senke/veza

No description

Find a file

senke 3c4d0148be feat(webhooks): persist raw hyperswitch payloads to audit log — v1.0.7 item E Every POST /webhooks/hyperswitch delivery now writes a row to `hyperswitch_webhook_log` regardless of signature-valid or processing outcome. Captures both legitimate deliveries and attack probes — a forensics query now has the actual bytes to read, not just a "webhook rejected" log line. Disputes (axis-1 P1.6) ride along: the log captures dispute.* events alongside payment and refund events, ready for when disputes get a handler. Table shape (migration 984): * payload TEXT — readable in psql, invalid UTF-8 replaced with empty (forensics value is in headers + ip + timing for those attacks, not the binary body). * signature_valid BOOLEAN + partial index for "show me attack attempts" being instantaneous. * processing_result TEXT — 'ok' / 'error: <msg>' / 'signature_invalid' / 'skipped'. Matches the P1.5 action semantic exactly. * source_ip, user_agent, request_id — forensics essentials. request_id is captured from Hyperswitch's X-Request-Id header when present, else a server-side UUID so every row correlates to VEZA's structured logs. * event_type — best-effort extract from the JSON payload, NULL on malformed input. Hardening: * 64KB body cap via io.LimitReader rejects oversize with 413 before any INSERT — prevents log-spam DoS. * Single INSERT per delivery with final state; no two-phase update race on signature-failure path. signature_invalid and processing-error rows both land. * DB persistence failures are logged but swallowed — the endpoint's contract is to ack Hyperswitch, not perfect audit. Retention sweep: * CleanupHyperswitchWebhookLog in internal/jobs, daily tick, batched DELETE (10k rows + 100ms pause) so a large backlog doesn't lock the table. * HYPERSWITCH_WEBHOOK_LOG_RETENTION_DAYS (default 90). * Same goroutine-ticker pattern as ScheduleOrphanTracksCleanup. * Wired in cmd/api/main.go alongside the existing cleanup jobs. Tests: 5 in webhook_log_test.go (persistence, request_id auto-gen, invalid-JSON leaves event_type empty, invalid-signature capture, extractEventType 5 sub-cases) + 4 in cleanup_hyperswitch_webhook_ log_test.go (deletes-older-than, noop, default-on-zero, context-cancel). Migration 984 applied cleanly to local Postgres; all indexes present. Also (v107-plan.md): * Item G acceptance gains an explicit Idempotency-Key threading requirement with an empty-key loud-fail test — "literally copy-paste D's 4-line test skeleton". Closes the risk that item G silently reopens the HTTP-retry duplicate-charge exposure D closed. Out of scope for E (noted in CHANGELOG): * Rate limit on the endpoint — pre-existing middleware covers it at the router level; adding a per-endpoint limit is separate scope. * Readable-payload SQL view — deferred, the TEXT column is already human-readable; a convenience view is a nice-to-have not a ship-blocker. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>		2026-04-18 02:44:58 +02:00
.github	ci: retire legacy backend-ci.yml, centralize Docker probe in SkipIfNoIntegration	2026-04-15 16:12:45 +02:00
.husky	implicit: implement Implicit 10.3 - add optional test check to pre-commit hook	2026-01-16 14:18:41 +01:00
apps/web	feat(backend,web): surface RTMP ingest health on the Go Live page	2026-04-16 23:52:36 +02:00
chat_exports	report generation and future tasks selection	2025-12-08 19:57:54 +01:00
config	chore(infra): J6 — mark 3 dormant docker-compose files as deprecated	2026-04-15 12:58:39 +02:00
dev-environment	refactor: remove dead code (api_manager.go, unused templates)	2026-02-22 17:44:19 +01:00
docker/haproxy	chore: consolidate CI, E2E, backend and frontend updates	2026-02-17 16:43:21 +01:00
docs	feat(webhooks): persist raw hyperswitch payloads to audit log — v1.0.7 item E	2026-04-18 02:44:58 +02:00
docs-assets/mermaid	BASE: completing the initial repo state	2025-12-03 22:56:50 +01:00
fixtures	release(v0.903): Vault - ORDER BY whitelist, rate limiter, VERSION sync, chat-server cleanup, Go 1.24	2026-02-27 09:43:25 +01:00
full_veza_audit_data	feat(v0.923): API contract tests, OpenAPI generation, CI type sync check	2026-02-27 20:23:10 +01:00
home/senke/git/talas/veza/apps/web/src	small fixes : cors + login loop	2026-02-07 20:36:48 +01:00
infra	chore(infra): J6 — mark 3 dormant docker-compose files as deprecated	2026-04-15 12:58:39 +02:00
k8s	docs(J2): align docs with reality — rewrite CLAUDE.md, fix README, purge chat-server refs	2026-04-14 17:23:50 +02:00
loadtests	feat(v0.14.0): validation runtime & staging pipeline	2026-03-13 16:09:43 +01:00
make	fix: sync E2E tests with seed data + i18n fix	2026-04-02 19:42:03 +02:00
packages/design-system	feat: design system, theme, and layout improvements	2026-03-23 15:44:37 +01:00
prompts	chore: add audit screenshots, audit scripts, and prompt templates	2026-03-31 19:17:05 +02:00
