Skip to content

ops(bake-in): bump bio submodule + Operator Action #11 for volume cleanup#68

Closed
ahmetabdullahgultekin wants to merge 48 commits into
fix/2026-05-12-infra-hygienefrom
fix/2026-05-12-bake-mini-fasnet-models
Closed

ops(bake-in): bump bio submodule + Operator Action #11 for volume cleanup#68
ahmetabdullahgultekin wants to merge 48 commits into
fix/2026-05-12-infra-hygienefrom
fix/2026-05-12-bake-mini-fasnet-models

Conversation

@ahmetabdullahgultekin

Copy link
Copy Markdown
Contributor

Summary

Parent-side companion to bio repo PR
Rollingcat-Software/biometric-processor#104
which closes the 4th recurrence of feedback_readonly_rootfs_cache_dirs
(prior offenders: DeepFace, Numba, UniFace; now MiniFASNet).

  • Bumps biometric-processor submodule from 053e73d726d3c3
    (fix(docker): bake DeepFace/Facenet weights + self-healing cache volume).
  • Adds Operator Action item 11 to OPERATOR_ACTIONS_2026-05-12.md
    with the post-merge cleanup runbook + dependency-matrix update.

Why the bug existed

Bio container runs with read_only: true rootfs and a named volume
biometric_models mounted at /tmp/.deepface. The volume is created by
Docker owned by root:root. The app runs as uid 100. When DeepFace tries
to download MiniFASNet .pth weights on first inference it cannot write
the cache → silently degrades → anti-spoof verdict collapses to
false-positive.

Today's hot-fix manually docker cp'd the two .pth files into the
live volume. That fix was load-bearing on operator memory: next
docker volume rm would have re-triggered the bug.

What ships with the bio submodule bump

  • New model-fetcher Dockerfile builder stage downloads the four
    critical weight files with SHA256 verification at build time:
    • facenet512_weights.h5 (3f76b51...)
    • centerface.onnx (77e394b...)
    • 2.7_80x80_MiniFASNetV2.pth (a5eb02e...)
    • 4_0_0_80x80_MiniFASNetV1SE.pth (84ee1d3...)
  • deploy/entrypoint.sh runs as root, chowns /tmp/.deepface to
    100:101, seeds missing weights from /opt/baked-models/, then drops
    to uid 100 via gosu.
  • App user uid/gid pinned explicitly to 100/101.
  • .env.example documents DEEPFACE_FACENET512_SHA256 required by PR
    infra(submodule): bump web (suite green) #102 (DEEPFACE_SHA256_REQUIRED=true).

Operator Action item 11 (added here)

Post-rebuild cleanup runbook. Two paths:

  • A — Wipe & verify self-heal (recommended).

    cd /opt/projects/fivucsas/biometric-processor
    docker compose -f docker-compose.prod.yml --env-file .env.prod down biometric-api
    docker volume rm biometric-processor_biometric_models
    docker compose -f docker-compose.prod.yml --env-file .env.prod up -d biometric-api
    docker exec biometric-api ls -la /tmp/.deepface/.deepface/weights/
  • B — Keep & re-own the existing volume.

    chown -R 100:101 /var/lib/docker/volumes/biometric-processor_biometric_models/_data
    docker compose -f docker-compose.prod.yml --env-file .env.prod restart biometric-api

Acceptance: docker exec biometric-api stat -c '%u:%g' /tmp/.deepface/.deepface/weights/facenet512_weights.h5 returns 100:101.

Base branch

This PR targets fix/2026-05-12-infra-hygiene (the open PR #67 which
introduces OPERATOR_ACTIONS_2026-05-12.md). Once PR #67 merges to
master, this PR will retarget master automatically. The submodule
bump and the new item 11 are independent of items 1–10 and do not
conflict.

Test plan

  • After merge: rebuild bio image and verify the four SHA256 checks pass in the build log.
  • Run Operator Action item 11 path A (volume wipe) and confirm self-heal seeds the four model files with the documented SHAs.
  • Run a face /verify call against the testbed and confirm anti-spoof verdict no longer returns block due to missing MiniFASNet.
  • Confirm OPERATOR_ACTIONS_2026-05-12.md reads cleanly end-to-end and the dependency matrix lists 11 rows.

