Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
61 changes: 61 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,67 @@

All notable changes to the FIVUCSAS platform. Dates are in ISO 8601 format. See each submodule's own `CHANGELOG.md` for granular per-repo changes.

## [2026-04-22b] UI refresh — verify.fivucsas.com (Scope B)

Copilot AI Apr 22, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The heading uses a non-ISO date tag (2026-04-22b), but the changelog intro states that dates are in ISO 8601 format. Consider switching this header to an ISO 8601 date (and encode the "b"/Scope in the title text), or update the changelog’s stated date-format convention so it matches the tags used here.

Suggested change
## [2026-04-22b] UI refresh — verify.fivucsas.com (Scope B)
## [2026-04-22] UI refresh — verify.fivucsas.com (Scope B)

Copilot uses AI. Check for mistakes.

Follow-up to Scope A. Polishes the hosted login surface
(`verify.fivucsas.com/login`) and the iframe widget
(`verify.fivucsas.com/?session_id=…`).

**Zero functional change.** Preserves every OAuth handler,
postMessage event shape, frame-bust effect, `assertSafeRedirectScheme`
guard, step component, SDK byte, CSP header, and Permissions-Policy
delegation. The `fivucsas-auth.js` SDK is **not rebuilt** — SHA-384 on
live matches the staged copy, so `bys-demo`'s SRI hash and every
external integrator's `integrity="sha384-…"` attribute remain valid.

### Changed

- `web-app/` submodule bump: `a4c0053 → 70a4c06`. Pulls in
[Rollingcat-Software/web-app#25](https://github.com/Rollingcat-Software/web-app/pull/25):
- `src/verify-app/HostedLoginApp.tsx` — `HostedFrame` rebuilt:
ambient radial gradient canvas (light + dark aware), gradient
brand-mark above the card, "Secured by FIVUCSAS" pill with
`VerifiedUserOutlined` icon, Poppins display title,
`verify.fivucsas.com` microcopy footer. All `parseHostedParams`,
`resolveLocale`, frame-bust effect, tenant meta fetch with
AbortController + 10s timeout, `handleLoginComplete`
(`/oauth2/authorize/complete` call), and `handleCancel` preserved.
- `src/verify-app/VerifyApp.tsx` — iframe body wrapper tokens tuned;
transparent background preserved so parent page styling still
bleeds through the widget. Every postMessage emission
(`sendReady`, `sendStepChange`, `sendComplete`, `sendCancel`,
`sendError`, `onParentMessage`, `setParentOrigin`) and every
handler preserved.
- `src/verify-app/LoginMfaFlow.tsx` — Card chrome softened
(mode-aware elevation, 20 px radius), header uses Poppins display
font with tighter letter-spacing, cancel button with compact close
icon. Phase state machine + every one of the 10 step components

Copilot AI Apr 22, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This says "every one of the 10 step components" but the parenthetical list contains 11 components (including NfcStep). Please reconcile the count with the list so the changelog entry is accurate.

Suggested change
icon. Phase state machine + every one of the 10 step components
icon. Phase state machine + every one of the 11 step components

Copilot uses AI. Check for mistakes.
(`PasswordStep`, `MethodPickerStep`, `TotpStep`, `SmsOtpStep`,
`EmailOtpMfaStep`, `FaceCaptureStep`, `VoiceStep`,
`FingerprintStep`, `QrCodeStep`, `HardwareKeyStep`, `NfcStep`)
untouched.

- `verify-widget/html/index.html` — regenerated by `sync-assets.sh`
to point at the new verify-app bundle
(`/assets/index-DGYB7Ly1.js`, `mui-vendor-DkSS5YNQ.js`,
`react-vendor-BkVLglrX.js`). This is the tracked entry for the
Docker image; asset chunks themselves remain gitignored.

### Deploy (followed the required 3-step sync)

1. `cd web-app && npm run build:verify` — clean, produced `dist-verify/`
2. `cd ../verify-widget && ./sync-assets.sh` — staged 43 files into
`verify-widget/html/`. SDK files (`fivucsas-auth.js`, `.esm.js`,
`.map`) kept their 2026-04-18 mtimes (untouched).
3. `docker compose -f docker-compose.prod.yml up -d --build verify-widget`
— nginx image rebuilt, container is healthy.

**Live verification:**
- `https://verify.fivucsas.com/` + `/login` → 200
- `sha384sum` on live `/fivucsas-auth.js` matches local staged copy —
SRI hashes in `bys-demo/index.html` + `callback.html` still valid
- 56 / 56 verify-app Vitest tests green, 608 / 608 full suite green

## [2026-04-22] UI refresh — landing, web-app shell, BYS demo (Scope A)

Zero functional change across the whole refresh. Every route, handler,
Expand Down
6 changes: 3 additions & 3 deletions verify-widget/html/index.html
Original file line number Diff line number Diff line change
Expand Up @@ -24,10 +24,10 @@
html, body { width: 100%; min-height: 100%; overflow-x: hidden; }
body { font-family: 'Inter', -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; }
</style>
<script type="module" crossorigin src="/assets/index-DaHnXTBo.js"></script>
<script type="module" crossorigin src="/assets/index-DGYB7Ly1.js"></script>
<link rel="modulepreload" crossorigin href="/assets/rolldown-runtime-COnpUsM8.js">
<link rel="modulepreload" crossorigin href="/assets/mui-vendor-MRtv65hb.js">
<link rel="modulepreload" crossorigin href="/assets/react-vendor-zwRPOsMw.js">
<link rel="modulepreload" crossorigin href="/assets/mui-vendor-DkSS5YNQ.js">
<link rel="modulepreload" crossorigin href="/assets/react-vendor-BkVLglrX.js">
<link rel="stylesheet" crossorigin href="/assets/index-Ci_SIW9g.css">
</head>
<body>
Expand Down
2 changes: 1 addition & 1 deletion web-app