diff --git a/CHANGELOG.md b/CHANGELOG.md index 91867f0..2d9bc76 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,20 @@ All notable changes to the FIVUCSAS platform. Dates are in ISO 8601 format. See each submodule's own `CHANGELOG.md` for granular per-repo changes. +## [2026-05-30] Stabilize-&-harden backlog — COMPLETE + +The 2026-05-30 stabilize-&-harden roadmap (P0-1/P0-2/P0-2b, P1-1…P1-5, P2-1/P2-2/P2-3 + frontend tests) is fully shipped and, where applicable, deployed. Two prod deploys done (identity-core-api P1-5 Flyway repair; biometric-processor P0-2b canonical reproducible build). + +- **P1-1** (identity-core-api #155/#156) — cross-tenant isolation ITs promoted to a REQUIRED, blocking CI gate (`-Dtest='*IntegrationTest,*IT'`, no `continue-on-error`, asserts they ran); 3 unit tests fixed to unblock `needs: test`. +- **P1-5** (identity-core-api #157, DEPLOYED) — Flyway chain DR-safe from a fresh DB: V29 resolves Default-Login + EMAIL_OTP by natural keys; V40 pkey collision + V40/V41 `COMMENT` syntax fixed; applies 71/71 from empty DB; one-time `flyway repair` (validate-on-migrate=true). Runbook: `identity-core-api/docs/RUNBOOK_FLYWAY_V29_REPAIR.md`. +- **P0-2b** (biometric-processor #125, DEPLOYED) — canonical reproducible bio build restored: digest-pinned base + lock-as-constraints; boots clean under prod `read_only`+`cap_drop` runtime; overlay demoted to fallback. +- **P2-2** (biometric-processor #124–#129) — CI honestly green (647 pass); masking removed. +- **P2-1** (spoof-detector #68) — results-integrity cleanup (leaked 100%/0.00%-ACER withdrawn, EER-on-test opt-in, weights heuristic; runtime unchanged). +- **P2-3** (parent #100) — `OPERATOR_SECURITY_RUNBOOKS.md` added. +- **Frontend tests** (web-app #133/#134) — +80 edge-case specs; suite 914 passing, 0 failing. + +**Operator follow-ups:** (1) add the `Integration tests (Testcontainers)` required status check in identity-core-api branch protection; (2) execute `OPERATOR_SECURITY_RUNBOOKS.md`. + ## [2026-05-30] Identity & account-linking (Phases 1-5) + ROOT role/user_type unification — SHIPPED A person operating multiple tenant accounts no longer re-enrols biometrics per account, and the platform-owner tier is now unambiguous. All deployed 2026-05-30. Design of record: `identity-core-api/docs/IDENTITY_ACCOUNT_LINKING_DESIGN.md` + `IDENTITY_ROLE_UNIFICATION.md`. See each submodule CHANGELOG/CLAUDE.md for granular detail. diff --git a/ROADMAP.md b/ROADMAP.md index f811ab0..5d6c368 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -1,6 +1,25 @@ # FIVUCSAS — Product Roadmap -> Last updated: 2026-05-30 — **Identity & account-linking (Phases 1-5) + ROOT role/user_type unification SHIPPED** (see the "Identity & Account-Linking — SHIPPED 2026-05-30" section directly below). Prior 2026-05-29 admin-walkthrough wave (9 PRs) + the 2026-05-12 wave (11 PRs) + the phase-A/B/C/I closures remain valid below. Verbose tier breakdown: `archive/2026-05/reviews/INVESTIGATION_MASTER_2026-05-07.md`. +> Last updated / verified: 2026-05-30 — **stabilize-&-harden backlog COMPLETE** (see "Stabilize & harden — COMPLETE 2026-05-30" directly below) **plus** the same-day Identity & account-linking (Phases 1-5) + ROOT role/user_type unification ship (section after it). Prior 2026-05-29 admin-walkthrough wave (9 PRs) + the 2026-05-12 wave (11 PRs) + the phase-A/B/C/I closures remain valid below. Verbose tier breakdown: `archive/2026-05/reviews/INVESTIGATION_MASTER_2026-05-07.md`. + +## Stabilize & harden — COMPLETE 2026-05-30 + +The 2026-05-30 stabilize-&-harden roadmap (P0-1/P0-2/P0-2b, P1-1…P1-5, P2-1/P2-2/P2-3) is **fully shipped and (where applicable) deployed**: + +| Item | What shipped | Where | +|---|---|---| +| **P0-1 / P0-2 / P1-2 / P1-3 / P1-4** | earlier in this wave — see each repo's CHANGELOG/CLAUDE.md | api / bio / web | +| **P0-2b** | Canonical reproducible bio build RESTORED — both `Dockerfile` `FROM` lines digest-pinned (`python:3.12-slim@sha256:090ba77e…`) + known-good lock as pip constraints; boots clean (no segfault) under prod `read_only`+`cap_drop` runtime; `Dockerfile.liveness-overlay` demoted to fallback. **DEPLOYED.** | biometric-processor #125 | +| **P1-1** | Cross-tenant isolation ITs are now a REQUIRED CI gate — `integration-tests` actually RUNS the ITs (`-Dtest='*IntegrationTest,*IT'`), BLOCKS (no `continue-on-error`), asserts they executed; 3 unit tests fixed to unblock `needs: test`. | identity-core-api #155 / #156 | +| **P1-5** | Flyway chain DR-safe from a fresh DB — V29 resolves Default-Login flow + EMAIL_OTP by natural keys (was prod-only hardcoded UUIDs); fixed V40 pkey collision + V40/V41 `COMMENT 'a'||'b'` syntax; applies 71/71 from empty DB; shipped via one-time `flyway repair` (validate-on-migrate=true). Runbook: `identity-core-api/docs/RUNBOOK_FLYWAY_V29_REPAIR.md`. **DEPLOYED.** | identity-core-api #157 | +| **P2-1** | spoof-detector results-integrity cleanup — leaked 100%/0.00%-ACER synthetic numbers withdrawn, EER-threshold-on-test made opt-in, fuser weights marked heuristic. Runtime unchanged. | spoof-detector #68 | +| **P2-2** | bio CI honestly green (647 pass) — `--ignore` / `continue-on-error` masking removed; lazy DeepFace import; stack-dependent ITs env-gated, not hidden. | biometric-processor #124–#129 | +| **P2-3** | `OPERATOR_SECURITY_RUNBOOKS.md` added (operator-gated security-hygiene runbooks). | parent #100 | +| **Frontend tests** | +80 edge-case specs (linking / consent / switcher / formatApiError); suite **914 passing, 0 failing**. | web-app #133 / #134 | + +**Operator follow-ups (2 remaining):** +1. Add the `Integration tests (Testcontainers)` REQUIRED status check in `identity-core-api` `main`-branch protection (so the P1-1 gate can't be merged around). +2. Execute the steps in parent `OPERATOR_SECURITY_RUNBOOKS.md` (P2-3 — operator-gated hygiene). ## Identity & Account-Linking (Phases 1-5) + ROOT unification — SHIPPED 2026-05-30 diff --git a/biometric-processor b/biometric-processor index 4b956d4..84a4f4c 160000 --- a/biometric-processor +++ b/biometric-processor @@ -1 +1 @@ -Subproject commit 4b956d4868dee174c88435b53173dbb2ba695837 +Subproject commit 84a4f4c8aec887a2006d30d036e8847cb32a837e diff --git a/identity-core-api b/identity-core-api index 3180c5c..0c50841 160000 --- a/identity-core-api +++ b/identity-core-api @@ -1 +1 @@ -Subproject commit 3180c5c85ec2ede961358e87e7b7081678aa0684 +Subproject commit 0c508418b8ba2238258f035698e72467248f44fd diff --git a/spoof-detector b/spoof-detector index 5049e6d..851d4d2 160000 --- a/spoof-detector +++ b/spoof-detector @@ -1 +1 @@ -Subproject commit 5049e6d049bd1f417a37831a086ae4d84334de58 +Subproject commit 851d4d26a0f3d9c02e6d9a0abd55f19c378ea33a diff --git a/web-app b/web-app index b8ce5a7..8d08646 160000 --- a/web-app +++ b/web-app @@ -1 +1 @@ -Subproject commit b8ce5a777488c5a4aabb687806beb41597127068 +Subproject commit 8d08646a547c7c9991930c3eb718100ee04f74c2