Memory references

  • feedback_readonly_rootfs_cache_dirs (4th sighting)
  • feedback_env_file_docker (commands use --env-file .env.prod)
  • feedback_git_push (bare git push -u origin <branch>)
  • reference_fivucsas_branch_model (parent integration is master, default main; targeted intermediate fix/2026-05-12-infra-hygiene because the OPERATOR_ACTIONS file is only on that branch today)

🤖 Generated with Claude Code

… cleanup

Closes loop on the 4th recurrence of feedback_readonly_rootfs_cache_dirs.
Bio repo PR (`fix/2026-05-12-bake-mini-fasnet-models`) bakes the four
DeepFace/Facenet weights into the image layer and adds an entrypoint
shim that chowns the cache volume to 100:101 + seeds missing weights
from /opt/baked-models on boot — so `docker volume rm` is now safe and
operator memory of the manual `docker cp` MiniFASNet workaround is no
longer load-bearing.

Parent changes:

- Bump `biometric-processor` submodule pointer to the merged tip
  (053e73d -> 726d3c3) with `fix(docker): bake DeepFace/Facenet weights
  + self-healing cache volume`. Includes new `model-fetcher` Dockerfile
  stage with SHA256 verification, deploy/entrypoint.sh shim with gosu
  privilege drop, explicit uid/gid 100/101 pinning, and `.env.example`
  documenting `DEEPFACE_FACENET512_SHA256` for the PR #102 runtime gate.

- Add Operator Action item 11 to OPERATOR_ACTIONS_2026-05-12.md with
  the post-merge cleanup runbook (Option A: wipe + verify self-heal;
  Option B: chown in place + restart). Updates the dependency matrix
  and execution-order recipe to thread item 11 between items 8 and 1.

No prod rebuild from this PR — operator owns deployment per the runbook
in item 11.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 12, 2026 21:03

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

ahmetabdullahgultekin and others added 26 commits May 16, 2026 07:20
…o main (#19 merged)

- CLAUDE.md Production URLs: new row for the browser anti-spoof tester
  at fivucsas.com/amispoof/.
- CLAUDE.md Key Commands: scp recipe for the amispoof bundle (rebuild
  + scp index.html + app.js + lib bundle to Hostinger).
- spoof-detector submodule bumped from eb154e3 → b04856d (PR #19 squash
  merge: TypeScript port + browser tester + full Aysenur algorithmic
  surface landed on main).

No changes to biometric-processor, identity-core-api, web-app submodule
pointers (their staged status pre-dates this commit).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
PR #20 — Browser-cache invalidation + measured-fps blink rate + smoothed
eyes_open. Follow-up to the Phase-3 merge (#19).
…warmup fix + lib cache-bust + gate smoother)
… Turkish-locale casing fix

User asked: are amispoof/spoof-detector/paper surfaced on fivucsas.com?
Adding the landing-page hooks now:

- Hero CTA row: amber/rose pill button → /amispoof/ (browser anti-spoof
  tester, /amispoof/ slug on fivucsas.com).
- Footer link row: amispoof + spoof-detector GitHub link (new) +
  rename FIVUCSAS GitHub link, keeping all existing rows.

Also fixes a Turkish-locale casing leak in the navbar tagline:
"identity · verified" was being uppercased by CSS text-transform
under <html lang="tr">, which applies Turkish casing rules and turned
lowercase "i" into "İ" (dotted capital I) — rendering as
"İDENTİTY · VERİFİED". Tagged the span lang="en" so the CSS engine
uses English casing rules regardless of the document lang. Added a
:lang(en) defensive rule in index.css so future English-tagged spans
inside Turkish pages get the same treatment.

