veza/docs/SMOKE_TEST_V0803.md
senke da20e83e09 docs: complete roadmap documentation v0.703 to v0.903 (v1.0 target)
Add Release Scope, Implementation Plan, and Smoke Test for 7 versions:
- v0.703: Full Go Live & Streaming (Phase 7 Finale)
- v0.801: UX/UI Polish, Accessibility & PWA (Phase 8)
- v0.802: Full Cloud, Files & Advanced Gear (Phase 8)
- v0.803: Security, Compliance & Dev Tooling (Phase 8)
- v0.901: Full Marketplace & Advanced Analytics (Phase 9)
- v0.902: Full Social, Chat & Notifications (Phase 9)
- v0.903: v1.0 Stabilisation & Launch Readiness (Phase 9)

21 documents total (3 per version), covering all remaining features
needed to reach v1.0 from v0.702.
2026-02-24 01:32:04 +01:00


# Smoke Test v0.803 — Security, Compliance & Dev Tooling
## Prerequisites
- `veza-backend-api` built and running
- PostgreSQL with migrations applied up to 125
- `.env` with `DATABASE_URL` and `JWT_SECRET`
- One admin user and one standard user, each with a JWT token
---
## 1. Security Headers (SEC1)
### 1.1 Headers present
```bash
curl -sI http://localhost:8080/api/v1/health | grep -iE "content-security|x-frame|x-content-type|referrer-policy|permissions-policy"
# Expected:
# Content-Security-Policy: default-src 'self'; ...
# X-Frame-Options: DENY
# X-Content-Type-Options: nosniff
# Referrer-Policy: strict-origin-when-cross-origin
# Permissions-Policy: camera=(), microphone=(self), ...
```
### 1.2 HSTS (production only)
```bash
# In PRODUCTION mode:
# Expected: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
# In DEV mode: header absent
```
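The two checks above can be scripted so that a run fails loudly instead of relying on eyeballing `grep` output. This is an added example, not code from the Veza repository: `check_security_headers` reads a raw response from stdin, verifies the 1.1 header set, and applies the 1.2 rule (HSTS required in production, forbidden in dev); the sample response is constructed.

```bash
# Added example, not part of the Veza repo: validates the 1.1 header set and the
# 1.2 HSTS rule from a raw response.  ENV is "dev" or "production".
# Live use: curl -sI http://localhost:8080/api/v1/health | check_security_headers dev
check_security_headers() {
  local env="${1:-dev}" headers rc=0
  headers="$(tr -d '\r')"                 # whole response from stdin, CRs dropped
  want_header() {                         # want_header NAME VALUE-REGEX
    if printf '%s\n' "$headers" | grep -iqE "^$1: *$2"; then
      echo "ok   $1"
    else
      echo "FAIL $1 (expected /$2/)"; rc=1
    fi
  }
  want_header 'Content-Security-Policy' "default-src 'self'"
  want_header 'X-Frame-Options'        'DENY'
  want_header 'X-Content-Type-Options' 'nosniff'
  want_header 'Referrer-Policy'        'strict-origin-when-cross-origin'
  want_header 'Permissions-Policy'     'camera=\(\)'
  local hsts
  hsts="$(printf '%s\n' "$headers" | grep -iE '^Strict-Transport-Security:' || true)"
  if [ "$env" = production ]; then
    # one year minimum, and subdomains covered, as 1.2 expects
    if printf '%s' "$hsts" | grep -qE 'max-age=31536000.*includeSubDomains'; then
      echo "ok   HSTS ($env)"
    else
      echo "FAIL HSTS missing or weaker than expected in production"; rc=1
    fi
  elif [ -n "$hsts" ]; then
    # an HSTS header served over plain HTTP in dev would pin browsers to HTTPS
    echo "FAIL HSTS must be absent outside production"; rc=1
  else
    echo "ok   HSTS absent ($env)"
  fi
  return "$rc"
}
# Constructed sample (not captured from a real server): a production response
sample_prod_response() {
  printf '%s\r\n' 'HTTP/1.1 200 OK' \
    "Content-Security-Policy: default-src 'self'; img-src *" \
    'X-Frame-Options: DENY' \
    'X-Content-Type-Options: nosniff' \
    'Referrer-Policy: strict-origin-when-cross-origin' \
    'Permissions-Policy: camera=(), microphone=(self)' \
    'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload'
}
```

The function exits non-zero on any failure, so it can gate a CI smoke job.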
### 1.3 Global rate limiting
```bash
# Send 150 requests in quick succession from the same IP
# Expected: 429 Too Many Requests after 100 requests
```
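The 1.3 check is easy to get wrong by hand (a limiter that fires early, late, or lets requests through after the first 429 all look like "some 429s"). Added example, not from the Veza repository: `check_rate_limit` reads one status code per line and verifies the exact threshold; the status stream is constructed, and the live loop in the comment is the assumed way to drive it.

```bash
# Added example, not part of the Veza repo: checks the 1.3 threshold from the
# stream of status codes the 150-request loop produces.  Live use, against an
# endpoint covered by the global limiter:
#   for i in $(seq 150); do curl -s -o /dev/null -w '%{http_code}\n' \
#     http://localhost:8080/api/v1/health; done | check_rate_limit 100
# Passes only if requests 1..LIMIT were never 429 and every request after
# the limit was 429 (the limiter must not fire early, late, or intermittently).
check_rate_limit() {
  local limit="$1" n=0 code first_429=0 leaked=0
  while read -r code; do
    n=$((n + 1))
    if [ "$code" = 429 ]; then
      if [ "$first_429" -eq 0 ]; then first_429=$n; fi
    elif [ "$first_429" -ne 0 ]; then
      leaked=$((leaked + 1))        # a non-429 answered after the limit was hit
    fi
  done
  if [ "$first_429" -eq 0 ]; then
    echo "FAIL no 429 in $n requests (limiter inactive or keyed on another IP?)"; return 1
  elif [ "$first_429" -ne $((limit + 1)) ]; then
    echo "FAIL first 429 at request $first_429, expected request $((limit + 1))"; return 1
  elif [ "$leaked" -ne 0 ]; then
    echo "FAIL $leaked requests got through after the first 429"; return 1
  fi
  echo "ok   429 from request $first_429 onwards, $n requests sent"
}
# Constructed status stream (not a real capture): 100 x 200 followed by 50 x 429
sample_status_stream() {
  local i=0
  while [ "$i" -lt 150 ]; do
    i=$((i + 1))
    if [ "$i" -le 100 ]; then echo 200; else echo 429; fi
  done
}
```

If the health endpoint turns out to be exempt from the limiter, point the loop at any other endpoint the global limiter covers.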
---
## 2. Audit Logs (SEC2)
### 2.1 Automatic logging
```bash
# Perform a POST (e.g. create a product)
curl -s -X POST http://localhost:8080/api/v1/marketplace/products \
-H "Authorization: Bearer {TOKEN}" \
-H "Content-Type: application/json" \
-d '{"title":"Test","price_cents":1000}' | jq .
# Check the audit log
curl -s "http://localhost:8080/api/v1/admin/audit-logs?limit=1" \
-H "Authorization: Bearer {ADMIN_TOKEN}" | jq .
# Expected: action="create", resource_type="product", user_id, ip_address
```
### 2.2 Audit log filters
```bash
curl -s "http://localhost:8080/api/v1/admin/audit-logs?action=create&limit=10" \
-H "Authorization: Bearer {ADMIN_TOKEN}" | jq .
# Expected: only entries with action "create"
```
### 2.3 Non-admin access denied
```bash
curl -s http://localhost:8080/api/v1/admin/audit-logs \
-H "Authorization: Bearer {USER_TOKEN}" | jq .
# Expected: 403 Forbidden
```
---
## 3. Account Deletion (SEC2)
### 3.1 Delete own account
```bash
curl -s -X DELETE http://localhost:8080/api/v1/users/me \
-H "Authorization: Bearer {TOKEN}" | jq .
# Expected: 200, "Account deleted"
```
### 3.2 Verify anonymisation
```bash
# Try to log in with the old email
# Expected: 401 Unauthorized (email anonymised)
```
### 3.3 Frontend
```bash
# Settings → Account → Delete Account
# Check: confirmation modal with the text "type DELETE to confirm"
# Check: redirect to login after deletion
```
---
## 4. OpenAPI/Swagger (DEV1)
### 4.1 Swagger UI
```bash
curl -s http://localhost:8080/swagger/index.html | head -20
# Expected: Swagger UI HTML
```
### 4.2 OpenAPI spec
```bash
curl -s http://localhost:8080/swagger/doc.json | jq '.info.title'
# Expected: "Veza API"
```
---
## 5. API Keys (DEV1)
### 5.1 Create an API key
```bash
curl -s -X POST http://localhost:8080/api/v1/developer/api-keys \
-H "Authorization: Bearer {TOKEN}" \
-H "Content-Type: application/json" \
-d '{"name": "My Integration", "permissions": ["read"]}' | jq .
# Expected: 201, { "key": "veza_sk_...", "name": "My Integration" }
# Note: the raw key is returned only at creation
```
### 5.2 Auth via X-API-Key
```bash
curl -s http://localhost:8080/api/v1/dashboard \
-H "X-API-Key: veza_sk_..." | jq .
# Expected: 200, dashboard data (authenticated via API key)
```
### 5.3 List and revoke
```bash
curl -s http://localhost:8080/api/v1/developer/api-keys \
-H "Authorization: Bearer {TOKEN}" | jq .
# Expected: list of API keys (without the raw key)
curl -s -X DELETE http://localhost:8080/api/v1/developer/api-keys/{KEY_ID} \
-H "Authorization: Bearer {TOKEN}" | jq .
# Expected: 200, key revoked
```
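The security property behind 5.1 and 5.3 is that the raw secret appears exactly once, in the creation response, and never again in a listing or in the audit-log bodies from section 2. Added example, not from the Veza repository: `assert_no_raw_key` scans a response body for a full key; it assumes the secret part after `veza_sk_` is at least 16 characters (the page only shows `veza_sk_...`), and both sample bodies are constructed.

```bash
# Added example, not part of the Veza repo: 5.1 states the raw key is returned
# only at creation, so the 5.3 listing (and any audit-log body from section 2)
# must never carry one.  Assumes the secret after "veza_sk_" is at least 16
# [A-Za-z0-9_-] characters; the page only shows "veza_sk_...", so adjust the
# pattern to the real key format (a short display prefix must not trip it).
assert_no_raw_key() {
  # reads a response body from stdin; non-zero exit if a full secret is present
  if grep -Eq 'veza_sk_[A-Za-z0-9_-]{16,}'; then
    echo "FAIL raw API key present in response body"; return 1
  fi
  echo "ok   no raw key in body"
}
# Constructed bodies (not real API output): a 5.1 creation response, which
# legitimately contains the key, and a 5.3 listing, which must not
sample_create_body() { printf '%s' '{"key":"veza_sk_0123456789abcdef0123456789","name":"My Integration"}'; }
sample_list_body()   { printf '%s' '[{"id":"k1","name":"My Integration","permissions":["read"],"created_at":"2026-02-24T00:00:00Z"}]'; }
# Live use, after 5.1 and again after the revoke in 5.3:
#   curl -s http://localhost:8080/api/v1/developer/api-keys \
#     -H "Authorization: Bearer $TOKEN" | assert_no_raw_key
#   curl -s "http://localhost:8080/api/v1/admin/audit-logs?limit=5" \
#     -H "Authorization: Bearer $ADMIN_TOKEN" | assert_no_raw_key
```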
---
## 6. Moderation (ADM1)
### 6.1 List reports
```bash
curl -s http://localhost:8080/api/v1/admin/reports \
-H "Authorization: Bearer {ADMIN_TOKEN}" | jq .
# Expected: 200, paginated list of reports
```
### 6.2 Resolve a report
```bash
curl -s -X POST http://localhost:8080/api/v1/admin/reports/{REPORT_ID}/resolve \
-H "Authorization: Bearer {ADMIN_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"action": "warn", "note": "First warning"}' | jq .
# Expected: 200, report status = resolved
```
---
## 7. Maintenance Mode (ADM1)
### 7.1 Enable maintenance
```bash
# Set MAINTENANCE_MODE=true in .env and restart
curl -s http://localhost:8080/api/v1/dashboard | jq .
# Expected: 503 Service Unavailable, "Platform is under maintenance"
curl -s http://localhost:8080/api/v1/health | jq .
# Expected: 200 (health is exempt)
```
---
## 8. Announcements (ADM1)
### 8.1 Create an announcement
```bash
curl -s -X POST http://localhost:8080/api/v1/admin/announcements \
-H "Authorization: Bearer {ADMIN_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"title": "Scheduled Maintenance", "content": "...", "type": "warning"}' | jq .
# Expected: 201, announcement created
```
### 8.2 Active announcements (public)
```bash
curl -s http://localhost:8080/api/v1/announcements/active | jq .
# Expected: 200, list of active announcements
```
---
## 9. Feature Flags (ADM1)
### 9.1 List flags
```bash
curl -s http://localhost:8080/api/v1/admin/feature-flags \
-H "Authorization: Bearer {ADMIN_TOKEN}" | jq .
# Expected: 200, list of feature flags with enabled/disabled
```
### 9.2 Toggle a flag
```bash
curl -s -X PUT http://localhost:8080/api/v1/admin/feature-flags/HLS_STREAMING \
-H "Authorization: Bearer {ADMIN_TOKEN}" \
-H "Content-Type: application/json" \
-d '{"enabled": true}' | jq .
# Expected: 200, flag updated
```
---
## 10. Automated tests
```bash
# Run from the repository root; the subshells keep the working directory unchanged
# so the second command is not executed relative to veza-backend-api
(cd veza-backend-api && go test ./... -v)
(cd apps/web && npm run build)
```
---
## 11. Documentation
- [ ] `docs/API_REFERENCE.md` sections Security, Audit, API Keys, Admin
- [ ] `CHANGELOG.md` contains the v0.803 entry
- [ ] `docs/PROJECT_STATE.md`: latest tag = v0.803
- [ ] `docs/FEATURE_STATUS.md`: section "Delivered in v0.803"
- [ ] Swagger UI reachable at /swagger/
- [ ] `git tag v0.803` created