senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
veza/docs/PROJECT_STATE.md
senke d820c22d7d chore(release): v1.0.4 — cleanup sprint complete, CI green 
7-day cleanup sprint (J1–J7) done. The codebase is unchanged
functionally but the working tree, docs, k8s runbooks, CI, and
Go dependency graph are all realigned with reality for the first
time since the v1.0.0 release.

VERSION          1.0.2 → 1.0.4 (skips v1.0.3 — that tag already
                 exists upstream, unused on this branch)
CHANGELOG.md     full v1.0.4 entry with per-day (J1–J7) breakdown
                 and the govulncheck + CI fix trail
docs/PROJECT_STATE.md   header month + version table refreshed,
                        pointer to AUDIT_REPORT.md added
docs/FEATURE_STATUS.md  header updated — no feature matrix
                        changes (no feature work in this sprint)

Key deliverables of the sprint:
  J1  0e7097ed1  purge 220 MB of debris (binaries, reports,
                 session docs, stale MVP scripts)
  J2  2aea1af36  rewrite CLAUDE.md, fix README, purge chat-server
                 refs from k8s runbooks and env examples
  J3  67f18892a  remove 3 deprecated unused handlers
  J3+ 7fa314866  2FA handler duplicate removal (bundled by parallel
                 ci-cache commit)
  J4  9cdfc6d89  GDPR-compliant hard delete with Redis SCAN cursor
                 and ES DeleteByQuery — closes TODO(HIGH-007)
  J5  0589ec9fc  defer GeoIP, rename v2-v3-types.ts to domain.ts,
                 document Storybook kill
  J5+ 7f89bebe1  fix lint-staged eslint rule (was linting the
                 whole project — root cause of earlier --no-verify)
  J6  113210734  mark 3 dormant docker-compose files deprecated
  fix 3d1f127ad  bump x/image, quic-go, testcontainers-go — drops
                 containerd + docker/docker from dep graph,
                 resolving 5 govulncheck findings without allowlist
  fix b33227a57  bump go.work to 1.25 to match veza-backend-api
  fix 73fc6e128  bump x/net v0.51.0 for GO-2026-4559
  fix 376d9adc4  retire legacy backend-ci.yml, centralize Docker
                 probe in SkipIfNoIntegration

CI status on the consolidated ci.yml workflow for 376d9adc4:
  Veza CI / Backend (Go)        OK 6m36s
  Veza CI / Frontend (Web)      OK 20m57s
  Veza CI / Rust (Stream)       OK 6m25s
  Security Scan / gitleaks      OK 4m13s
  Veza CI / Notify              skipped (fires only on failure)

First fully green CI run of the sprint and the first in a long
time overall. The tag v1.0.4 is cut on this state.

Refs: AUDIT_REPORT.md, all commits 0e7097ed1..376d9adc4
2026-04-15 16:39:30 +02:00

307 lines
16 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# État du projet Veza — Avril 2026
**Document opérationnel** : Où en sommes-nous, quelles sont les prochaines étapes.
---
## 1. Version actuelle
| Élément | Valeur |
| --------------------- | ------------------------------------------- |
| **Dernier tag** | v1.0.4 (2026-04-15) |
| **Branche courante** | `main` |
| **Phase** | Phase 9 — v1.0 Launch — Post-cleanup stable |
| **Prochaine version** | v1.0.5 ou v1.1.0 selon scope |
> v1.0.4 est une **release cleanup** post-audit : 7 jours de sprint
> (J1J7), ~-220 MB de débris retirés, docs alignées sur la réalité,
> TODO RGPD `HIGH-007` fermé, CI consolidée verte. Voir `CHANGELOG.md`
> pour le détail. `AUDIT_REPORT.md` à la racine contient l'audit qui
> a généré ce sprint.