Live: amispoof button appears on https://fivucsas.com/ once the JS
hydrates.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… normalization

Submodule spoof-detector dae24c8..4f601e7 (3 PRs, all merged to main):
  #25 fix(session): remove verdictLockedSpoof latch — live faces wrongly
       verdicted as SPOOF on slow-fps cameras (Chrome/Brave mobile @ ~9 fps).
       Wires LivenessProver into SessionEngine. Adds 7 regression tests on
       a previously-untested engine. 126 → 133 vitest green.
  #26 fix(amispoof): normalize displayed confidence to [0, 100] — engine
       confidence is structurally capped at 0.88, normalized at the display
       layer so a clearly-live face reads as 92% instead of 81%. Engine
       v.summary untouched (SDK consumers keep the raw scale).
  #27 fix(amispoof): also normalize on-screen verdict-text line — extracts
       a single displaySummary(v) helper so badge, on-screen text, and
       copy-to-clipboard all read the same number.

Verified live at https://fivucsas.com/amispoof/ at 2026-05-16 16:04 UTC.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…rs surfaced

Submodule spoof-detector 4f601e7..806b291 (PR #28):
  feat(amispoof): surface LivenessProver proof panel + 2 hidden analyzers

  - Added 2 analyzer rows to the panel (Face motion + Background grid)
    that were running but unrendered.
  - New "Liveness proof" panel reading detector.getProof(): total /100,
    per-axis bars (blink/landmark/rotation/expression/challenge points),
    active-challenge banner, yaw/pitch range seen in degrees,
    challenges passed/failed counter.
  - Per-row tooltips now include live per-region/per-axis details
    (eye_var/mouth_var/forehead_var, tremor_x/y, EAR + blink rate, etc).
  - Download report + Copy-to-clipboard include the proof payload.
  - Tiny additive SDK change: LivenessProof now exposes
    yaw_range_seen_deg + pitch_range_seen_deg. 133 vitest still green.

Verified live at https://fivucsas.com/amispoof/ at 2026-05-16 16:39 UTC.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Submodule spoof-detector 806b291..e6cd5d4 (PR #29):
  feat(prover): passive-only proctoring mode — track every movement, no challenges

  - 3 new passive movement axes (additive, no breaking change):
      eye_motion_points / 12, mouth_motion_points / 10, face_motion_points / 8
    sourced from LandmarkVarianceAnalyzer eye_var + mouth_var and
    TemporalAnalyzer motion (data was already computed, just unscored).
    Passive max 75 → 105; 60-pt proven-live threshold reachable from
    natural webcam observation alone.
  - Made 3 prover gates tunable via constructor options (Python defaults
    preserved): expressionRatioGate, rotationThreshold, landmarkVarThreshold.
  - SpoofDetector gains enableLivenessChallenges + livenessProverThresholds
    pass-through options.
  - amispoof switched to proctoring profile:
      enableLivenessChallenges: false
      livenessProverThresholds: { 0.4, 2.0°, 0.5 }
    UI hides ACTIVE CHALLENGES section + active-challenge banner; adds
    Eye/Mouth/Face motion proof-panel rows.
  - LivenessProver tests 10 → 16; full suite 133 → 139, all green.

Verified live at https://fivucsas.com/amispoof/ at 2026-05-16 16:45 UTC.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…clamp, visible bars

Submodule spoof-detector e6cd5d4..e359860 (PR #30):
  - SessionEngine: NO_BLINK_ALERT_SEC stretches linearly when measured
    fps < 15 (clamped at 4×). Eliminates the 2026-05-17 Chrome-mobile
    false positive where a real user blinking 22× had a
    "static-image attack suspected" incident in their ledger.
  - LivenessProver: estimateHeadPose() clamps per-frame yaw/pitch to
    ±60° to absorb degenerate MediaPipe outliers. yawRangeSeen now
    caps at 120° instead of 180° — fixes the "yaw 112.8°" display
    bug; score path unchanged (rotation_points already capped at 15).
  - amispoof CSS: display: block on .fill (was inline span, ignored
    width). Bars in all three score panels now render proportional
    fills instead of empty rails.
  - Tests: 5 new (139 → 144 green).

