Merged
135 commits
cdeee0c
chore(deps-dev): bump vite from 6.4.1 to 6.4.2 in /landing-website (#28)
dependabot[bot] Apr 18, 2026
cf70ba2
docs(changelog): 2026-04-24 evening — 12 more PRs merged, puzzle-page…
ahmetabdullahgultekin Apr 24, 2026
47d212f
docs(changelog): PR #38 — frontend RBAC gating (Rules 2+3) live on ap…
ahmetabdullahgultekin Apr 24, 2026
a51ae4f
chore(submodule): bump identity-core-api → 4bee6d7 (4 PRs landed 2026…
ahmetabdullahgultekin Apr 25, 2026
6a6e93f
chore(submodule): bump web-app → 1689177 (PR #39 biometric-puzzles)
ahmetabdullahgultekin Apr 25, 2026
3e123c2
chore(submodule): bump biometric-processor → 4a9383d (PR #36 anti-spo…
ahmetabdullahgultekin Apr 25, 2026
ea8448b
chore(submodule): bump web-app → 9d7f0c2 (PR #40 lint sweep, 78→17 wa…
ahmetabdullahgultekin Apr 25, 2026
6098744
chore(submodule): bump client-apps → acd395d (PRs #27/#28/#29 — Andro…
ahmetabdullahgultekin Apr 25, 2026
1719e38
chore(submodule): bump client-apps → 2af501f (PR #30 V16 i18n — 12 lo…
ahmetabdullahgultekin Apr 25, 2026
540c4bc
chore(submodule): bump biometric-processor → ee1e870 (PR #51 anti-spo…
ahmetabdullahgultekin Apr 25, 2026
06e3cfa
chore(submodule): bump web-app → 07f34d0 (PR #41 CI fix unblocks #39+…
ahmetabdullahgultekin Apr 25, 2026
a085449
chore(submodule): bump biometric-processor → bdd8203 (PR #52 config v…
ahmetabdullahgultekin Apr 25, 2026
876922f
chore(submodules): bump for today's afternoon-evening wave
ahmetabdullahgultekin Apr 25, 2026
27b2f0e
chore(submodule): bump identity-core-api → 07b6bcf (PR #30 V47 enroll…
ahmetabdullahgultekin Apr 25, 2026
32ee217
chore(submodules): bump for next wave (4 more PRs landed + 2 deploys)
ahmetabdullahgultekin Apr 25, 2026
a82700b
chore(submodules): bump for 3 Dependabot security/patch merges (web #…
ahmetabdullahgultekin Apr 25, 2026
fe220d2
chore(submodule): bump biometric-processor → f6c6fcb (PR #55 gesture …
ahmetabdullahgultekin Apr 25, 2026
fdbedad
chore(submodules): bump client-apps + biometric-processor (post-PR-#3…
ahmetabdullahgultekin Apr 26, 2026
cdb116b
chore(submodule): bump web-app → 0c61076 (PR #31 GestureLivenessStep …
ahmetabdullahgultekin Apr 26, 2026
276671f
chore(submodule): bump client-apps → 0104d15 (PR #35 polish: i18n + U…
ahmetabdullahgultekin Apr 26, 2026
70cf885
docs: strip iOS/macOS from forward roadmap (out of scope, no Apple ha…
ahmetabdullahgultekin Apr 26, 2026
a192a7d
docs: refresh CLAUDE.md + add login surfaces comparison + close-out s…
ahmetabdullahgultekin Apr 26, 2026
862f081
chore(submodule): bump identity-core-api → 82b3a48 (V48 drop biometri…
ahmetabdullahgultekin Apr 26, 2026
fa69dc0
chore(submodule): bump web-app → $(git -C web-app rev-parse --short H…
ahmetabdullahgultekin Apr 26, 2026
a366bd3
chore(submodule): bump identity-core-api → 462c062 (PR #36 PKCE D5a/b)
ahmetabdullahgultekin Apr 26, 2026
46dd45f
chore(biometric): bump submodules + roadmap docs
ahmetabdullahgultekin Apr 28, 2026
12241c8
chore(submodule): bump biometric-processor (compose centerface+anti-s…
ahmetabdullahgultekin Apr 28, 2026
f79372d
chore(submodule): bump biometric-processor (mtcnn fix)
ahmetabdullahgultekin Apr 28, 2026
030705c
chore(submodule): bump web-app (CI env fix + FaceLandmarker + passive…
ahmetabdullahgultekin Apr 28, 2026
d83d88d
docs(2026-04-28): refresh CLAUDE.md + add session roadmap and client-…
ahmetabdullahgultekin Apr 28, 2026
5199952
chore(submodules): bump web-app + identity-core-api + biometric-proce…
ahmetabdullahgultekin Apr 28, 2026
d0d9931
chore(submodule): bump identity-core-api → c25b731 (users-list lastLo…
ahmetabdullahgultekin Apr 28, 2026
38f5e83
chore(submodule): bump identity-core-api → 5446d57 (V42 + tenant-lock)
ahmetabdullahgultekin Apr 28, 2026
f3f185e
docs: multi-email / multi-tenant identity design note
ahmetabdullahgultekin Apr 28, 2026
41aecdf
docs(archive): move 16 superseded reports into archive/2026-04-pre-ro…
ahmetabdullahgultekin Apr 28, 2026
bd388ea
chore(2026-04-28-evening): 4 audit reports + bump submodules
ahmetabdullahgultekin Apr 28, 2026
014109d
docs(audit): 2026-04-29 ops follow-up — closes 2 P0 + 2 P1 from yeste…
ahmetabdullahgultekin Apr 29, 2026
385c745
chore(submodule): bump web-app → eef1657 (Sec-P0b — biometric API key…
ahmetabdullahgultekin Apr 29, 2026
0f487c0
chore(submodule): bump identity-core-api → d4c4d43 (5 P1 carryovers +…
ahmetabdullahgultekin Apr 29, 2026
91e0905
chore(submodule): bump web-app → c641d4e (basic-audit P1 sweep)
ahmetabdullahgultekin Apr 29, 2026
574351c
chore(submodules): bump api → 69bfa09 + web-app → c580822 (5-team wave)
ahmetabdullahgultekin Apr 29, 2026
02db026
chore(deploy): tag :latest images with :sha-<short> after build (Ops-…
ahmetabdullahgultekin Apr 29, 2026
8480c8a
chore(audit): close DRAFT audit PRs api#32 + web#45 as superseded
ahmetabdullahgultekin Apr 29, 2026
01135c0
docs(changelog): add 2026-04-28 + 2026-04-29 hardening wave entries
ahmetabdullahgultekin Apr 29, 2026
3cf98bf
chore: bump submodules — bio→22563fd (file-size guard), web→5b8f876 (…
ahmetabdullahgultekin Apr 29, 2026
dcbb592
chore(submodules): bump api → 30371e8 (Z1) + web-app → 9e151bf (Z2)
ahmetabdullahgultekin Apr 29, 2026
5f7464e
docs(claude): refresh status to 2026-04-29 — Z-wave shipped
ahmetabdullahgultekin Apr 29, 2026
dbfb778
chore(submodule): bump web-app → 9231f4d (Z2 vitest exclude)
ahmetabdullahgultekin Apr 29, 2026
a49ad5f
chore: bump docs+bio submodules + ignore verify-widget/html build art…
ahmetabdullahgultekin Apr 30, 2026
cec373a
chore(submodules): bump api+web to ship gitleaks CI
ahmetabdullahgultekin Apr 30, 2026
77d1c1c
chore(submodules): bump api+web — gitleaks CLI fix + allowlist
ahmetabdullahgultekin Apr 30, 2026
71e24a3
docs(claude): mark all reachable Z-wave + ops follow-ups as completed…
ahmetabdullahgultekin Apr 30, 2026
9cff734
docs(claude): record biometric-API-key rotation + Grafana ops-email +…
ahmetabdullahgultekin Apr 30, 2026
14d2877
chore(submodule): web-app 7365003 — CI SKIP_MODEL_FETCH
ahmetabdullahgultekin Apr 30, 2026
83c0ff7
chore(submodule): web-app c791923 — fix dashboard/profile mismatches
ahmetabdullahgultekin Apr 30, 2026
b9548a3
chore(submodule): web-app 91b1b6e — face mesh + hand skeleton overlay…
ahmetabdullahgultekin Apr 30, 2026
03bb6f0
chore(submodule): web-app 0654b27 — close P3 session-count UX
ahmetabdullahgultekin Apr 30, 2026
7239728
docs(claude): record late-day profile UX polish + puzzle landmark ove…
ahmetabdullahgultekin Apr 30, 2026
52e5659
refactor(landing): strip Marmara University from buyer-facing copy (P…
ahmetabdullahgultekin May 1, 2026
ba49025
chore(submodules): bump api+bio+web — 7 PRs landed (Phase 1+2 + Copilot)
ahmetabdullahgultekin May 1, 2026
7e2d61c
docs(triage): USER_BUGS_2026-04-30 — face-no-gate / YOLO wrong class …
ahmetabdullahgultekin May 1, 2026
7085a46
chore(submodules): bump api+bio+web — USER-BUG-1 + 3, JVM heap, post-…
ahmetabdullahgultekin May 1, 2026
19290cd
chore(submodules): bump api+bio+web — USER-BUG-2 closed (server+clien…
ahmetabdullahgultekin May 1, 2026
463411a
docs(user-bugs): all four closed; operator rebuild + E.164 phone foll…
ahmetabdullahgultekin May 1, 2026
cb68f91
chore(submodule): identity-core-api → 567ce25 — ShedLock for SoftDele…
ahmetabdullahgultekin May 1, 2026
d8a84ba
chore(submodules): bump api+web — auth-methods-testing real APIs (USE…
ahmetabdullahgultekin May 1, 2026
ff03346
chore(submodules): bump api+bio — Copilot post-merge round 2 fixes (r…
ahmetabdullahgultekin May 1, 2026
2544d2e
docs(user-bugs): USER-BUG-5 (auth-methods-testing mocks) closed; stat…
ahmetabdullahgultekin May 1, 2026
297f04e
chore(submodule): web-app → f2930ca — Copilot post-merge round 2 (PR …
ahmetabdullahgultekin May 1, 2026
930d132
chore(submodules): bump api+web — Copilot post-merge round 3
ahmetabdullahgultekin May 1, 2026
7fa269c
chore(submodule): biometric-processor — Copilot post-merge round 4 (P…
ahmetabdullahgultekin May 1, 2026
c7a56a6
chore(submodule): identity-core-api → V53 forbid hard-delete trigger …
ahmetabdullahgultekin May 1, 2026
dcebf0f
chore(submodule): web-app — wrong-password error fix (USER-BUG-6, PR …
ahmetabdullahgultekin May 1, 2026
a7c4372
chore(submodules): bump web+bio — face login cold-start (USER-BUG-7)
ahmetabdullahgultekin May 1, 2026
8ed110a
chore(submodules): bump api+web — admin-pages bug sweep (USER-BUG-8/9…
ahmetabdullahgultekin May 1, 2026
fb72666
chore(submodule): identity-core-api → V54 E.164 phone validation (PR …
ahmetabdullahgultekin May 1, 2026
a73c79f
chore(submodule): identity-core-api → AuthController.verifyMfaStep ex…
ahmetabdullahgultekin May 1, 2026
8a7cf89
chore(submodules): bump api+web+bio — Copilot post-merge round 5 (26 …
ahmetabdullahgultekin May 1, 2026
a1d3df0
chore(submodule): identity-core-api → Copilot round 6 on PR #50 (PR #52)
ahmetabdullahgultekin May 1, 2026
1efa889
chore(submodule): web-app — phone E.164 auto-prefix (USER-BUG-4 part …
ahmetabdullahgultekin May 1, 2026
72c2bfe
chore(submodule): identity-core-api → Copilot round 7 on PR #52 (PR #53)
ahmetabdullahgultekin May 1, 2026
694242e
docs(session): 2026-05-01 status snapshot + 4 historical 4-lens revie…
ahmetabdullahgultekin May 1, 2026
36411a6
chore(submodule): identity-core-api → P0 cross-tenant breach fixed (P…
ahmetabdullahgultekin May 1, 2026
15e6ddf
chore(api-submodule): bump to security wave 2026-05-02 (P0-SEC-2/4 + …
ahmetabdullahgultekin May 2, 2026
758ef69
docs(2026-05-02): session status + proctoring/amispoof.com design memo
ahmetabdullahgultekin May 2, 2026
a4f9051
chore(api-submodule): bump to WebAuthn fix wave (PR #57)
ahmetabdullahgultekin May 2, 2026
4fce7e7
chore(2026-05-02): api bump + optimized roadmap
ahmetabdullahgultekin May 2, 2026
f6e9f91
docs(session-status): record CustomUserDetails blast-radius + upgrade…
ahmetabdullahgultekin May 2, 2026
d6811bf
chore(submodules): bump web-app + biometric-processor to 2026-05-02 main
ahmetabdullahgultekin May 2, 2026
54bb412
chore(submodule): web-app → F3 Playwright tags + nightly cron (PR #65)
ahmetabdullahgultekin May 2, 2026
65d53a2
chore(submodule): web-app → P1-FE error-surfacing batch (PR #66)
ahmetabdullahgultekin May 2, 2026
ce0a6ae
chore(submodule): identity-core-api → backend quality + YAML hotfix (…
ahmetabdullahgultekin May 2, 2026
e74b20e
docs(2026-05-02): rebuild executed + JWT/User analysis + soak plan
ahmetabdullahgultekin May 2, 2026
5e7ace5
chore(submodules): land PR-#63/#64/#67/#68 — backend/bio quality batc…
ahmetabdullahgultekin May 4, 2026
adfa6f8
chore(web-submodule): T-FRONTEND-HYGIENE P3 batch
ahmetabdullahgultekin May 4, 2026
e0e87b5
docs(2026-05-04): roadmap refresh + CHANGELOG entry for Wave 1
ahmetabdullahgultekin May 4, 2026
725ea44
chore(api-submodule): T-SEC-TAIL DeviceController boundary + P2 cleanup
ahmetabdullahgultekin May 4, 2026
044d537
docs(review): senior UI/UX designer review of verify + app — 2026-05-04
ahmetabdullahgultekin May 4, 2026
b5291f2
docs(review): senior DB engineer deep review — 2026-05-04
ahmetabdullahgultekin May 4, 2026
4eeae57
chore(api-submodule): T-ARCH V57 pg_partman migration
ahmetabdullahgultekin May 4, 2026
0be0bca
chore(2026-05-04): land Wave 1 + Wave 2 + senior reviews — final bumps
ahmetabdullahgultekin May 4, 2026
ac0b78d
docs(audit): CI/CD pipeline deep review — 2026-05-04
ahmetabdullahgultekin May 4, 2026
28f2b33
docs(2026-05-04): doc-sweep — ROADMAP refresh + CHANGELOG + submodule…
ahmetabdullahgultekin May 4, 2026
b386c21
chore(web-submodule): T-UIUX-P1 batch (PR #72)
ahmetabdullahgultekin May 4, 2026
3e59a0e
chore(2026-05-04): late-day — P0 deployed + Copilot/UIUX/CICD waves l…
ahmetabdullahgultekin May 4, 2026
46bf751
docs(roadmap): professional rewrite — Tier 1-7 stack post-late-day de…
ahmetabdullahgultekin May 4, 2026
5a427fb
docs(roadmap): T4.10 — fold T-COPILOT-DEEP late-arriving deferred items
ahmetabdullahgultekin May 4, 2026
f2efeac
docs(audit): documentation audit + organization recommendations 2026-…
ahmetabdullahgultekin May 4, 2026
ea4da37
chore(2026-05-04 PM): USER-BUG-2 guest invitation jsonb fix DEPLOYED
ahmetabdullahgultekin May 4, 2026
08ad4bf
docs(roadmap): T4.12 — fold T-DOC-AUDIT findings into roadmap
ahmetabdullahgultekin May 4, 2026
604738f
docs: SECURITY.md + LICENSE + landing-website README (T4.12.a/b/c) (#39)
ahmetabdullahgultekin May 6, 2026
bab809e
chore(ci): rewrite deploy-landing on ubuntu-latest (#38)
ahmetabdullahgultekin May 6, 2026
d4fbf5f
chore(deps-dev): bump postcss from 8.5.6 to 8.5.14 in /landing-websit…
dependabot[bot] May 7, 2026
002198a
2026-05-07: 6-lens investigation + 10 P0 fixes (7 shipped) + user-bug…
ahmetabdullahgultekin May 7, 2026
52b24cb
2026-05-07 late: tenant pre-flight gate + verify.fivucsas Round 2 + s…
ahmetabdullahgultekin May 7, 2026
ebdfbec
chore(docs): archive stale 2026-04 review/audit/roadmap docs to archi…
ahmetabdullahgultekin May 7, 2026
957646e
2026-05-07 Round 3: P1 batch + P0-#7+#8+#9 + prod rebuild verified
ahmetabdullahgultekin May 7, 2026
7ee52de
chore(submodules): bump api/bio/web — P1 batch 2026-05-08
ahmetabdullahgultekin May 8, 2026
55d62da
chore(submodules): bump bio — compose-fix for FIVUCSAS_EMBEDDING_KEY …
ahmetabdullahgultekin May 8, 2026
c0614c6
chore(submodules): bump api — APP_PURGE_SOFT_DELETE_ENABLED wired (#91)
ahmetabdullahgultekin May 9, 2026
61e400a
chore(submodules): bump api — V29 Testcontainers FK fix (#92)
ahmetabdullahgultekin May 9, 2026
58436e3
chore(submodules): bump bio — CI infra round 1+2 (#80)
ahmetabdullahgultekin May 9, 2026
a6ac35a
chore(submodules): extract spoof-detector to standalone repo
ahmetabdullahgultekin May 9, 2026
3d60bec
chore(submodules): bump bio + spoof-detector — antispoof restructure
ahmetabdullahgultekin May 9, 2026
87500f6
chore(submodules): bump practice-and-test — liveness R&D collection (#7)
ahmetabdullahgultekin May 9, 2026
0db0270
chore(submodules): bump spoof-detector — research consolidation (#2)
ahmetabdullahgultekin May 9, 2026
be4129b
chore(submodules): bump bio→31a2667 + spoof-detector→99b5170
ahmetabdullahgultekin May 9, 2026
8671ccf
chore(submodule): bump spoof-detector → 23d10d0 (complete bio mirror)
ahmetabdullahgultekin May 9, 2026
8940066
chore(submodule): bump spoof-detector → paper-prep + hybrid arch + IS…
ahmetabdullahgultekin May 9, 2026
b264d5d
chore(submodule): bump spoof-detector → real-numbers in-house validat…
ahmetabdullahgultekin May 9, 2026
4888aa8
chore(submodule): bump spoof-detector → public-dataset benchmarks (CA…
ahmetabdullahgultekin May 9, 2026
01c40d6
chore(submodule): bump spoof-detector → all 6 bootstrap CIs + ablatio…
ahmetabdullahgultekin May 9, 2026
3187d88
chore(branch-protection): enable 1-review + admin-bypass on main acro…
ahmetabdullahgultekin May 11, 2026
51a28bf
chore(merge): reconcile master into main (session 2026-05-11) (#51)
ahmetabdullahgultekin May 11, 2026
d44725e
chore(sync): main -> master post-reconciliation (session 2026-05-11)
ahmetabdullahgultekin May 11, 2026
7 changes: 7 additions & 0 deletions .env.example
Expand Up @@ -26,6 +26,13 @@ REDIS_PASSWORD=change_me_in_production
JWT_SECRET=your-super-secret-256-bit-key-change-this-in-production
JWT_ACCESS_TOKEN_EXPIRATION=3600000
JWT_REFRESH_TOKEN_EXPIRATION=604800000
# BE-H1: signing algorithm. Default RS256 (asymmetric, OIDC best practice).
# HS512 is verify-only for legacy tokens minted before the 2026-04-20 flip.
JWT_DEFAULT_ALGO=RS256
JWT_RSA_KID=rs-2026-04
# RSA key pair (PEM). REQUIRED in prod; auto-generated in dev profile if omitted.
JWT_RSA_PRIVATE_KEY_PEM=
JWT_RSA_PUBLIC_KEY_PEM=

# ============================================================================
# Service URLs
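Review bot: The two empty entries `JWT_RSA_PRIVATE_KEY_PEM=` and `JWT_RSA_PUBLIC_KEY_PEM=` do not say how a multi-line PEM is expected to fit in a single-line env value (escaped newlines, base64, or a file path), so an operator filling in the "REQUIRED in prod" values has to guess; add a one-line comment stating the expected encoding. The "auto-generated in dev profile if omitted" comment should also say whether that key is persisted across restarts. On the HS512 line, name the date after which legacy tokens stop being accepted: as long as HS512 is verify-only, `JWT_SECRET` above is still a live verification key, and its placeholder value must not reach production.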
3 changes: 2 additions & 1 deletion .github/workflows/deploy-landing.yml
@@ -1,8 +1,9 @@
name: Deploy Landing to Hostinger

on:
workflow_dispatch:
push:
branches: [master]
branches: [main, master]
paths:
- 'landing-website/**'
- '.github/workflows/deploy-landing.yml'
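Review bot: `branches: [main, master]` makes a push to either branch a production deploy trigger, and the last commits in this PR sync main into master, so a single landing change can start the deploy twice. If master is kept only as a mirror, drop it from this list; otherwise add a `concurrency` group to the workflow so overlapping runs do not race on the Hostinger upload.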
1 change: 0 additions & 1 deletion .gitignore
Expand Up @@ -40,7 +40,6 @@ nul
*.zip

# Archive and backup folders
/archive/
/_backup_before_submodules/

# Claude metadata
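Review bot: Removing `/archive/` from the ignore list means everything under that directory becomes tracked on the next `git add`, including older reports and audit notes that were never reviewed for publication. Run the repository's secret scan over `archive/` before its contents are first committed, and if only some subfolders are meant to be tracked, ignore the rest explicitly instead of dropping the rule outright.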
612 changes: 612 additions & 0 deletions CICD_AUDIT_2026-05-04.md

Large diffs are not rendered by default.

36 changes: 36 additions & 0 deletions CLAUDE.md
Expand Up @@ -108,6 +108,42 @@ PASSWORD | EMAIL_OTP | SMS_OTP | TOTP | FACE | VOICE | FINGERPRINT | HARDWARE_KE
- My Profile page (enrollments, activity, data export, KVKK/GDPR)
- Cross-device session management (view/revoke)

## Biometric Pipeline (CRITICAL — Read Before Touching biometric-processor or web-app auth)

**Architecture decision:** Auth kararı sunucuda olmalı — tarayıcı güvenilmez. Client geometry embedding (512-dim landmark distance) LOG-ONLY'dir, auth için kullanılmaz (D2 kararı).

### Gerçek Üretim Durumu (2026-04-28 afternoon, post-fix)
| Katman | Durum |
|---|---|
| Client detection (auth) | ✅ MediaPipe FaceLandmarker 478pt primary, BlazeFace fallback |
| Server detection | ✅ MTCNN (bundled weights, deviation from centerface roadmap due to DeepFace bug) |
| Server embedding | ✅ Facenet512 (512-dim) |
| Server liveness (/verify) | ✅ UniFace MiniFASNet passive — `LIVENESS_BACKEND=uniface`, `LIVENESS_MODE=passive` |
| Server liveness (/enroll) | ✅ Wired |
| Server anti-spoofing | ✅ `ANTI_SPOOFING_ENABLED=true` |
| Client passive liveness | ✅ `PASSIVE_LIVENESS_THRESHOLD=0.45` gate in useFaceChallenge |
| Client quality scoring | ✅ Bbox fallback when no landmarks; weights redistribute to blur*0.55+lighting*0.45 |
| pgvector search | ✅ Üretimde |
| Adaptive threshold | ✅ `VERIFICATION_THRESHOLD_AGED_*` for >2yr-old embeddings |

### Kural: Embedding Dimension Tutarlılığı
`FACE_RECOGNITION_MODEL` ile `EMBEDDING_DIMENSION` her zaman eşleşmeli:
- `Facenet` → `EMBEDDING_DIMENSION=128`
- `Facenet512` → `EMBEDDING_DIMENSION=512`
- Model değiştirince **tüm embeddingler geçersiz** — yeniden enrollment zorunlu

### Kural: GPU Gerektiren Modeller
`ALLOW_HEAVY_ML=false` (default) iken bu modeller boot'u engeller:
- `FACE_DETECTION_BACKEND`: `retinaface`, `yolov8`, `yolov11*`, `yolov12*`
- `FACE_RECOGNITION_MODEL`: `ArcFace`, `VGG-Face`, `GhostFaceNet`

CX43 CPU-only — GPU ihtiyacı doğmaz (Faz 1-3 roadmap CPU-safe).

### Kural: Liveness Entegrasyonu
`/liveness` endpoint'i ayrı çalışıyor. `/enroll` ve `/verify` liveness çağırmıyor — bu kasıtlı değil, açık bir boşluk. Faz 2'de düzeltilecek.

**Detay:** `archive/2026-04-pre-roadmap-2028/BIOMETRIC_PIPELINE_AUDIT_2026-04-28.md` | **Roadmap:** `archive/2026-04-pre-roadmap-2028/BIOMETRIC_ROADMAP_2026-04-28.md`

## Database

- Flyway migrations V1-V38 (identity-core-api; V37 tenant_id index, V38 SPA public client flip) + Alembic 0001-0004 (biometric-processor)
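Review bot: The status table and the "Kural: Liveness Entegrasyonu" rule contradict each other. The table marks "Server liveness (/verify)" and "Server liveness (/enroll)" as ✅, while the rule states that `/enroll` and `/verify` do not call liveness and that this is an open gap to be fixed in Faz 2. The section is headed CRITICAL and is meant to be read before touching auth code, so one of the two has to be corrected to the post-fix state; as written, a reader cannot tell whether enrollment and verification are liveness-gated in production. The section also mixes Turkish and English headings within an otherwise English file, which is worth settling on one language.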
144 changes: 144 additions & 0 deletions CLIENT_APPS_PARITY_PLAN_2026-04-28.md
@@ -0,0 +1,144 @@
# Client-Apps Parity & APK Release Plan — 2026-04-28

Research-only output from Team D. **Nothing was changed in code.** This
file captures the work for user review before implementation.

## 1. UI Parity Plan (≈5.5h work)

Goal: bring `client-apps` LoginScreen visually + behaviorally close to
`web-app/src/features/auth/components/LoginPage.tsx` and
`web-app/src/verify-app/HostedLoginApp.tsx`.

### Web reference visuals
- Background gradient: `linear-gradient(135deg, #667eea → #764ba2 → #f64f59)`, animated.
- Primary/button gradient: `#6366f1 → #8b5cf6`.
- Input bg: `#f8fafc` light, focus `#fff`. Text `#1a1a2e`. Border `rgba(0,0,0,0.23)`.
- Card: glassmorphism (white 0.95, blur 20px), 24px radius.
- Logo: 80×80 gradient box, white Fingerprint icon, shadow.
- TextField/Button radius: 12px.
- Motion: framer-motion staggered entry, logo 3D rotateY.
- Floating shapes: 5 glassmorphic circles (decorative).

### Client-apps current
- File: `client-apps/shared/src/commonMain/kotlin/com/fivucsas/shared/ui/screen/LoginScreen.kt` (441 lines), Material3.
- Theme: `AppColors.kt` Primary `#FF1976D2`, Secondary `#FF00ACC1`. No gradients.
- No card wrapper, no logo gradient block, no animations on form entry.

### Phase plan
| Phase | Work | Effort |
|---|---|---|
| 1 — Colors & Shapes | Update `AppColors.kt`: Primary `#6366F1`, Secondary `#8B5CF6`, add `WebGradientBg`/`WebPrimaryGradient` Brushes. Add `AppShapes.small = RoundedCornerShape(12.dp)`. Wrap LoginScreen in Card + add gradient logo box. | 2h |
| 2 — Form styling | Custom `OutlinedTextField` defaults: bg `#F8FAFC`, text `#1A1A2E`, 12dp radius. | 1.5h |
| 3 — Animations & polish | `AnimatedVisibility` + slide animations for form fields. White spinner color. Verify dark-mode behavior (recommend light-only for login). | 2h |

### Compose limitations / decisions needed
- **Glassmorphism** — Compose has no native `backdrop-filter: blur()`. Use solid white Card + elevation shadow. Acceptable.
- **Animated gradient** — CSS animation not portable. Use static gradient OR `animateFloat()` + offset (medium complexity). Recommend static for MVP.
- **Floating shapes** — Decorative; expensive on mobile. Defer.
- **Dark mode** — Web has no dark login. Recommend forcing light-only for `LoginScreen` (override LocalThemeMode in screen root).

## 2. APK Release Workflow Plan

### Current state
- `client-apps/.github/workflows/android-build.yml` (142 lines) — builds debug + release APKs but **does not sign the release** and **does not upload to GitHub Releases**. All historical APK uploads (v1.0.0–v5.2.0) were manual.
- `client-apps/androidApp/build.gradle.kts:23-108` — signing config already reads from env vars; no code change needed.
- **No GitHub repo secrets exist** for `ANDROID_KEYSTORE_BASE64`, `ANDROID_KEYSTORE_PASSWORD`, `ANDROID_KEY_ALIAS`, `ANDROID_KEY_PASSWORD`.

### What user must do (one-time)
1. Generate keystore locally:
```
keytool -genkey -v -keystore release.jks -keyalg RSA -keysize 2048 -validity 36500 \
-alias fivucsas \
-dname "CN=FIVUCSAS, OU=Engineering, O=Marmara University, C=TR" \
-storepass "<SECURE>" -keypass "<SECURE>"
```
2. Base64-encode: `base64 -i release.jks` (Linux/Mac) or PowerShell `[Convert]::ToBase64String([IO.File]::ReadAllBytes("release.jks"))`.
3. Add 4 GitHub repo secrets at `github.com/Rollingcat-Software/client-apps/settings/secrets/actions`:
- `ANDROID_KEYSTORE_BASE64` (the base64 string)
- `ANDROID_KEYSTORE_PASSWORD`
- `ANDROID_KEY_ALIAS` (= `fivucsas`)
- `ANDROID_KEY_PASSWORD`
4. **Never commit `release.jks` to git.** Store securely (e.g., `~/.android/keystore/`).

### Workflow YAML (to be added at `.github/workflows/android-release.yml`)

Triggers on `vX.Y.Z` tag push. Builds signed APK, uploads to GitHub Releases tagged with the same version.

```yaml
name: Android Release APK
on:
push:
tags: ['v[0-9]+.[0-9]+.[0-9]+']
workflow_dispatch:
inputs:
tag_name:
description: 'Release tag (e.g. v5.2.1)'
required: true
type: string
concurrency:
group: android-release-${{ github.ref }}
cancel-in-progress: false
env:
JAVA_VERSION: '21'
jobs:
build_and_release:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-java@v4
with: { java-version: 21, distribution: 'temurin' }
- uses: android-actions/setup-android@v3
- uses: gradle/actions/setup-gradle@v4
- name: Dummy google-services.json
run: |
cat > androidApp/google-services.json << 'EOF'
{"project_info":{"project_id":"fivucsas-ci-dummy"},"client":[{"client_info":{"android_client_info":{"package_name":"com.fivucsas.mobile"}}}],"configuration_version":"1"}
EOF
- name: Decode keystore
env:
ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
run: |
[ -z "$ANDROID_KEYSTORE_BASE64" ] && { echo "::error::keystore secret missing"; exit 1; }
mkdir -p "$RUNNER_TEMP/keystore"
printf '%s' "$ANDROID_KEYSTORE_BASE64" | base64 -d > "$RUNNER_TEMP/keystore/release.jks"
echo "ANDROID_KEYSTORE_PATH=$RUNNER_TEMP/keystore/release.jks" >> "$GITHUB_ENV"
- name: Build signed release APK
env:
ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
ANDROID_KEY_ALIAS: ${{ secrets.ANDROID_KEY_ALIAS }}
ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
run: ./gradlew :androidApp:assembleRelease --no-daemon
- name: Wipe keystore
if: always()
run: rm -f "$RUNNER_TEMP/keystore/release.jks"
- id: version
run: |
TAG="${{ github.ref_name }}"
echo "version_name=${TAG#v}" >> "$GITHUB_OUTPUT"
- uses: softprops/action-gh-release@v1
env: { GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}' }
with:
tag_name: ${{ github.ref_name }}
files: androidApp/build/outputs/apk/release/*.apk
body: |
## FIVUCSAS Mobile ${{ steps.version.outputs.version_name }}
Signed release APK. Suitable for direct distribution or Play submission.
Package: com.fivucsas.mobile
```

## 3. Open decisions (need user)

1. Dark mode for login: light-only or platform-dark? **Recommend: light-only.**
2. Animated gradient background: do or skip for MVP? **Recommend: skip, static gradient.**
3. Floating glassmorphic shapes: implement or defer? **Recommend: defer.**
4. Test the workflow on `v5.2.0-test` first or go straight to `v5.2.1`? **Recommend: test tag first.**
5. Keystore rotation policy: store rotation cadence (e.g., 12 months)? Document it.

## 4. Sequence I recommend the user follow

1. Approve the parity color/typography choices (or push back).
2. Generate the keystore locally; do NOT share it with anyone.
3. Add 4 GitHub secrets.
4. Approve me to commit the `android-release.yml` and apply the parity changes.
5. Push a `v5.2.0-test` tag, watch the workflow, delete the test release after.
6. Push `v5.2.1` for real.
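Review bot: In the proposed `android-release.yml`, the `workflow_dispatch` input `tag_name` is declared but never read. The version step and the `softprops/action-gh-release` step both use `${{ github.ref_name }}`, which on a manual run is the branch name, so a dispatch would publish a release named after the branch; use `${{ inputs.tag_name || github.ref_name }}` in both places. This matters for step 5 of the sequence, because the tag filter `'v[0-9]+.[0-9]+.[0-9]+'` does not match `v5.2.0-test`, so pushing that tag would not start the workflow and the manual path is the only way to run the test. Smaller points in the same file: `TAG="${{ github.ref_name }}"` interpolates the ref directly into the shell script and should be passed through `env:` instead; the job has no `permissions:` block and pins third-party actions by tag (`@v1`, `@v3`, `@v4`) although it handles the signing keystore, so set `permissions: contents: write` and pin to commit SHAs. In the keytool command, `-storepass` and `-keypass` on the command line leave both passwords in shell history; omit them and let keytool prompt.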