proto	refactor(infra): centralize protobuf definitions in shared proto/ directory	2026-02-22 17:45:11 +01:00
scripts	chore(release): v1.0.6.2 — subscription payment-gate bypass hotfix	2026-04-17 12:21:53 +02:00
sub_task_agents	Phase 2 stabilisation: code mort, Modal→Dialog, feature flags, tests, router split, Rust legacy	2026-02-14 17:23:32 +01:00
test-reports/20251226-132633	[TEST] MVP integration tests executed - 2/28 API passed, 0/20 E2E passed, 3 bugs found	2026-01-04 01:44:13 +01:00
tests	test(e2e): convert all remaining 298 console.log to real expect()	2026-04-08 15:50:17 +02:00
tmt	fix: sync E2E tests with seed data + i18n fix	2026-04-02 19:42:03 +02:00
tools	BASE: completing the initial repo state	2025-12-03 22:56:50 +01:00
veza-backend-api	feat(webhooks): persist raw hyperswitch payloads to audit log — v1.0.7 item E	2026-04-18 02:44:58 +02:00
veza-common	v0.9.1	2026-03-05 19:22:31 +01:00
veza-docs	feat(v0.13.0): conformité features partielles — CAPTCHA, password history, login history, SMS 2FA	2026-03-12 09:31:50 +01:00
veza-stream-server	chore(infra): J6 — mark 3 dormant docker-compose files as deprecated	2026-04-15 12:58:39 +02:00
.cursorrules	docs: retrospective v0.803, archive scope, update SCOPE_CONTROL	2026-03-03 09:25:34 +01:00
.editorconfig	initial: initial repo set up (README, LICENSE, CONTRIBUTORS, etc...)	2025-12-03 13:54:23 +01:00
.gitattributes	initial: initial repo set up (README, LICENSE, CONTRIBUTORS, etc...)	2025-12-03 13:54:23 +01:00
.gitignore	chore(cleanup): J1 — purge 220MB of debris, archive session docs	2026-04-14 17:01:27 +02:00
.gitleaks.toml	ci(security): expand gitleaks allowlist for e2e artifacts, docs, templates	2026-04-14 12:32:34 +02:00
.lighthouserc.js	feat(v0.14.0): validation runtime & staging pipeline	2026-03-13 16:09:43 +01:00
.lintstagedrc.json	fix(ci): lint-staged eslint rule was linting the whole project	2026-04-15 12:47:21 +02:00
.nvmrc	v0.9.3	2026-03-05 19:35:57 +01:00
CHANGELOG.md	feat(webhooks): persist raw hyperswitch payloads to audit log — v1.0.7 item E	2026-04-18 02:44:58 +02:00
CLAUDE.md	docs(J2): align docs with reality — rewrite CLAUDE.md, fix README, purge chat-server refs	2026-04-14 17:23:50 +02:00
CONTRIBUTING.md	release(v0.903): Vault - ORDER BY whitelist, rate limiter, VERSION sync, chat-server cleanup, Go 1.24	2026-02-27 09:43:25 +01:00
docker-compose.dev.yml	fix(backend,infra): send real verification emails + fail-loud in prod	2026-04-16 14:52:46 +02:00
docker-compose.env.example	feat(payments): document Hyperswitch activation and validate checkout flow	2026-02-15 16:08:49 +01:00
docker-compose.override.yml.example	BASE: completing the initial repo state	2025-12-03 22:56:50 +01:00
docker-compose.prod.yml	fix(v0.12.6.1): LOW-002 update Hyperswitch 2025.01.21→2026.03.11	2026-03-12 06:23:56 +01:00
docker-compose.staging.yml	chore(release): v0.981 — Beta (staging deploy, bug bash, smoke test)	2026-03-02 19:33:42 +01:00
docker-compose.test.yml	fix(infra): align PostgreSQL to version 16 in test compose	2026-02-22 17:35:35 +01:00
docker-compose.yml	refactor(backend,infra): unify SMTP env schema on canonical SMTP_* names	2026-04-16 20:44:09 +02:00
env.remote-r720.example	stabilisation commit: while implementing v0.10.5	2026-03-09 19:36:33 +01:00
generate_page_fix_prompts.sh	chore: add audit screenshots, audit scripts, and prompt templates	2026-03-31 19:17:05 +02:00
go.work	fix(ci): bump go.work to 1.25 to match veza-backend-api/go.mod	2026-04-15 15:06:50 +02:00
go.work.sum	chore(release): v0.931 — Cursor (cursor-based pagination, performance baseline)	2026-03-02 12:35:49 +01:00
Makefile	release(v0.903): Vault - ORDER BY whitelist, rate limiter, VERSION sync, chat-server cleanup, Go 1.24	2026-02-27 09:43:25 +01:00
package-lock.json	feat(ui): add SUMI design system components, seasonal hooks, and i18n updates	2026-03-31 19:15:54 +02:00
package.json	fix: stabilize frontend — 98 TS errors to 0, align API endpoints, optimize bundle	2026-03-24 21:18:49 +01:00
README.md	chore(cleanup): J5 — defer GeoIP, rename v2-v3-types, document Storybook kill	2026-04-15 12:43:57 +02:00
RELEASE_NOTES_V1.md	chore(release): v0.992 RC2 — Release notes, sign-off final	2026-03-03 19:53:41 +01:00
run-audit.sh	chore: add audit screenshots, audit scripts, and prompt templates	2026-03-31 19:17:05 +02:00
rust-toolchain.toml	BASE: completing the initial repo state	2025-12-03 22:56:50 +01:00
status.sh	docs: add project documentation, logging config, status script	2026-03-18 11:36:36 +01:00
turbo.json	chore: add Turborepo for monorepo orchestration	2026-02-14 22:38:32 +01:00
Untitled	chore: consolidate CI, E2E, backend and frontend updates	2026-02-17 16:43:21 +01:00
VERSION	chore(release): v1.0.6.2 — subscription payment-gate bypass hotfix	2026-04-17 12:21:53 +02:00
VEZA_VERSIONS_ROADMAP.md	docs: update VEZA_VERSIONS_ROADMAP [v1.0.0-rc1 DONE]	2026-03-13 16:24:04 +01:00

