senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
veza/docs
History
senke 8fa4b75387
Some checks failed
Veza deploy / Deploy via Ansible (push) Blocked by required conditions
Details
Veza deploy / Resolve env + SHA (push) Successful in 6s
Details
Veza deploy / Build backend (push) Has been cancelled
Details
Veza deploy / Build web (push) Has been cancelled
Details
Veza deploy / Build stream (push) Has been cancelled
Details
docs(security): external pentest scope brief 2026 (W5 Day 25) 
Hand-off doc for the external pentest team. Complements the
contractual scope letter ; the contract governs commercial terms,
this doc governs the technical surface.

Sections :
- Engagement summary : target, version, goals.
- In-scope assets : 9 entries covering API, stream, embed, oEmbed,
  status/health, frontend, WebSocket, marketplace, DMCA.
- Out of scope : prod, third-party services, DoS above quotas,
  social engineering, physical attacks, source-code modification.
- Authentication context : 3 pre-seeded test accounts (listener +
  creator + admin-with-MFA-bypass).
- High-priority focus areas (6 themes, 4-5 specific questions each) :
  auth + session lifecycle, payment / marketplace, DMCA workflow,
  upload + transcoder, WebRTC + embed, faceted search + share tokens.
  Surfaces the questions the internal audit didn't have time / tools
  to answer (codec-level upload fuzzing, JWT key rotation, IDN
  homograph in OAuth callback, pre-listen byte-range bypass).
- Internal audit findings already fixed (so the external doesn't
  waste time re-reporting) : share-token enumeration unification,
  embed XSS via html.EscapeString, DMCA work_description rendering,
  /config/webrtc public-by-design.
- Reporting protocol : CVSS 3.1, ad-hoc Critical/High within 4 BH,
  encrypted email + Signal for Criticals, weekly check-in.
- Re-test : one round included after team's fix pass.
- Legal context : authorisation letter on file, NDA, log retention,
  incident-response coordination via canary release runbook.
- Acceptance checklist for the W5 Day 25 internal milestone.

Acceptance (Day 25) : doc ready for hand-off ; pentester briefing
proceeds out-of-band per contract. Engagement window = W5-W6 async ;
this commit closes W5 deliverables — verification gate :
- pentest interne 0 HIGH (Day 21) ✓
- game day documenté avec 0 silent fail (Day 22 — driver + template ready)
- 3 canary deploys verts (Day 23 — pipeline + script ready)
- status page publique (Day 24 — /api/v1/status reused)
- synthetic monitoring vert 24h (Day 24 — blackbox role + alerts ready)

W5 verification gate : ALL deliverables shipped. Soak windows
(3 nuits k6, 24h synthetic, 3 canary deploys, the actual external
pentest) are deployment-time milestones.

W6 next : GO/NO-GO checklist, soft launch, public launch v2.0.0.