Verified live at https://fivucsas.com/amispoof/ at 2026-05-17 07:28 UTC.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ix unlock

Submodule spoof-detector e359860..99b6f36 (PR #31):
  feat(phase-A): unlock MediaPipe blendshapes + 3D matrix → 5 new
  analyzers + 5 new proof axes

  - Flipped outputFaceBlendshapes + outputFacialTransformationMatrixes
    to true on the existing FaceLandmarker (zero new model load).
  - Extended FaceROI with optional blendshapes (Map<string, number>)
    and transformMatrix (Float32Array, 16 floats).
  - Added 5 main-thread analyzers (Eyebrow, BlinkSymmetry, Gaze,
    ExpressionDynamics, Pose3DConsistency) reading directly from the
    new blendshape + matrix data.
  - Added 5 LivenessProver passive axes: eyebrow_motion (cap 8),
    blink_symmetry (cap 6, corr≥0.7), gaze_variation (cap 8),
    expression_dynamics (cap 8), pose_3d_consistency (cap 6).
    Passive ceiling 105 → 141 pts.
  - amispoof UI: 5 new analyzer rows, 5 new proof panel rows,
    per-row detail tooltips for the new analyzers.
  - Bundle delta: +3.4 kB gz (plan budget +10).
  - Tests 144 → 176 green.

Verified live at https://fivucsas.com/amispoof/ at 2026-05-17 07:50 UTC.
First phase of the multi-signal liveness roadmap; Phases B–D queued.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…alyzer

PR #32: BehavioralPatternAnalyzer + behavioral_pattern_points axis.
Passive ceiling 141 → 151. Tests 176 → 183 green.
Verified live at https://fivucsas.com/amispoof/ at 2026-05-17 08:02 UTC.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…re drift

PR #33: TextureAnalyzer gains a 300-frame ring buffer of mean HSV per
face crop; folds into existing texture score via rebalanced weights
(0.35/0.27/0.27/0.11). No new proof axis (per plan). Tests 183 → 187.
Operator note: also need to scp the regenerated lazy chunks
spoof-detector-TextureAnalyzer-*.js to Hostinger (CLAUDE.md deploy
runbook is missing this; fixed manually for PR #33).
Verified live at https://fivucsas.com/amispoof/ at 2026-05-17 08:06 UTC.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ground motion

PR #34. Optional MediaPipe SelfieSegmenter (~250 KB) lazy-loaded;
BackgroundMotionAnalyzer rate-limited 1/5 frames; new axis
background_motion_points (cap 8). Passive ceiling 151 → 159.
Tests 187 → 193 green. Verified live at fivucsas.com/amispoof/.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
PR #35. Optional MediaPipe HandLandmarker (~6 MB) lazy-loaded;
HandTrackingAnalyzer rate-limited 1/4 frames; new axis
hand_naturalness_points (cap 8). Passive ceiling 159 → 167.
amispoof opt-in via ?hand=1 URL param. Tests 193 → 199 green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
PR #36 completes Phases A-D of the multi-signal roadmap. AudioCapture
(Web Audio API, rolling RMS), VoiceActivityAnalyzer, AudioMouthSyncAnalyzer.
New axes voice_activity_points (cap 6) + audio_mouth_sync_points (cap 12).
Passive ceiling 167 → 185. amispoof gets a 🎤 button. Tests 199 → 209 green.
Verified live at fivucsas.com/amispoof/ at 2026-05-17 08:18 UTC.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…l-clock rate

PR #37 fixes two correctness bugs surfaced in the post-Phase-D3 mobile
trace: Pose3DConsistencyAnalyzer was reading the transform matrix as
row-major (MediaPipe is column-major; tz was always 0); GazeAnalyzer
saccade rate divided by historyLen/30 (inflated 3.3× on mobile).
Tests 209 → 212 green. Verified live at fivucsas.com/amispoof/.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…m head pose

PR #38: re-routes eye_motion_points + mouth_motion_points from raw
landmark variance (head-pose contaminated) to face-relative blendshape
stddevs (blink_symmetry + gaze + expression_dynamics). Tests 212 → 214.
Verified live at fivucsas.com/amispoof/ at 2026-05-17 08:43 UTC.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…lity pause