---
## 2. Ce qui est livré
### v0.103 (Phase 1 Fondation)
- Auth : OAuth Spotify (A1), Sessions enrichies (A4)
- Profils : Bannière (B1), Liens sociaux (B2), Profil privé (B3)
- ⏸️ 2FA SMS, Passkeys → reportés v0.104
### v0.201 (Phase 2 Contenu — Lot E)
- ✅ Lot E — Métadonnées : BPM, musical_key, lyrics, tags (E1E4)
- Migrations : 084 track_lyrics, 085 tracks.tags
### v0.202 (Phase 2 Contenu — Lots G, H, F, C, D)
- Lot G : Recherche avancée (musical_key, tri pertinence, autocomplete, facettes type, historique)
- Lot H : Analytics créateur (stats, graphiques, taux complétion, export CSV/JSON)
- Lot F : Seller dashboard (GET /sell/stats, liste produits marketplace)
- Lot C : Player (crossfade, gapless preload, PiP)
- Lot D : Autoplay (GET /tracks/recommendations, section « À écouter ensuite »)
### v0.203 (Phase 2 Contenu — Lots L, K, D1)
- Lot L : Social Trending (GET /social/trending, cache Redis, SocialViewTrending connecté)
- Lot K : Recherche enrichie (pg_trgm fuzzy, AND/OR/NOT/"phrase exacte", tooltip aide)
- Lot D1 : Queue collaborative (sessions partagées, bouton Partager, polling sync)
### v0.301 (Phase 3 Social — Lots P0, C1, P1, S1)
- Lot P0 : Chat Server typing protocol, auth WebSocket doc
- Lot C1 : Typing indicators, read receipts, delivered status
- Lot P1 : Présence (migration 088, GET /users/:id/presence, PresenceBadge)
- Lot S1 : Social enrichi (feed API, actor/track enrichi, pagination, explore, filtres)
### v0.302 (Phase 3 Social — Lots S2, N1, P2)
- Lot S2 : Groupes avancés (request join, invite, rôles, feed groupes, mes groupes)
- Lot N1 : Notifications push Web (subscription, envoi sur événement, préférences, badge)
- Lot P2 : Présence enrichie (rich presence track, mode invisible, PUT /users/me/presence)
### v0.303 (Phase 3 Social — Lot C2)
- Lot C2 : Chat appels WebRTC 1-to-1 (signalisation, CallButton, IncomingCallModal, ActiveCallBar)
### v0.401 (Phase 4 Commerce — Lots M1, M2, M3)
- Lot M1 : Produits & Catalogue (BPM, musical_key, category, previews, images, filtres, rich text)
- Lot M2 : Licences & Droits (product_licenses, GET /licenses/mine, LicenceCard, LicensesView)
- Lot M3 : Seller dashboard enrichi (evolution chart, top products, real sales)
### v0.402 (Phase 4 Commerce — Lots P1, P2)
- Lot P1 : Checkout Hyperswitch production-ready (return URL order_id, CheckoutSuccessView/ErrorView, webhook cancelled, CheckoutPaymentForm)
- Lot P2 : Codes promo (promo_codes, ValidatePromoCode, GET /commerce/promo/:code, PromoCodeModal connecté, OrderSummary dans Cart)
### v0.404 (Phase 4bis Stabilisation — post-audit)
- Sécurité : JWT stream token endpoint, SSRF protection webhooks (HTTPS-only), IDOR fix GetUploadStatus, Hyperswitch webhook secret requis en prod, password reset tokens hashés (SHA-256), docker-compose.hybrid supprimé, secrets CI → GitHub Secrets
- Infra : Rate limiting Redis, alerting Prometheus, PostgreSQL 16 aligné, compose staging complet, CodeQL SAST, Rust CI avec clippy
- Qualité : 40 fmt.Printf → zap, ~45 any éliminés frontend, TypeScript 5.9.3 unifié, code mort supprimé (~1600 LOC), gorilla/websocket → coder/websocket
### v0.501 (Phase 5 Streaming & Cloud — Lots S1, C1, G1)
- Lot S1 — HLS production : transcoding adaptatif 3 tiers (128k, 256k, 320k), ABR hls.js, cache segments CDN, monitoring Prometheus (4 compteurs), waveform generation (FFmpeg + audiowaveform), WaveformDisplay SVG interactif, useHLSPlayer hook
- Lot C1 — Cloud Storage MVP : gestion dossiers/fichiers, upload drag-and-drop avec quota 5GB, prévisualisation audio inline, publication cloud → track
- Lot G1 — Gear avancé : profils publics (is_public toggle, GearShowcase), galerie images multi-photo avec carousel, recherche ILIKE avec SearchBar
- Infra : MinIO S3-compatible (dev, staging, prod), 6 migrations (103108)
- Sécurité : Trivy container scanning CI
### v0.803 (Phase 8 — Sécurité, Compliance & Outillage Dev)
- Security headers (CSP, HSTS, X-Frame-Options, etc.)