README.md

Veza Monorepo

Version courante : v1.0.4 (cleanup + consolidation post-audit). Voir CHANGELOG.md et docs/PROJECT_STATE.md.

Project Structure

apps/web — Frontend React 18 + Vite 5 + TypeScript strict (source of truth for the UI)
veza-backend-api — Main Go 1.25 API service (Gin, GORM, Postgres, Redis, RabbitMQ, Elasticsearch). Handles REST, WebSocket, and chat (chat server was merged into this service in v0.502).
veza-stream-server — Rust streaming server (Axum 0.8, Tokio 1.35, Symphonia) — HLS, HTTP Range, WebSocket, gRPC
veza-common — Shared Rust types and logging
packages/design-system — Shared design tokens

See CLAUDE.md for the full architecture map.

Development Setup

Prerequisites: Node 20 (see .nvmrc), Go, Rust, Docker. Configure .env from .env.example.

# Verify environment
make doctor
./scripts/validate-env.sh development

# Install dependencies
make install-deps

# Option A — Backend in Docker + Web local
make dev

# Option B — All apps local with hot reload (infra from docker-compose.dev.yml)
make dev-full

# Option C — Infra only, then run services manually
docker compose -f docker-compose.dev.yml up -d
make dev-web              # or make dev-backend-api, make dev-stream-server

See docs/ENV_VARIABLES.md for required variables. make build builds all services.

Quick Start

Frontend only

cd apps/web
npm install
npm run dev

Docker Production

Canonical production compose file: docker-compose.prod.yml

docker compose -f docker-compose.prod.yml up -d

See make/config.mk for COMPOSE_PROD and deployment docs.

CI/CD

Badge : CI status above. Set SLACK_WEBHOOK_URL (Incoming Webhook) in repo secrets to receive Slack notifications on failure.

Disabled workflows

Storybook (chromatic.yml.disabled, storybook-audit.yml.disabled, visual-regression.yml.disabled): deferred until MSW is wired up for /api/v1/auth/me and /api/v1/logs/frontend, which currently causes ~1 400 network errors in the Storybook build. The npm scripts (storybook, build-storybook) still work locally for one-off component inspection. To reactivate in CI, fix the MSW handlers and rename the three files back to .yml.

Documentation

Developer Onboarding — Setup, architecture, conventions, troubleshooting
Documentation index — Index complet de la documentation
See docs/ for detailed architecture and development guides. Older audits and reports are archived in docs/archive/.