PR #39: blink_points becomes a rolling 60s rate (decays if blinking
stops), amispoof loop skips analyzeFrame() while document.hidden
(closes the backgrounded-tab static-incident false positive + the
proctoring backdoor where stale frames kept reporting LIVE).
Tests 214 → 217 green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…+ recorder

PR #40 (UI-only): bench gets a HEAD-probe preflight and explains
'samples not bundled' instead of a stack trace; new ✋ Hand toggle
button mirrors the 🎤 Mic button two-step UX; new ⏺ Record session
button captures MediaRecorder webm + per-frame analytics JSON
downloads on stop. No SDK changes, 217 tests still green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
PR #41 (UI-only): camera-recovery on visibility-return (fixes the
'face frozen after backgrounding' bug from PR #39 — mobile suspends
MediaStreamTrack, we now call play()/re-acquire); tighter SEO meta
description (Google snippet ready); in-page replay UI loads recorded
session JSON and shows verdict + proof timeline. No SDK changes,
217 tests still green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
PR #42: shortened all button labels (titles preserved) so they fit on
mobile widths; added ?autorec=1 URL param that auto-starts MediaRecorder
on session Start and auto-stops on session Stop. No SDK changes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…aper §10.1 update

PR #43: fixes mobile NotFoundError on .json replay file pick (FileReader
snapshot instead of Blob.text); refreshes paper conclusion §10.1 to
reflect the current 19-analyzer / 15-axis / 173 kB browser bundle state
plus README count update.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…paper §7.6

PR #44: docs-only. Operator runbook for amispoof.fivucsas.com migration
(accounts for TurkTicaret-registered + Hostinger-hosted topology) plus
.htaccess 301 template plus paper §7.6 refresh (projection → measured).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
PR #45 (docs only). Per user direction, the academic paper now leads
with the browser/client-side bundle as the primary deliverable and
documents the Python reference as the prototyping starting point +
evaluation harness rather than the production target. No empirical
claims changed; §6-§8 evaluation still produced by Python because
the dataset benchmarks live there.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ahmetabdullahgultekin and others added 14 commits May 17, 2026 09:45
PR #46 in spoof-detector flips canonical/og:url/JSON-LD to
amispoof.fivucsas.com. Deployed to both locations. Old URL serves
a 301 via Hostinger .htaccess. Also updated this CLAUDE.md to
document the new deploy commands + the 301 fallback path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Migrated 2026-05-17. The src/App.tsx had two anchors pointing to the
old /amispoof/ relative path which served from fivucsas.com/amispoof/
(now 301s to the subdomain). Updated both to absolute
https://amispoof.fivucsas.com/ with target=_blank + rel=noopener for
the SEO/UX signal. Rebuilt + deployed to Hostinger.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…lease tag

PR #48 + #49: real 1200x630 og:image, ROADMAP refresh, package.json
bumped 0.1.0 → 0.3.0, GitHub release v0.3.0 published. Tier 1.5
complete (A og:image + B ROADMAP + C release tag).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… roadmap tooling

PR #50: surfaces 'Am I spoof?' query intent across title/h1/meta/og/twitter,
adds FAQPage JSON-LD with 5 Q&A entries for natural-language SERP visibility,
documents analytics + error-tracking + Cloudflare next-steps in ROADMAP.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Hardens amispoof.fivucsas.com replay loader against Android Chrome 148
picker-handle revocation: snapshotFile() races Blob.arrayBuffer() and
FileReader in parallel inside the change handler, drag-and-drop on
#replayPanel, clipboard-paste fallback when both readers fail.
Version 2026-05-18-replayfix deployed to Hostinger.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…sas.com root

Previously verify.fivucsas.com served a noindex shell that was blank for
direct visitors. Now the index.html ships a static landing block
(#verify-landing) with brand, value prop, 3 method cards, 10 auth-method
pills, integration snippet, footer — visible to crawlers and direct
visitors. React main.tsx sets #verify-root[data-mounted=true] on first
paint; a CSS sibling selector hides the landing for iframe/OAuth consumers
with no flash. Robots lifted to "index, follow"; added description,
canonical, og, twitter, JSON-LD SoftwareApplication. /login behaviour
unchanged — same shell, React routes to HostedLoginApp.