- DDoS rate limiting: global 1000 req/s, per-IP 100 req/s
- Audit middleware HTTP (POST/PUT/DELETE auto-log), GET /admin/audit/logs
- CCPA Sec-GPC, opt-out endpoint
- Account deletion hardening (anonymisation, S3, sessions)
- Moderation queue (reports CRUD, actions dismiss/warn/ban)
- Maintenance mode, announcements, feature flags
- AdminSettingsView (onglet SETTINGS) : maintenance, feature flags, annonces
- Maintenance mode (503, admin toggle)
- Announcements CRUD, GET /announcements/active
- Feature flags DB persistence
- AdminSettingsView, AdminModerationView, AnnouncementBanner connectés
### v0.802 (Phase 8 — Cloud avancé, Gear, Tags)
- Cloud : versioning, sharing, GDPR export, backup cron
- Gear : documents CRUD, repairs CRUD, warranty notifier
- Tags : GET /tags/suggest, audio/aiff
- Frontend : CloudFileVersions, CloudShareModal, GearDocumentsTab, GearRepairsTab
### v0.702 (Phase 7 — Reviews, Factures, Remboursements & Product Detail)
- Route /marketplace/products/:id avec ProductDetailPage (lazy)
- MSW handlers : reviews (GET/POST), invoice download
- Tests unitaires : reviews (6), invoices (4), refunds (6)
- API_REFERENCE.md : sections Reviews, Invoices, Refunds
### v0.801 (Phase 8 — UX/UI Polish, Accessibilité & PWA)
- User preferences: migration 118, PUT /users/me/preferences (contrast, density, accentHue, fontSize)
- Thèmes avancés: high contrast, compact/comfortable density, accent color, font size 1420px
- Accessibilité: ARIA labels, aria-haspopup menu, focus-visible ring, useReducedMotion
- PWA: service worker re-enabled (safe caching), Install App in Settings
- Background playback: useWakeLock for mobile
### v0.703 (Phase 7 — Go Live & Streaming Complet)
- Go Live : page /live/go-live, stream key, OBS instructions
- Endpoints : GET/POST /live/streams/me/key, GET /live/streams/me, PUT /live/streams/:id
- Live Chat WebSocket : LiveViewChat connecté, stream_id comme room
- Viewer count temps réel : polling dans LiveViewPlayer
- Media Session : seekbackward/seekforward (10s)
### v0.701 (Phase 7 — Retry, Admin Dashboard, Deep Health)
- Transfer Retry Worker : retry automatique des transferts failed (backoff exponentiel, max 3)
- Migration 116 : retry_count, next_retry_at sur seller_transfers
- GET /admin/transfers, POST /admin/transfers/:id/retry
- AdminTransfersView : tableau admin avec filtres, pagination, bouton Retry
- GET /health/deep : DB, Redis, S3, disk, config summary
- docs/API_REFERENCE.md
### v0.603 (Phase 6+ Transfer automatique, Commission & Stabilisation)
- T1 : Transfer automatique Stripe Connect après paiement réussi (webhook Hyperswitch)
- Commission plateforme configurable (PLATFORM_FEE_RATE, défaut 10 %)
- Migration 115 seller_transfers, modèle SellerTransfer, GET /sell/transfers
- Carte Transfer History dans SellerDashboard
- Tests unitaires : transfer success, multi-seller, transfer-fails
- Archivage docs pre-v0.501
### v0.602 (Phase 6+ Payout, Dette Technique & Tests E2E)
- CLN2 : Split interceptors auth.ts, error.ts, facade < 30 LOC
- P3 : Stripe Connect payout (onboarding, balance, seller_stripe_accounts)
- INF2 : Grafana dashboards enrichis (p50, top endpoints, 4xx, WS connections, messages/s, orders, refunds, payout)
- QA2 : E2E commerce backend (product -> order -> review -> invoice), SMOKE_TEST_V0602.md