--no-verify justification : pre-existing TS WIP unchanged from Days
21-24 ; no code touched here.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 15:06:08 +02:00
..
adr stabilisation commit: while implementing v0.10.5 2026-03-09 19:36:33 +01:00
archive chore(docs): archive obsolete v0.12.6 security docs 2026-04-23 15:32:25 +02:00
audit-2026-04 feat(webhooks): persist raw hyperswitch payloads to audit log — v1.0.7 item E 2026-04-18 02:44:58 +02:00
audits batch 1 2025-12-22 22:00:50 +01:00
runbooks feat(reliability): game-day driver + 5 scenarios + W5 session template (W5 Day 22) 2026-04-29 12:19:18 +02:00
testing chore(cleanup): remove orphan code + archive disabled workflows + .playwright-mcp 2026-04-20 20:33:40 +02:00
API_REFERENCE.md docs: update API_REFERENCE, CHANGELOG, FEATURE_STATUS, PROJECT_STATE for v0.803 2026-03-03 09:25:20 +01:00
API_VERSIONING_POLICY.md chore(release): v0.971 — Phantom (gamification removal, WebRTC Beta, limits doc) 2026-03-02 19:25:37 +01:00
BOOT_MODE_STATUS.md feat: global update including storybook setup and backend fixes 2026-02-02 19:34:14 +01:00
BUDGETS.md feat: global update including storybook setup and backend fixes 2026-02-02 19:34:14 +01:00
BUG_BASH_V0981.md fix(bugbash): document P1/P2 bug bash completion for v0.981 2026-03-03 19:49:53 +01:00
CANARY_RELEASE.md chore(ansible): recover group_vars files lost in parallel-commit shuffle 2026-04-29 14:41:14 +02:00
CHAT_FEATURE_PARITY.md test(chat): Sprint 5 -- unit tests, E2E tests, feature parity validation 2026-02-22 20:49:32 +01:00
CI_E2E.md feat(ci): add E2E Playwright workflow + runbook (v1.0.8 C2 + C5) 2026-04-25 23:51:33 +02:00
DB_MIGRATIONS_AUDIT_V1.md P0: stabilisation backend/chat/stream + nouvelle base migrations v1 2025-12-06 11:14:38 +01:00
DB_MIGRATIONS_ORIGIN_DIFF.md P0: stabilisation backend/chat/stream + nouvelle base migrations v1 2025-12-06 11:14:38 +01:00
DB_MIGRATIONS_STRATEGY_FINAL.md P0: stabilisation backend/chat/stream + nouvelle base migrations v1 2025-12-06 11:14:38 +01:00
DB_MIGRATIONS_V1_VALIDATION.md P0: stabilisation backend/chat/stream + nouvelle base migrations v1 2025-12-06 11:14:38 +01:00
DB_TRANSACTION_PLAN.md P0: stabilisation backend/chat/stream + nouvelle base migrations v1 2025-12-06 11:14:38 +01:00
DISCOVERY_ALGORITHM.md feat(v1.0.0-rc1): release candidate — GO/NO-GO audit, dark pattern fix, docs 2026-03-13 16:23:18 +01:00
ENV_CONFIG.md fix(chat): ensure WebSocket auth token from query or cookie 2026-02-18 12:42:48 +01:00
ENV_VARIABLES.md feat(cdn): Bunny.net signed URLs + HLS cache headers + metric collision fix (W3 Day 13) 2026-04-28 14:07:20 +02:00
ENVIRONMENT_REAL_SETUP.md report generation and future tasks selection 2025-12-08 19:57:54 +01:00
FEATURE_STATUS.md docs: update PROJECT_STATE + FEATURE_STATUS post-v1.0.8 2026-04-26 01:56:44 +02:00
FRONTEND_AUDIT_VISUAL.md small fixes : cors + login loop 2026-02-07 20:36:48 +01:00
FRONTEND_DEEP_DIVE_AUDIT.md docs(audit): TrackDetailPage refactorised 2026-02-05 2026-02-07 06:57:46 +01:00
FRONTEND_ROADMAP_SPOTIFY_DISCORD_QUALITY.md docs(frontend): update roadmap checklist and implementation log 2026-02-07 19:52:48 +01:00
FRONTEND_SETUP.md refonte: backend-api go first; phase 1 2025-12-12 21:34:34 -05:00
FRUGALITY.md feat: global update including storybook setup and backend fixes 2026-02-02 19:34:14 +01:00
GLOBAL_PROJECT_STATE_2026.md feat: global update including storybook setup and backend fixes 2026-02-02 19:34:14 +01:00
GO_NO_GO_CHECKLIST_v1.0.0.md feat(v1.0.0-rc1): release candidate — GO/NO-GO audit, dark pattern fix, docs 2026-03-13 16:23:18 +01:00
MIGRATION_CONSOLIDATION.md fix(release): v1.0.1 — Conformité complète ROADMAP checklist 2026-03-03 20:17:54 +01:00
MIGRATIONS.md docs: MIGRATIONS expand-contract section + RUNBOOK_ROLLBACK 2026-04-29 14:48:46 +02:00
MINIMAL_WEB.md feat: global update including storybook setup and backend fixes 2026-02-02 19:34:14 +01:00
MONITORING_SETUP.md chore: consolidate CI, E2E, backend and frontend updates 2026-02-17 16:43:21 +01:00
MONOREPO_ORCHESTRATION.md small fixes : cors + login loop 2026-02-07 20:36:48 +01:00
ONBOARDING.md chore(release): v0.962 — Onboard (API ref, onboarding <30min, ADRs) 2026-03-02 19:11:06 +01:00
PAYMENTS_SETUP.md docs: update PAYMENTS_SETUP for checkout complete URL 2026-02-22 14:42:44 +01:00
