senke 0e4117f028 docs: integrate audit roadmap into VEZA_VERSIONS_ROADMAP — v0.12.6.1 DONE, 14 versions added
- Mark v0.12.6.1 (pentest remediation 30/30) as DONE
- Add 14 new versions from audit: v0.12.6.2→v1.0.0-rc1
- Update tracking table with priorities P0→P3
- Update v0.12.6 checkboxes (all findings now resolved)
- Add Phase P7 (Conformité) and Validation phases
- Update AUDIT_05_ROADMAP_v1.0.md to reflect completed remediation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 06:34:52 +01:00


AUDIT_02_SPECIFICATIONS.md -- Summary of ORIGIN Requirements

Date: 2026-03-11  Auditor: Claude Opus 4.6


1. FEATURES REGISTRY (ORIGIN_FEATURES_REGISTRY.md)

1.1 Overview

  • Total specified features: ~560 (after removal of the 40 features excluded on ethical grounds)
  • Removed features: F456-F470 (AI/ML), F491-F500 (Blockchain/Web3), F536-F550 (Gamification)
  • IDs not reassigned: the removed numbers remain vacant

1.2 Modules and features per module

| Module | Range | Features | Priority |
|---|---|---|---|
| 1. Auth & Security | F001-F030 | 30 | P0-P1 |
| 2. Profiles & Users | F031-F065 | 35 | P0-P2 |
| 3. File Management | F066-F105 | 40 | P0-P2 |
| 4. Audio Streaming | F106-F150 | 45 | P0-P2 |
| 5. Chat & Messaging | F151-F185 | 35 | P1-P2 |
| 6. Social & Community | F186-F225 | 40 | P1-P2 |
| 7. Marketplace | F226-F275 | 50 | P1-P2 |
| 8. Training & Education | F276-F305 | 30 | P2-P3 |
| 9. Equipment Management | F306-F330 | 25 | P3 |
| 10. Cloud & Storage | F331-F350 | 20 | P2-P3 |
| 11. Search & Discovery | F351-F380 | 30 | P1-P2 |
| 12. Analytics & Statistics | F381-F410 | 30 | P1-P2 |
| 13. Administration | F411-F435 | 25 | P1-P2 |
| 14. UI/UX | F436-F455 | 20 | P2 |
| 15. AI & Advanced Features | F456-F470 | 15 | REMOVED |
| 16. Livestreaming | F471-F480 | 10 | P2 |
| 17. Real-Time Collaboration | F481-F490 | 10 | P2-P3 |
| 18. Blockchain & Web3 | F491-F500 | 10 | REMOVED |
| 19. External Integrations | F501-F520 | 20 | P2-P3 |
| 20. Native Applications (-> PWA) | F521-F535 | 15 | P2 |
| 21. Gamification | F536-F550 | 15 | REMOVED |
| 22. Notifications | F551-F570 | 20 | P1-P2 |
| 23. Advanced Security | F571-F585 | 15 | P0-P1 |
| 24. Developers & API | F586-F600 | 15 | P2-P3 |

2. API SPECIFICATION (ORIGIN_API_SPECIFICATION.md)

2.1 Mandatory principles

  • URLs: /api/v{version}/{resource} (plural nouns, snake_case fields)
  • Responses: JSON, ISO 8601 dates, UUID v4 IDs
  • Pagination: cursor-based by default, offset-based for fixed pages
  • Rate limiting: X-RateLimit-* headers mandatory, Retry-After on 429
  • Errors: standardized format {"error": {"code": 1000-9999, "message": ..., "details": [...]}}
  • Auth: JWT Bearer, OAuth 2.0 (Google, GitHub, Discord, Spotify)
  • RBAC roles: user, creator, premium, moderator, admin

2.2 Specified endpoints (extract from sections 7.x)

| Group | Endpoints | Examples |
|---|---|---|
| Auth | 8 | register, login, logout, refresh, forgot-password, reset-password, verify-email, me |
| Users | 6+ | GET/PATCH /{id}, GET /{id}/tracks, followers, following, follow/unfollow |
| Tracks | 10+ | CRUD, upload, stream, waveform, likes, comments, tags |
| Playlists | 8+ | CRUD, tracks, collaborate, share, export |
| Chat | 6+ | rooms, messages, reactions, mentions, search, attachments |
| Marketplace | 10+ | products, orders, checkout, downloads, reviews, promo codes |
| Search | 3+ | unified, suggestions, autocomplete |
| Feed | 2+ | feed, suggestions |
| Discover | 3+ | genre, tag, trending |
| Analytics | 5+ | dashboard, heatmap, comparison, export, audience |
| Admin | 5+ | metrics, users, content, payments, announcements |
| Notifications | 3+ | list, preferences, mark-read |
| Live | 4+ | start, stop, callbacks, list |
| Subscriptions | 4+ | plans, subscribe, cancel, invoices |
| GDPR | 3+ | export, delete account, anonymize |

2.3 Specified rate limits

| Type | Limit | Window |
|---|---|---|
| Authentication | 10 req | 1 min |
| Read (GET) | 1,000 req | 1 h |
| Write (POST/PUT/PATCH) | 100 req | 1 h |
| Upload | 10 | 1 h |
| Search | 500 | 1 h |
| Streaming | 10,000 plays | 1 day |
| Export | 3 req | 1 day |
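As an added illustration of how the 2.1 rate-limiting and error-envelope rules fit together with the 2.3 limits (example code, not VEZA's own; the fixed-window algorithm, the RemoteAddr key and error code 4290 are assumptions), a Go middleware that emits X-RateLimit-* on every response and answers 429 with Retry-After and the standard error body:

```go
package main

import (
	"fmt"
	"net/http"
	"sync"
	"time"
)

// RateLimiter is a fixed-window counter per client key (constructed example, not VEZA code).
type RateLimiter struct {
	mu      sync.Mutex
	Limit   int           // requests allowed per Window, e.g. 10 per minute for auth (2.3)
	Window  time.Duration
	count   map[string]int
	resetAt map[string]time.Time
}
// Take records one request for key and returns (allowed, remaining quota, window reset time).
func (rl *RateLimiter) Take(key string) (bool, int, time.Time) {
	rl.mu.Lock()
	defer rl.mu.Unlock()
	if rl.count == nil { rl.count, rl.resetAt = map[string]int{}, map[string]time.Time{} } // lazy init
	now := time.Now()
	if t, ok := rl.resetAt[key]; !ok || !now.Before(t) { // first hit, or the window expired
		rl.count[key], rl.resetAt[key] = 0, now.Add(rl.Window)
	}
	if rl.count[key] >= rl.Limit {
		return false, 0, rl.resetAt[key]
	}
	rl.count[key]++
	return true, rl.Limit - rl.count[key], rl.resetAt[key]
}
// Middleware sets the mandatory X-RateLimit-* headers on every response; once the quota is spent it
// answers 429 with Retry-After and the 2.1 error envelope. The key is RemoteAddr; behind a trusted proxy, key on the forwarded client IP.
func (rl *RateLimiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		allowed, remaining, reset := rl.Take(r.RemoteAddr)
		w.Header().Set("X-RateLimit-Limit", fmt.Sprint(rl.Limit))
		w.Header().Set("X-RateLimit-Remaining", fmt.Sprint(remaining))
		w.Header().Set("X-RateLimit-Reset", fmt.Sprint(reset.Unix()))
		if !allowed {
			w.Header().Set("Retry-After", fmt.Sprint(int(time.Until(reset)/time.Second)+1))
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusTooManyRequests)
			fmt.Fprint(w, `{"error":{"code":4290,"message":"rate limit exceeded","details":[]}}`) // 4290 is a constructed code
			return
		}
		next.ServeHTTP(w, r)
	})
}
```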

3. SECURITY FRAMEWORK (ORIGIN_SECURITY_FRAMEWORK.md)

3.1 Critical requirements

| Requirement | Ref | Criticality |
|---|---|---|
| Passwords hashed with Argon2id or bcrypt (cost >= 12) | Rule 1 | P0 |
| TLS 1.3 minimum on all communications | Rule 2 | P0 |
| Sensitive data encrypted at rest (AES-256) | Rule 3 | P0 |
| JWT access token: 15 min, refresh: 7 days | Rule 4 | P0 |
| MFA mandatory for admin and moderator | Rule 5 | P0 |
| Rate limiting on all public endpoints | Rule 6 | P0 |
| Server-side input validation mandatory | Rule 7 | P0 |
| Immutable audit logs for sensitive actions | Rule 8 | P0 |
| Mandatory security headers (CSP, HSTS, X-Frame-Options) | Rule 9 | P0 |
| Secrets NEVER in code | Rule 10 | P0 |

3.2 Audit findings (VEZA-SEC-001/002)

  • VEZA-SEC-001: default JWT secret hard-coded in config_rust.rs (P0) -> Fixed in v0.9.1
  • VEZA-SEC-002: JWT issuer/audience misalignment between Go and Rust (P0) -> Fixed in v0.9.1
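As an added example of the claims contract that Rule 4 and VEZA-SEC-002 imply (example code, not VEZA's own; the TokenPolicy and Claims names, a single-string aud, and the assumption that the JWT library has already verified the signature are mine), a Go validator that pins issuer and audience and caps the access-token lifetime at 15 minutes:

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// TokenPolicy is the claims contract both backends must enforce identically (constructed example,
// not VEZA code). Pinning Issuer and Audience is the VEZA-SEC-002 point; MaxAccessTTL is Rule 4's 15 min.
type TokenPolicy struct {
	Issuer       string
	Audience     string
	MaxAccessTTL time.Duration
}
// Claims are the registered claims checked here; aud is assumed to be a single string.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}
// ValidateClaims decodes the payload of a compact JWT whose signature the JWT library has ALREADY
// verified and enforces the shared contract; it is not a substitute for signature verification.
func (p TokenPolicy) ValidateClaims(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("jwt: malformed compact token")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("jwt: payload: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("jwt: claims: %w", err)
	}
	switch {
	case c.Iss != p.Issuer || c.Aud != p.Audience: // a Go-minted token must carry what Rust expects, and vice versa
		return nil, fmt.Errorf("jwt: issuer/audience %q/%q, want %q/%q", c.Iss, c.Aud, p.Issuer, p.Audience)
	case c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("jwt: expired or missing exp")
	case c.Iat == 0 || time.Duration(c.Exp-c.Iat)*time.Second > p.MaxAccessTTL: // refuse refresh-length access tokens
		return nil, fmt.Errorf("jwt: lifetime exceeds the access-token policy")
	}
	return &c, nil
}
```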

3.3 Pentest v0.12.6 findings

  • 2 CRITICAL, 10 HIGH, 12 MEDIUM, 6 LOW, 5 INFO
  • Status: 2 CRITICAL fixed, 3 HIGH remaining to fix

4. BUSINESS LOGIC (ORIGIN_BUSINESS_LOGIC.md)

4.1 Financial rules

| Rule | Value |
|---|---|
| Creator commission | 15% |
| Premium commission | 10% |
| Automatic payout | >= $50 (weekly) |
| Manual payout | >= $100 |
| Refund | 30 days max (14 days standard) |
| Prices in cents | Mandatory |

4.2 Subscription plans

| Plan | Price | Storage | Upload | Commission |
|---|---|---|---|---|
| Free | $0/month | 1 GB | 5 tracks/month | N/A |
| Creator | $9.99/month | 50 GB | Unlimited | 15% |
| Premium | $19.99/month | 200 GB | Unlimited | 10% |

4.3 Moderation rules

  • 3 strikes = automatic suspension
  • Final decision is always human
  • Categories: spam, offensive content, rights violation, fake, other
  • Deterministic detection only (no ML)

4.4 Ethical notifications

  • Push disabled by default (except DMs and follows)
  • No "X likes" or gamification in notifications
  • Configurable quiet hours
  • One-click marketing opt-out

5. PERFORMANCE TARGETS (ORIGIN_PERFORMANCE_TARGETS.md)

5.1 SLOs

| Metric | Target | Stretch |
|---|---|---|
| API p95 | < 100ms | < 50ms |
| API p99 | < 200ms | < 100ms |
| DB query p95 | < 10ms | < 5ms |
| FCP | < 1.5s | < 1s |
| TTI | < 3.5s | < 2s |
| Audio stream start | < 500ms | < 300ms |
| Search results | < 500ms | < 200ms |
| Uptime | 99.9% | 99.99% |

5.2 Lighthouse scores

| Category | Target |
|---|---|
| Performance | >= 90 |
| Accessibility | >= 95 |
| Best Practices | >= 90 |
| SEO | >= 90 |

5.3 Budgets

| Metric | Limit |
|---|---|
| Initial JS bundle | < 200KB gzip |
| N+1 queries | Forbidden |
| Memory leaks | Zero tolerance |
| Audio rebuffering | < 0.5% |
| Concurrent users | 100K (prod target) |
| Throughput | 10K req/s |

6. TESTING STRATEGY (ORIGIN_TESTING_STRATEGY.md)

6.1 Coverage targets

| Type | Coverage | Max time |
|---|---|---|
| Unit tests | >= 80% of lines | < 2 min |
| Integration tests | >= 70% of endpoints | < 5 min |
| E2E tests | >= 50% of critical flows | < 10 min |
| Performance tests | 100% of critical endpoints | < 15 min |
| Security tests | 100% OWASP Top 10 | < 20 min |
| Load tests | 100% of prod scenarios | 30-60 min |

6.2 Coverage per stack (trajectory)

| Stack | Current (est.) | Phase 3.5 | Phase 4R | Phase 5R |
|---|---|---|---|---|
| Frontend | ~50% | 70% | 75% | 80% |
| Backend Go | Not measured | 70% | 80% | 80% |
| Backend Rust | Not measured | 60% | 70% | 75% |

7. UI/UX SYSTEM (ORIGIN_UI_UX_SYSTEM.md)

7.1 SUMI design system

  • 200+ specified components
  • Design tokens (colors, typography, spacing, shadows, radius)
  • Dark mode mandatory
  • Mobile-first design
  • 4px base spacing grid

7.2 Anti-dark-patterns (S13)

Forbidden: FOMO, manipulative push notifications, unsubscribe friction, public popularity metrics, streaks/XP/leaderboards, confirmshaming, bait-and-switch, roach motels, trick questions, disguised ads, hidden costs

7.3 Accessibility

  • WCAG AA minimum across the whole platform
  • WCAG AAA for critical functions (navigation, audio playback, upload, sign-up)
  • Complete keyboard navigation
  • Screen reader support (ARIA labels)
  • Contrast >= 4.5:1 (normal text), >= 3:1 (large text)

8. CODE STANDARDS (ORIGIN_CODE_STANDARDS.md)

8.1 Mandatory conventions

| Convention | Description |
|---|---|
| Mandatory formatters | gofmt, rustfmt, Prettier |
| Mandatory linters | golangci-lint, clippy, ESLint |
| Mandatory tests | Coverage >= 80% on new code |
| Context propagation | Every I/O function takes ctx as its first parameter |
| API error format | {"error": {"code": ..., "message": ..., "context": ...}} |
| Pagination | {"data": [...], "pagination": {...}} |
| Logging | JSON: level, time, msg, request_id, user_id |
| Goroutines | Termination mechanism mandatory |
| Functions | Max 50 lines, cyclomatic complexity < 10 |
| Dead code | Forbidden; remove immediately |
| Magic numbers | Forbidden (use constants) |

9. QUALITY METRICS (ORIGIN_QUALITY_METRICS.md)

9.1 Identified technical debts (DT-001 to DT-017)

| ID | Description | Priority |
|---|---|---|
| DT-007 | .nvmrc missing | Fixed |
| DT-008 | rust-toolchain.toml missing | Fixed |
| DT-013 | TypeScript strict mode | Fixed |
| DT-001 to DT-017 | See details in ORIGIN | Variable |

10. ERROR PATTERNS (ORIGIN_ERROR_PATTERNS.md)

10.1 Identified patterns (31 total)

| Category | Patterns | Priority |
|---|---|---|
| Backend Go | 10 | P0-P1 |
| Frontend TypeScript | 8 | P0-P2 |
| Tests | 6 | P1-P2 |
| Configuration | 3 | P0-P1 |
| Lint/Format | 4 | P2 |

Key patterns:

  • PAT-001: Import cycles (circular dependencies)
  • PAT-002: Type mismatches (string vs *string)
  • PAT-024: JWT mismatch between Go and Rust
  • PAT-025: Context propagation missing
  • PAT-026: Goroutine leaks
  • PAT-027: Inconsistent pagination
  • PAT-028: Non-standard error handling

11. GO/NO-GO v1.0 CRITERIA

Security

  • JWT RS256 in production
  • No secrets in the git repository
  • Pentest validated (0 open critical/high findings)
  • GDPR: export and deletion functional

Stability

  • Uptime >= 99.9% (last 30 days)
  • 5xx error rate < 0.1%
  • No unresolved P0 incident

Performance

  • p95 API < 100ms
  • Lighthouse Performance >= 85
  • Lighthouse Accessibility >= 90
  • Lighthouse PWA >= 90

Quality

  • Test coverage >= 70% (Go + Rust)
  • 0 linting errors
  • CI/CD green for 2 weeks

Ethics

  • Anti-dark-patterns UX audit validated
  • No behavioral data resold
  • Discovery algorithm documented and auditable
  • Privacy policy GDPR-compliant

Business

  • Payment flow tested E2E in production
  • Creator payout flow tested
  • Support accessible

End of the Phase 2 specifications summary