Deployed: docker compose build verify-widget && up -d. Image f7af736a.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes the cross-site navigation gap supervisor flagged (couldn't
navigate from demo to landing). Two scoped changes:

* bys-demo/index.html: replaces dead onclick="return false;" placeholders
  in the utility-bar with real links to landing + Dashboard + Widget +
  amispoof + Status.
* spoof-detector bump 310b746: adds same suite-bar to amispoof page,
  which previously had no outbound link to any sister site.

(web-app dashboard sidebar also got the suite-bar, in feature branch
fix/2026-05-12-liveness-and-puzzles — parent pointer not bumped here
since that branch has unrelated in-flight work; will land via PR.)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…emo subpages + download)

Earlier today's nav-fix only covered top-level pages. Audit found 7
surfaces still missing cross-site links. This commit closes the gap:

* docs.fivucsas.com (4 pages: index + identity + biometric + sdk) —
  recreated the docs-site/ source dir which had been deleted (extracted
  Dockerfile + nginx.conf + html/ + compose from the running fivucsas-docs
  container), patched each HTML with the suite-bar, rebuilt + redeployed.
* bys-demo callback.html + dashboard.html + test-elements.html — suite-bar
  block injected right after <body>. Previously only index.html had nav.
* landing-website/public/download.html — extended primary nav with
  amispoof + Widget + Status links (was missing).

Also corrected an earlier mis-statement: status.fivucsas.com is NOT an
external service — it's our self-hosted Uptime Kuma at
/opt/projects/uptime-kuma/, multi-hosted on the same container as
status.rollingcatsoftware.com via Traefik label.

8 surfaces verified live with the suite-bar.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pulls in practice-and-test/8e9bb5b which removes build artifacts (gradle-temp,
old report zips, regeneratable demo output) + abandoned R&D dirs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…te fixes)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
links-website/ (links.fivucsas.com hub): API tile now points to /swagger-ui.html instead of the raw API root (which returned a bare 401); real Turkish translations for the Ahmet/Ayşe role labels (were English under lang=tr, which Turkish-uppercased Latin i into dotted İ); de-mixed the Grafana tooltip; Ayşe Gülsüm GitHub @aysegulsum + ayse.gulsum@marun.edu.tr; Ayşenur aysenurarici@marun.edu.tr.

poster (FIVUCSAS_Poster_v3.html + landing-website/public/poster/files/fivucsas-poster.html): add marun.edu.tr academic emails + Gülsüm GitHub to the author contact block.

Bump spoof-detector + practice-and-test submodule pointers (attribution-doc commits).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Swagger is admin-IP gated (works for operator/VPN/Marmara campus, 403 for public). Keep the tile clickable but add a 'kısıtlı'/'gated' badge + tooltip so the restriction is visible — a middle tier between fully-public tiles and the disabled (no-public-DNS) Grafana card.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Re-rendered from fivucsas-poster.html (headless Chrome, A0 841×1189mm) so the binaries match the updated author contact block (marun.edu.tr emails + github.com/aysegulsum). PDF 1pp A0 558KB; PNG 3179×4494px.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ahmetabdullahgultekin and others added 7 commits May 21, 2026 14:11
The ASCII slug aysenur-arici 404s; restore the originally-provided ayşenur-arıcı (percent-encoded ay%C5%9Fenur-ar%C4%B1c%C4%B1). LinkedIn blocks server-side verification (999), so this needs a browser confirm.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…cs-site, verify-widget)

Poster suite: POSTER_BRIEF.md + landing-website/public/poster/ (viewer, brief, presentation script, assets) + poster/ design brief + script + assets + 4 style variants (showcase/visual).

bys-demo / docs-site / verify-widget: complete the TR/EN language switcher + data-tr/data-en i18n (matches the links-hub pattern; toggles <html lang> so locale-aware uppercasing is correct).