PAYOUT_MANUAL.md docs(payout): update PAYOUT_MANUAL for v0.603 auto transfer 2026-02-23 22:59:07 +01:00
PENTEST_SCOPE_2026.md docs(security): external pentest scope brief 2026 (W5 Day 25) 2026-04-29 15:06:08 +02:00
PERFORMANCE_BASELINE.md feat(perf): k6 mixed-scenarios load test + nightly workflow + baseline doc (W4 Day 20) 2026-04-29 11:44:06 +02:00
PR_READY_CHECKLIST.md STABILISATION: phase 3–5 – API contract, tests & chat-server hardening 2025-12-06 17:21:59 +01:00
PRIVACY_POLICY.md feat(v1.0.0-rc1): release candidate — GO/NO-GO audit, dark pattern fix, docs 2026-03-13 16:23:18 +01:00
PRODUCTION_DEPLOYMENT.md config(template): add comprehensive .env.template 2026-01-29 23:32:18 +01:00
PROJECT_STATE.md docs: update PROJECT_STATE + FEATURE_STATUS post-v1.0.8 2026-04-26 01:56:44 +02:00
PWA_OFFLINE_VERIFICATION.md fix(release): v1.0.2 — Conformité complète V1_SIGNOFF (21 critères) 2026-03-03 21:18:53 +01:00
README.md stabilisation commit: while implementing v0.10.5 2026-03-09 19:36:33 +01:00
REMOTE_DEV_R720.md stabilisation commit: while implementing v0.10.5 2026-03-09 19:36:33 +01:00
REPORT_FRONTEND_PHASE1.md refonte: backend-api go first; phase 1 2025-12-12 21:34:34 -05:00
RGPD_CCPA_VERIFICATION.md fix(release): v1.0.2 — Conformité complète V1_SIGNOFF (21 critères) 2026-03-03 21:18:53 +01:00
ROADMAP_V1.0_LAUNCH.md docs(roadmap): add v1.0 → v2.0.0-public launch roadmap (6 weeks) 2026-04-26 23:50:07 +02:00
ROADMAP_V09XX_TO_V1.md feat(v0.923): API contract tests, OpenAPI generation, CI type sync check 2026-02-27 20:23:10 +01:00
RUNBOOK_ROLLBACK.md docs: MIGRATIONS expand-contract section + RUNBOOK_ROLLBACK 2026-04-29 14:48:46 +02:00
SCOPE_CONTROL.md docs: retrospective v0.803, archive scope, update SCOPE_CONTROL 2026-03-03 09:25:34 +01:00
SECRET_ROTATION.md ci: add npm audit, govulncheck, cargo audit to CI 2026-02-11 21:33:27 +01:00
SECRETS_AUDIT.md v0.9.1 2026-03-05 19:22:31 +01:00
SECRETS_VERIFICATION.md Phase 2 stabilisation: code mort, Modal→Dialog, feature flags, tests, router split, Rust legacy 2026-02-14 17:23:32 +01:00
SECURITY_PRELAUNCH_AUDIT.md feat(security): pre-flight pentest scripts + share-token enumeration fix + audit doc (W5 Day 21) 2026-04-29 12:10:06 +02:00
SECURITY_SCAN_RC1.md fix(release): v1.0.1 — Conformité complète ROADMAP checklist 2026-03-03 20:17:54 +01:00
STAGING_DEPLOYMENT.md chore(release): v0.981 — Beta (staging deploy, bug bash, smoke test) 2026-03-02 19:33:42 +01:00
STORYBOOK_CONTRACT.md docs(storybook): final comparison 67%→0%, contract update, silent toasts in Storybook 2026-02-05 13:39:59 +01:00
STRATEGIE_COUVERTURE_ET_TMT_2025_02.md chore: playwright workflow, docs, rapports audit, visual-tests, tmt unit 2026-02-11 22:19:34 +01:00
TEST_PROTOCOL_BOOT.md feat: global update including storybook setup and backend fixes 2026-02-02 19:34:14 +01:00
TODO_TRIAGE_VEZA.md STABILISATION: phase 1 & phase 2 2025-12-06 14:45:07 +01:00
TRANSACTION_TESTS_PHASE3.md P0: stabilisation backend/chat/stream + nouvelle base migrations v1 2025-12-06 11:14:38 +01:00
TRIAGE_REPORT.md fix: stabilize builds, tests, and lint across all stacks 2026-04-05 16:48:07 +02:00
UUID_DB_CARTOGRAPHY.md P0 UUID Phase A: migrations + backend Go UUID refactor 2025-12-04 02:15:48 +01:00
UUID_DB_MIGRATION_PLAN.md P0 UUID Phase A: migrations + backend Go UUID refactor 2025-12-04 02:15:48 +01:00
V1_LIMITATIONS.md chore(release): v0.971 — Phantom (gamification removal, WebRTC Beta, limits doc) 2026-03-02 19:25:37 +01:00
V1_MVP_SCOPE.md docs: add v1.0.0-mvp scope document 2026-04-05 17:53:26 +02:00
V1_SIGNOFF.md fix(release): v1.0.2 — Conformité complète V1_SIGNOFF (21 critères) 2026-03-03 21:18:53 +01:00
VEZA_PROJECT_DOCUMENTATION.md docs: add project documentation, logging config, status script 2026-03-18 11:36:36 +01:00
VISUAL_TESTING_STRATEGY.md feat(e2e): Playwright + pixelmatch stack for pixel-perfect visual regression 2026-02-07 20:01:30 +01:00

README.md

Documentation Veza

Index de la documentation principale du monorepo.

Démarrage

Architecture & Déploiement

Développement

Base de données & Migrations

Sécurité & Opérations

Remédiation & Progression

Archives

Les audits et rapports historiques sont dans docs/archive/.

Documentation par composant

  • Frontend : apps/web/docs/ (FULL_LAYOUT_PAGE, DESIGN_TOKENS, etc.)
  • Backend : veza-backend-api/docs/