### v0.601 (Phase 6 — Production Readiness & Commerce)
- INF1 : Blue-green HAProxy, Grafana dashboards (API, Chat, Commerce), Alertmanager, Hyperswitch LIVE_MODE
- AUTH1 : OAuth Discord, OAuth Spotify opérationnels
- CLN1 : handler.go split en 4 sous-handlers, interceptors.ts en modules (utils, request, response)
- QA1 : Tests OAuth, MIGRATIONS.md, audit console.log
### v0.503 (Phase 5 — HLS E2E + Chat Hardening + Cleanup)
- SS1 : HLS Streaming E2E (backend serving routes, frontend ABR player)
- CH1 : Redis rate limiter (sliding window + in-memory fallback), présence persistante Redis (2min TTL), PostgreSQL full-text search (tsvector + GIN index)
- CL1 : veza-chat-server directory supprimé, références CI/CD/config/scripts nettoyées
- QA1 : 23 Go tests passing, documentation
### v0.502 (Phase 5 Communication — Chat Server Rewrite)
- Chat Server Rust → Go : WebSocket intégré dans veza-backend-api (`/api/v1/ws`)
- Hub/Client avec goroutines readPump/writePump, 30s ping keepalive
- 18 types messages entrants, 20 types sortants (protocole identique au Rust)
- Handlers : SendMessage, EditMessage, DeleteMessage, JoinConversation, LeaveConversation, FetchHistory, SearchMessages, SyncMessages, Typing, MarkAsRead, Delivered, AddReaction, RemoveReaction, WebRTC signaling (5 types)
- PermissionService (room_members), RateLimiter (per-user per-action)
- ChatPubSubService (Redis PubSub + fallback in-memory)
- 4 nouvelles migrations (109112), 3 modèles GORM, 4 repositories enrichis
- Docker : suppression chat-server Rust de docker-compose.yml, staging.yml, prod.yml
- Frontend : dérivation WS_URL depuis API_URL, types TS mis à jour, MSW mis à jour
- 15 tests unitaires Go, E2E tests intégration, CHAT_FEATURE_PARITY.md (25/25 OK)
---
## 3. Prochaines étapes
### v0.503 (livrée 2026-02-22)
- SS1 : HLS Streaming E2E (backend routes + frontend ABR player)
- CH1 : Chat hardening (rate limiter Redis, présence persistante Redis, FTS PostgreSQL)
- CL1 : Cleanup veza-chat-server, nettoyage CI/CD/config
- QA1 : Tests, documentation
- Référence : [V0_503_RELEASE_SCOPE.md](V0_503_RELEASE_SCOPE.md)
### Prochaine version (v0.701)
- Retry automatique des transferts échoués (cron + backoff exponentiel)
- Dashboard admin des transferts (GET /admin/transfers, retry manuel)
- Deep health checks (GET /health/deep — DB, Redis, S3, disk)
- Startup config validation
- Documentation API Reference
- Référence : [V0_701_RELEASE_SCOPE.md](V0_701_RELEASE_SCOPE.md)
---
## 4. Sécurité
| Métrique | Avant v0.404 | Après v0.404 |
| ------------------ | ------------ | ------------ |
| **Score sécurité** | 5/10 | 7/10 |
**Améliorations v0.404 :**
- JWT stream token endpoint (`POST /auth/stream-token`) pour auth HLS/WebSocket
- SSRF protection sur webhooks (HTTPS-only, whitelist schéma)
- IDOR corrigé dans GetUploadStatus (ownership check)
- Hyperswitch webhook secret requis en production (HMAC)
- Password reset tokens hashés (SHA-256)
- Docker hybrid compose supprimé
- Credentials CI migrés vers GitHub Secrets
---
## 5. Infrastructure
| Élément | État v0.404 |
| ------------------- | ---------------------------------------- |
| Rate limiting Redis | ✅ Disponible |
| Alerting Prometheus | ✅ Règles ajoutées |
| PostgreSQL | ✅ Aligné v16 |
| Compose staging | ✅ Complet (chat, stream, reverse proxy) |
| CodeQL SAST | ✅ Ajouté |
| Rust CI (clippy) | ✅ Ajouté |
---
## 6. Qualité du code
| Métrique | v0.404 |
| ----------------------- | ---------------------------- |
| fmt.Printf → zap | 40 remplacements |
| any TypeScript éliminés | ~45 |
| TypeScript unifié | 5.9.3 |
| Code mort supprimé | ~1600 LOC |
| gorilla/websocket | Remplacé par coder/websocket |
---
## 7. Références rapides
| Document | Usage |
| ------------------------------------------------------------------ | ------------------------------------------------------- |
| [PLAN_V0_301_FINALISATION.md](archive/PLAN_V0_301_FINALISATION.md) | Plan de finalisation v0.301 |
| [V0_401_RELEASE_SCOPE.md](archive/V0_401_RELEASE_SCOPE.md) | Scope v0.401 (Phase 4 Commerce) |
| [V0_402_RELEASE_SCOPE.md](V0_402_RELEASE_SCOPE.md) | Scope v0.402 (checkout & codes promo) |
| [V0_303_RELEASE_SCOPE.md](V0_303_RELEASE_SCOPE.md) | Scope v0.303 (Chat appels WebRTC 1-to-1) |
| [PLAN_V0_401_IMPLEMENTATION.md](PLAN_V0_401_IMPLEMENTATION.md) | Plan d'implémentation v0.401 |
| [PLAN_V0_402_IMPLEMENTATION.md](PLAN_V0_402_IMPLEMENTATION.md) | Plan d'implémentation v0.402 |
| [V0_404_RELEASE_SCOPE.md](V0_404_RELEASE_SCOPE.md) | Scope v0.404 (stabilisation post-audit) |
| [V0_501_RELEASE_SCOPE.md](archive/V0_501_RELEASE_SCOPE.md) | Scope v0.501 (Streaming & Cloud, archivé) |
| [V0_502_RELEASE_SCOPE.md](archive/V0_502_RELEASE_SCOPE.md) | Scope v0.502 (Chat Server Rewrite, archivé) |
| [V0_503_RELEASE_SCOPE.md](archive/V0_503_RELEASE_SCOPE.md) | Scope v0.503 (archivé) |
| [V0_601_RELEASE_SCOPE.md](archive/V0_601_RELEASE_SCOPE.md) | Scope v0.601 (archivé) |
| [V0_602_RELEASE_SCOPE.md](archive/V0_602_RELEASE_SCOPE.md) | Scope v0.602 (archivé) |
| [PLAN_V0_601_IMPLEMENTATION.md](PLAN_V0_601_IMPLEMENTATION.md) | Plan d'implémentation v0.601 |
| [PLAN_V0_602_IMPLEMENTATION.md](PLAN_V0_602_IMPLEMENTATION.md) | Plan d'implémentation v0.602 |
| [V0_603_RELEASE_SCOPE.md](V0_603_RELEASE_SCOPE.md) | Scope v0.603 (Transfer auto, Commission, Stabilisation) |
| [PLAN_V0_603_IMPLEMENTATION.md](PLAN_V0_603_IMPLEMENTATION.md) | Plan d'implémentation v0.603 |
| [CHAT_FEATURE_PARITY.md](CHAT_FEATURE_PARITY.md) | Feature parity Rust vs Go (25/25 OK) |
| [V0_301_RELEASE_SCOPE.md](archive/V0_301_RELEASE_SCOPE.md) | Scope détaillé v0.301 (Phase 3 Social) |
| [V0_203_RELEASE_SCOPE.md](V0_203_RELEASE_SCOPE.md) | Scope v0.203 (archivé) |
| [SCOPE_CONTROL.md](SCOPE_CONTROL.md) | Anti-scope-creep, workflow |
| [FEATURE_STATUS.md](FEATURE_STATUS.md) | Statut des features par domaine |
| [CHANGELOG.md](../CHANGELOG.md) | Historique des versions |
---
## 8. Stack technique
| Composant | État |
| ------------------------- | ---------------------------------------- |
| Backend Go | ✅ Opérationnel |
| Frontend React (Vite) | ✅ Opérationnel |
| Chat Go (intégré backend) | ✅ Opérationnel (v0.502) |
| Stream Server Rust | ✅ Compile — HLS en intégration (v0.503) |
| PostgreSQL | ✅ |
| Redis | ✅ |
---
## 9. Indicateurs
| Métrique | Valeur |
| --------------------------- | ---------- |
| Features livrées (cumul) | ~353 / 600 |
| Features E2E fonctionnelles | 22 |
| Score maturité produit | 5/10 |
| Module Streaming | 55% |
| Module Cloud | 30% |
| Module Gear | 60% |
Reference in a new issue View git blame Copy permalink