Deliberately EXCLUDES node_modules/ and the WIP submodule pointer bumps (biometric-processor / identity-core-api / web-app fix branches; web-app is -dirty) so no WIP submodule state ships to master.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…commands

Status carry-forward for the links hub / poster / attribution / i18n work; add links-website/ to Repository Structure; add links-hub + poster-regeneration deploy commands; note api.fivucsas.com gate behavior (401 root / 403 swagger / 200 OIDC discovery).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…aveat

Documents the verify-widget Docker deploy (was missing from Key Commands) and
the VITE_API_BASE_URL/envDir requirement whose absence blanked /login for ~11
days (env.ts fail-fast threw at boot). See web-app PR #98.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… (2026-05-28)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Roll the redesigned <fivucsas-launcher> (app.fivucsas.com/launcher.js) out
to demo, docs (+biometric/identity/sdk), and landing; delete each site's
bespoke "FIVUCSAS suite" cross-site bar and per-site EN/TR switch so there
is one global toggle. Static sites localize via html[data-lang]; landing
(React) listens for the launcher's fivucsas:languagechange event. bys-demo
keeps its simulated-portal content; links stays as the hub. Also commits
the demo widget museum note.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
app.fivucsas.com serves .js as immutable; a shared stable URL is needed so
all sites hit the same cache entry. Bump retires existing immutable copies;
launcher.js itself is moved to a revalidating cache (web-app .htaccess) so
future updates propagate without further ?v= bumps.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@ahmetabdullahgultekin

Copy link
Copy Markdown
Contributor Author

Superseded: the bio submodule bump (053e73d→726d3c3) + Operator Action #11 already landed on master via #69; residual commits already shipped via #74. Closing.

ahmetabdullahgultekin added a commit that referenced this pull request May 28, 2026
api rebuilt (8 security fixes live + JWT-aud env fix + #112 go-offline fix);
scan merges (#70/#94/#101/#102/#99 + bio #104/#106/#108/#109), closes
(#18/#68/#107), and holds (#105/#90/#54/#56); card detection now client-side
but the deployed model is the 51MB YOLOv8m — Ayşenur's 12MB nano binary is
not in the repo (gitignored) and must be delivered.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ahmetabdullahgultekin added a commit that referenced this pull request May 30, 2026
…/P2-1/P2-2/P0-2b + frontend tests) (#101)

- identity-core-api → 3180c5c: P1-1 isolation ITs CI gate (#155) + unit-test mocks
  (#156) + P1-5 V29/V40/V41 DR-safety fix (#157, deployed w/ flyway repair).
- web-app → c5fc878: 80 frontend edge-case specs (#133, 831→911) locking the
  consent-path + userType-authority regressions.
- biometric-processor → 4b956d4: P2-2 bio CI honestly green (#124-#129) + P0-2b
  canonical digest-pinned reproducible build (#125, DEPLOYED — segfault retired).
spoof-detector #68 (P2-1 integrity) + parent #100 (P2-3 runbooks) also merged.

Co-authored-by: Ahmet Abdullah Gultekin <rollingcat.help@gmail.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ahmetabdullahgultekin added a commit that referenced this pull request May 30, 2026
…30 + bump submodule pointers (#103)

Records the merged+deployed 2026-05-30 stabilize-&-harden backlog (P0-1/P0-2/P0-2b,
P1-1..P1-5, P2-1/P2-2/P2-3 + frontend tests) as COMPLETE in ROADMAP.md + CHANGELOG.md,
with the two remaining operator follow-ups (branch-protection IT status check;
execute OPERATOR_SECURITY_RUNBOOKS.md). Existing 2026-05-30 Identity/ROOT entries
left intact.

Submodule pointer bumps to each origin/main (doc-only PRs just merged + spoof-detector
#68 results-integrity):
- identity-core-api -> 0c50841 (#158 P1-1/P1-5 operator-reality docs)
- biometric-processor -> 84a4f4c (#130 P0-2b/P2-2 changelog)
- spoof-detector      -> 851d4d2 (#68 results-integrity cleanup, P2-1)
- web-app             -> 8d08646 (#135 frontend-tests changelog)

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants