From 5227a86f2e5a41da9fba44eaa89135c8b05f39d1 Mon Sep 17 00:00:00 2001
From: Jan Svabenik <jan@svabi.ch>
Date: Sun, 5 Apr 2026 18:29:04 +0200
Subject: [PATCH] Ensure audio stream handler requires POST

---
 docs/pro-runtime-hardening-workboard.md |  4 +++-
 internal/control/control_test.go        | 10 ++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/docs/pro-runtime-hardening-workboard.md b/docs/pro-runtime-hardening-workboard.md
index 694a7cf..b825bb4 100644
--- a/docs/pro-runtime-hardening-workboard.md
+++ b/docs/pro-runtime-hardening-workboard.md
@@ -413,7 +413,9 @@ Diese Punkte könnten ggf. vorgezogen werden, auch wenn WS-05 formal nach WS-01/
 - Noch leer
 
 ## WS-05 Verifikation
-- Noch leer
+| Datum | Fokus | Ergebnis |
+|---|---|---|
+| 2026-04-05 | `/audio/stream` rejects non-POST requests | `TestAudioStreamRejectsNonPost` enforces POST-only access to `/audio/stream` before a stream source is configured |
 
 ---
 
diff --git a/internal/control/control_test.go b/internal/control/control_test.go
index 9c07f76..d810666 100644
--- a/internal/control/control_test.go
+++ b/internal/control/control_test.go
@@ -167,6 +167,16 @@ func TestAudioStreamPushesPCM(t *testing.T) {
 	}
 }
 
+func TestAudioStreamRejectsNonPost(t *testing.T) {
+	srv := NewServer(cfgpkg.Default())
+	rec := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/audio/stream", nil)
+	srv.Handler().ServeHTTP(rec, req)
+	if rec.Code != http.StatusMethodNotAllowed {
+		t.Fatalf("expected 405 for audio stream GET, got %d", rec.Code)
+	}
+}
+
 func TestTXStartWithoutController(t *testing.T) {
 	srv := NewServer(cfgpkg.Default())
 	rec := httptest.NewRecorder()