
Integrate 2026-05-12 branch into master: links hub, poster, docs-site, Traefik, amispoof subdomain #69

Merged
ahmetabdullahgultekin merged 46 commits into master from fix/2026-05-12-bake-mini-fasnet-models
May 21, 2026

@ahmetabdullahgultekin

Summary

Integrates the fix/2026-05-12-bake-mini-fasnet-models working branch into master — 41 commits, ~+7,831 / −14 across 35 files. Combines today's links-hub / poster / attribution work with the accumulated 2026-05-12 branch work (docs-site, Traefik, amispoof subdomain migration, cross-site nav, operator actions).

What's included

Links hub (links.fivucsas.com) — new

  • New links-website/ static hub (+ QR assets).
  • API tile now points to /swagger-ui.html (was the raw API root → bare 401) with a gated / kısıtlı badge + tooltip — Swagger is admin-IP gated (operator / VPN / Marmara campus).
  • Turkish i18n fixes: real TR role translations (English text under lang="tr" was İ-mangling Latin i via locale-aware text-transform:uppercase); de-mixed the Grafana tooltip.

Poster (fivucsas.com/poster/)

  • Author contact block: added marun.edu.tr academic emails + github.com/aysegulsum.
  • Regenerated A0 PDF (1 page, 2383.92×3370.08 pt) + preview PNG (3179×4494 px) from the updated HTML.

Attribution (submodule bumps)

  • spoof-detector + practice-and-test: confirm Ayşe Gülsüm Eren's GitHub @aysegulsum + academic email across AUTHORS / ATTRIBUTION / research / iBeta docs. Forensic git-author records (real commit emails) left intact.

Prior 2026-05-12 branch work

  • docs-site/: new static docs site (identity + biometric OpenAPI, SDK, nginx/Docker).
  • infra/traefik/: dynamic config + XFF strip + README.
  • spoof-detector: subdomain migration to amispoof.fivucsas.com (301 from old path), proctoring phases A–D, SEO, replay fixes, paper updates (many pointer bumps).
  • cross-site nav: suite-bar across landing, bys-demo, amispoof, docs, download, verify-widget.
  • verify-widget: static landing block + SEO for verify.fivucsas.com root.
  • operator actions: OPERATOR_ACTIONS_2026-05-12.md + bio submodule bump.

Notes

🤖 Generated with Claude Code

ahmetabdullahgultekin and others added 30 commits May 12, 2026 17:40
P1 hygiene from 2026-05-12 senior reviews (backend, DB, infra, security):

* infra/traefik: vendored copy of /opt/projects/infra/traefik/config/
  with forwardedHeaders.trustedIPs: [] on both :80 and :443 entryPoints.
  RateLimitInterceptor.getClientIP in identity-core-api consumes
  `XFF.split(",")[0]` so the prior config (no forwardedHeaders block)
  let an attacker bypass every per-IP bucket (login, MFA, biometric,
  qr-generate) by setting their own X-Forwarded-For. Empty trustedIPs
  causes Traefik to strip incoming XFF and write its own using the peer
  IP. Internal Docker bridge (172.20.0.0/24) is NOT trusted because
  external clients never connect from that range — only Docker-network
  containers, and those don't set XFF. README.md documents the
  vendored-vs-live split and the sync workflow.

* OPERATOR_ACTIONS_2026-05-12.md: 5 items agents shouldn't autonomously
  execute. Per-item severity, blast radius, maintenance window,
  dependencies, explicit commands:
    1. audit_logs partman bootstrap (V57 was a silent no-op; runbook
       at infra/RUNBOOK_AUDIT_LOG_PARTMAN.md prepped Option A image)
    2. RLS theatre (V25 left FORCE commented; 9 tables relforcerowsecurity=f;
       app role is postgres superuser → RLS bypassed)
    3. web-app/.env.production still byte-identical to leaked literal
       6bdedd2; live bundle is clean but rebuild-from-tree would regress
    4. parent main fast-forward: master 220 ahead, main 134 ahead but
       all already merged via PR #51 — `git push origin master:main
       --force-with-lease` reconciles
    5. HS512 kid hs-2026-04 revocation pending Team Auth-Java PR;
       rebuild api container after merge

Companion api PR fix/2026-05-12-infra-hygiene ships V61 NOT NULL for
audit_logs.tenant_id (locks down the V59 backfill).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
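
The client-IP derivation this commit message describes, as an added example in JavaScript (not code from identity-core-api or Traefik): a proxy that forwards a client-supplied X-Forwarded-For is compared with one that strips and rewrites it, with a per-IP limiter keyed the way the message quotes. The proxy models, limiter class, addresses and limit are assumptions constructed for illustration.

```javascript
'use strict';
// Added example: a model, not Traefik's or identity-core-api's code.
// All request data is constructed and uses documentation address ranges.

// Proxy model 1: keeps a client-supplied X-Forwarded-For and appends the peer.
function passThrough(peerIp, headers) {
  const inbound = headers['x-forwarded-for'];
  return { ...headers, 'x-forwarded-for': inbound ? `${inbound}, ${peerIp}` : peerIp };
}

// Proxy model 2: the behaviour the commit message describes for an empty
// trustedIPs list. Inbound XFF is discarded and replaced with the peer IP.
function stripAndRewrite(peerIp, headers) {
  return { ...headers, 'x-forwarded-for': peerIp };
}

// Key derivation as quoted in the commit message: XFF.split(",")[0].
function clientIpFirstHop(headers) {
  return (headers['x-forwarded-for'] || '').split(',')[0].trim();
}

// Derivation that does not rely on the proxy stripping input: walk the list
// from the right and return the first address that is not one of our own
// proxies. Everything to the left of it is client-controlled.
function clientIpRightmostUntrusted(headers, ownProxies) {
  const hops = (headers['x-forwarded-for'] || '')
    .split(',').map((h) => h.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!ownProxies.has(hops[i])) return hops[i];
  }
  return hops.length ? hops[0] : null; // every hop was ours, or no header
}

// Minimal per-key counter standing in for a per-IP rate-limit bucket.
class PerIpLimiter {
  constructor(limit) { this.limit = limit; this.counts = new Map(); }
  allow(key) {
    const n = (this.counts.get(key) || 0) + 1;
    this.counts.set(key, n);
    return n <= this.limit;
  }
}

// Replays requests through a proxy model and reports how many passed the
// limiter and how many distinct buckets were created.
function simulate(proxy, deriveKey, requests, limit) {
  const limiter = new PerIpLimiter(limit);
  let allowed = 0;
  for (const { peerIp, headers } of requests) {
    if (limiter.allow(deriveKey(proxy(peerIp, headers)))) allowed++;
  }
  return { allowed, buckets: limiter.counts.size };
}

// Constructed sample: 20 requests from ONE peer, each carrying a different
// client-supplied X-Forwarded-For value. Limit is 5 per bucket.
const PEER = '203.0.113.7';
const LIMIT = 5;
const REQUESTS = Array.from({ length: 20 }, (_, i) => ({
  peerIp: PEER,
  headers: { 'x-forwarded-for': `198.51.100.${i + 1}` },
}));

function report() {
  return {
    passThroughFirstHop: simulate(passThrough, clientIpFirstHop, REQUESTS, LIMIT),
    stripFirstHop: simulate(stripAndRewrite, clientIpFirstHop, REQUESTS, LIMIT),
    passThroughRightmost: simulate(
      passThrough, (h) => clientIpRightmostUntrusted(h, new Set()), REQUESTS, LIMIT),
  };
}

console.log(report());
```

With the first-entry key, the limiter only holds when the proxy discards inbound XFF; the rightmost-untrusted derivation keeps one bucket per peer under either proxy model.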
… cleanup

Closes loop on the 4th recurrence of feedback_readonly_rootfs_cache_dirs.
Bio repo PR (`fix/2026-05-12-bake-mini-fasnet-models`) bakes the four
DeepFace/Facenet weights into the image layer and adds an entrypoint
shim that chowns the cache volume to 100:101 + seeds missing weights
from /opt/baked-models on boot — so `docker volume rm` is now safe and
operator memory of the manual `docker cp` MiniFASNet workaround is no
longer load-bearing.

Parent changes:

- Bump `biometric-processor` submodule pointer to the merged tip
  (053e73d -> 726d3c3) with `fix(docker): bake DeepFace/Facenet weights
  + self-healing cache volume`. Includes new `model-fetcher` Dockerfile
  stage with SHA256 verification, deploy/entrypoint.sh shim with gosu
  privilege drop, explicit uid/gid 100/101 pinning, and `.env.example`
  documenting `DEEPFACE_FACENET512_SHA256` for the PR #102 runtime gate.

- Add Operator Action item 11 to OPERATOR_ACTIONS_2026-05-12.md with
  the post-merge cleanup runbook (Option A: wipe + verify self-heal;
  Option B: chown in place + restart). Updates the dependency matrix
  and execution-order recipe to thread item 11 between items 8 and 1.

No prod rebuild from this PR — operator owns deployment per the runbook
in item 11.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…o main (#19 merged)

- CLAUDE.md Production URLs: new row for the browser anti-spoof tester
  at fivucsas.com/amispoof/.
- CLAUDE.md Key Commands: scp recipe for the amispoof bundle (rebuild
  + scp index.html + app.js + lib bundle to Hostinger).
- spoof-detector submodule bumped from eb154e3 → b04856d (PR #19 squash
  merge: TypeScript port + browser tester + full Aysenur algorithmic
  surface landed on main).

No changes to biometric-processor, identity-core-api, web-app submodule
pointers (their staged status pre-dates this commit).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
PR #20 — Browser-cache invalidation + measured-fps blink rate + smoothed
eyes_open. Follow-up to the Phase-3 merge (#19).
…warmup fix + lib cache-bust + gate smoother)
… Turkish-locale casing fix

User asked: are amispoof/spoof-detector/paper surfaced on fivucsas.com?
Adding the landing-page hooks now:

- Hero CTA row: amber/rose pill button → /amispoof/ (browser anti-spoof
  tester, /amispoof/ slug on fivucsas.com).
- Footer link row: amispoof + spoof-detector GitHub link (new) +
  rename FIVUCSAS GitHub link, keeping all existing rows.

Also fixes a Turkish-locale casing leak in the navbar tagline:
"identity · verified" was being uppercased by CSS text-transform
under <html lang="tr">, which applies Turkish casing rules and turned
lowercase "i" into "İ" (dotted capital I) — rendering as
"İDENTİTY · VERİFİED". Tagged the span lang="en" so the CSS engine
uses English casing rules regardless of the document lang. Added a
:lang(en) defensive rule in index.css so future English-tagged spans
inside Turkish pages get the same treatment.

Live: amispoof button appears on https://fivucsas.com/ once the JS
hydrates.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… normalization

Submodule spoof-detector dae24c8..4f601e7 (3 PRs, all merged to main):
  #25 fix(session): remove verdictLockedSpoof latch — live faces wrongly
       verdicted as SPOOF on slow-fps cameras (Chrome/Brave mobile @ ~9 fps).
       Wires LivenessProver into SessionEngine. Adds 7 regression tests on
       a previously-untested engine. 126 → 133 vitest green.
  #26 fix(amispoof): normalize displayed confidence to [0, 100] — engine
       confidence is structurally capped at 0.88, normalized at the display
       layer so a clearly-live face reads as 92% instead of 81%. Engine
       v.summary untouched (SDK consumers keep the raw scale).
  #27 fix(amispoof): also normalize on-screen verdict-text line — extracts
       a single displaySummary(v) helper so badge, on-screen text, and
       copy-to-clipboard all read the same number.

Verified live at https://fivucsas.com/amispoof/ at 2026-05-16 16:04 UTC.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…rs surfaced

Submodule spoof-detector 4f601e7..806b291 (PR #28):
  feat(amispoof): surface LivenessProver proof panel + 2 hidden analyzers

  - Added 2 analyzer rows to the panel (Face motion + Background grid)
    that were running but unrendered.
  - New "Liveness proof" panel reading detector.getProof(): total /100,
    per-axis bars (blink/landmark/rotation/expression/challenge points),
    active-challenge banner, yaw/pitch range seen in degrees,
    challenges passed/failed counter.
  - Per-row tooltips now include live per-region/per-axis details
    (eye_var/mouth_var/forehead_var, tremor_x/y, EAR + blink rate, etc).
  - Download report + Copy-to-clipboard include the proof payload.
  - Tiny additive SDK change: LivenessProof now exposes
    yaw_range_seen_deg + pitch_range_seen_deg. 133 vitest still green.

Verified live at https://fivucsas.com/amispoof/ at 2026-05-16 16:39 UTC.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Submodule spoof-detector 806b291..e6cd5d4 (PR #29):
  feat(prover): passive-only proctoring mode — track every movement, no challenges

  - 3 new passive movement axes (additive, no breaking change):
      eye_motion_points / 12, mouth_motion_points / 10, face_motion_points / 8
    sourced from LandmarkVarianceAnalyzer eye_var + mouth_var and
    TemporalAnalyzer motion (data was already computed, just unscored).
    Passive max 75 → 105; 60-pt proven-live threshold reachable from
    natural webcam observation alone.
  - Made 3 prover gates tunable via constructor options (Python defaults
    preserved): expressionRatioGate, rotationThreshold, landmarkVarThreshold.
  - SpoofDetector gains enableLivenessChallenges + livenessProverThresholds
    pass-through options.
  - amispoof switched to proctoring profile:
      enableLivenessChallenges: false
      livenessProverThresholds: { 0.4, 2.0°, 0.5 }
    UI hides ACTIVE CHALLENGES section + active-challenge banner; adds
    Eye/Mouth/Face motion proof-panel rows.
  - LivenessProver tests 10 → 16; full suite 133 → 139, all green.

Verified live at https://fivucsas.com/amispoof/ at 2026-05-16 16:45 UTC.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…clamp, visible bars

Submodule spoof-detector e6cd5d4..e359860 (PR #30):
  - SessionEngine: NO_BLINK_ALERT_SEC stretches linearly when measured
    fps < 15 (clamped at 4×). Eliminates the 2026-05-17 Chrome-mobile
    false positive where a real user blinking 22× had a
    "static-image attack suspected" incident in their ledger.
  - LivenessProver: estimateHeadPose() clamps per-frame yaw/pitch to
    ±60° to absorb degenerate MediaPipe outliers. yawRangeSeen now
    caps at 120° instead of 180° — fixes the "yaw 112.8°" display
    bug; score path unchanged (rotation_points already capped at 15).
  - amispoof CSS: display: block on .fill (was inline span, ignored
    width). Bars in all three score panels now render proportional
    fills instead of empty rails.
  - Tests: 5 new (139 → 144 green).

Verified live at https://fivucsas.com/amispoof/ at 2026-05-17 07:28 UTC.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ix unlock

Submodule spoof-detector e359860..99b6f36 (PR #31):
  feat(phase-A): unlock MediaPipe blendshapes + 3D matrix → 5 new
  analyzers + 5 new proof axes

  - Flipped outputFaceBlendshapes + outputFacialTransformationMatrixes
    to true on the existing FaceLandmarker (zero new model load).
  - Extended FaceROI with optional blendshapes (Map<string, number>)
    and transformMatrix (Float32Array, 16 floats).
  - Added 5 main-thread analyzers (Eyebrow, BlinkSymmetry, Gaze,
    ExpressionDynamics, Pose3DConsistency) reading directly from the
    new blendshape + matrix data.
  - Added 5 LivenessProver passive axes: eyebrow_motion (cap 8),
    blink_symmetry (cap 6, corr≥0.7), gaze_variation (cap 8),
    expression_dynamics (cap 8), pose_3d_consistency (cap 6).
    Passive ceiling 105 → 141 pts.
  - amispoof UI: 5 new analyzer rows, 5 new proof panel rows,
    per-row detail tooltips for the new analyzers.
  - Bundle delta: +3.4 kB gz (plan budget +10).
  - Tests 144 → 176 green.

Verified live at https://fivucsas.com/amispoof/ at 2026-05-17 07:50 UTC.
First phase of the multi-signal liveness roadmap; Phases B–D queued.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…alyzer

PR #32: BehavioralPatternAnalyzer + behavioral_pattern_points axis.
Passive ceiling 141 → 151. Tests 176 → 183 green.
Verified live at https://fivucsas.com/amispoof/ at 2026-05-17 08:02 UTC.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…re drift

PR #33: TextureAnalyzer gains a 300-frame ring buffer of mean HSV per
face crop; folds into existing texture score via rebalanced weights
(0.35/0.27/0.27/0.11). No new proof axis (per plan). Tests 183 → 187.
Operator note: also need to scp the regenerated lazy chunks
spoof-detector-TextureAnalyzer-*.js to Hostinger (CLAUDE.md deploy
runbook is missing this; fixed manually for PR #33).
Verified live at https://fivucsas.com/amispoof/ at 2026-05-17 08:06 UTC.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ground motion

PR #34. Optional MediaPipe SelfieSegmenter (~250 KB) lazy-loaded;
BackgroundMotionAnalyzer rate-limited 1/5 frames; new axis
background_motion_points (cap 8). Passive ceiling 151 → 159.
Tests 187 → 193 green. Verified live at fivucsas.com/amispoof/.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
PR #35. Optional MediaPipe HandLandmarker (~6 MB) lazy-loaded;
HandTrackingAnalyzer rate-limited 1/4 frames; new axis
hand_naturalness_points (cap 8). Passive ceiling 159 → 167.
amispoof opt-in via ?hand=1 URL param. Tests 193 → 199 green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
PR #36 completes Phases A-D of the multi-signal roadmap. AudioCapture
(Web Audio API, rolling RMS), VoiceActivityAnalyzer, AudioMouthSyncAnalyzer.
New axes voice_activity_points (cap 6) + audio_mouth_sync_points (cap 12).
Passive ceiling 167 → 185. amispoof gets a 🎤 button. Tests 199 → 209 green.
Verified live at fivucsas.com/amispoof/ at 2026-05-17 08:18 UTC.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…l-clock rate

PR #37 fixes two correctness bugs surfaced in the post-Phase-D3 mobile
trace: Pose3DConsistencyAnalyzer was reading the transform matrix as
row-major (MediaPipe is column-major; tz was always 0); GazeAnalyzer
saccade rate divided by historyLen/30 (inflated 3.3× on mobile).
Tests 209 → 212 green. Verified live at fivucsas.com/amispoof/.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
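
The two bugs named in the PR #37 message, as an added JavaScript example (not the spoof-detector source): reading a column-major 4×4 transform as row-major, and computing an event rate from an assumed 30 fps instead of frame timestamps. Function names, the sample matrix and the 9 fps timestamps are constructed for illustration.

```javascript
'use strict';
// Added example, not the spoof-detector source. All names are hypothetical.

// A 4x4 rigid transform stored column-major in 16 floats:
// index = col * 4 + row, so translation (tx, ty, tz) sits at 12, 13, 14
// and the constant bottom row (0, 0, 0, 1) sits at 3, 7, 11, 15.
function translationColumnMajor(m) {
  if (m.length !== 16) throw new RangeError('expected 16 floats');
  return { tx: m[12], ty: m[13], tz: m[14] };
}

// The misread: treating the same buffer as row-major picks up the bottom
// row, so every translation component is 0 for any rigid transform.
function translationRowMajorMisread(m) {
  if (m.length !== 16) throw new RangeError('expected 16 floats');
  return { tx: m[3], ty: m[7], tz: m[11] };
}

// Builds a constructed column-major matrix: yaw rotation plus translation.
function makeColumnMajor(yawDeg, tx, ty, tz) {
  const a = (yawDeg * Math.PI) / 180;
  const c = Math.cos(a);
  const s = Math.sin(a);
  return new Float32Array([
    c, 0, -s, 0,   // column 0: rotated X axis
    0, 1, 0, 0,    // column 1: Y axis
    s, 0, c, 0,    // column 2: rotated Z axis
    tx, ty, tz, 1, // column 3: translation
  ]);
}

// Events per second with the window length derived from an assumed frame
// rate (historyLen / 30, as in the commit message).
function rateAssumingFps(eventCount, historyLen, assumedFps = 30) {
  return eventCount / (historyLen / assumedFps);
}

// Events per second with the window length taken from the first and last
// frame timestamps, so a slow camera does not inflate the rate.
function rateWallClock(eventCount, timestampsMs) {
  if (timestampsMs.length < 2) return 0;
  const seconds = (timestampsMs[timestampsMs.length - 1] - timestampsMs[0]) / 1000;
  return seconds > 0 ? eventCount / seconds : 0;
}

// Constructed timestamps for `frames` frames captured at `fps`.
function frameTimestamps(frames, fps) {
  return Array.from({ length: frames }, (_, i) => (i * 1000) / fps);
}

// Ratio by which the assumed-fps rate overstates the wall-clock rate.
function inflation(eventCount, frames, actualFps) {
  const ts = frameTimestamps(frames, actualFps);
  return rateAssumingFps(eventCount, frames) / rateWallClock(eventCount, ts);
}

const sample = makeColumnMajor(20, 1.5, -2, -40);
console.log(translationColumnMajor(sample), translationRowMajorMisread(sample));
console.log(inflation(20, 90, 9).toFixed(2));
```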
…m head pose

PR #38: re-routes eye_motion_points + mouth_motion_points from raw
landmark variance (head-pose contaminated) to face-relative blendshape
stddevs (blink_symmetry + gaze + expression_dynamics). Tests 212 → 214.
Verified live at fivucsas.com/amispoof/ at 2026-05-17 08:43 UTC.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…lity pause

PR #39: blink_points becomes a rolling 60s rate (decays if blinking
stops), amispoof loop skips analyzeFrame() while document.hidden
(closes the backgrounded-tab static-incident false positive + the
proctoring backdoor where stale frames kept reporting LIVE).
Tests 214 → 217 green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…+ recorder

PR #40 (UI-only): bench gets a HEAD-probe preflight and explains
'samples not bundled' instead of a stack trace; new ✋ Hand toggle
button mirrors the 🎤 Mic button two-step UX; new ⏺ Record session
button captures MediaRecorder webm + per-frame analytics JSON
downloads on stop. No SDK changes, 217 tests still green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
PR #41 (UI-only): camera-recovery on visibility-return (fixes the
'face frozen after backgrounding' bug from PR #39 — mobile suspends
MediaStreamTrack, we now call play()/re-acquire); tighter SEO meta
description (Google snippet ready); in-page replay UI loads recorded
session JSON and shows verdict + proof timeline. No SDK changes,
217 tests still green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
PR #42: shortened all button labels (titles preserved) so they fit on
mobile widths; added ?autorec=1 URL param that auto-starts MediaRecorder
on session Start and auto-stops on session Stop. No SDK changes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…aper §10.1 update

PR #43: fixes mobile NotFoundError on .json replay file pick (FileReader
snapshot instead of Blob.text); refreshes paper conclusion §10.1 to
reflect the current 19-analyzer / 15-axis / 173 kB browser bundle state
plus README count update.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…paper §7.6

PR #44: docs-only. Operator runbook for amispoof.fivucsas.com migration
(accounts for TurkTicaret-registered + Hostinger-hosted topology) plus
.htaccess 301 template plus paper §7.6 refresh (projection → measured).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
PR #45 (docs only). Per user direction, the academic paper now leads
with the browser/client-side bundle as the primary deliverable and
documents the Python reference as the prototyping starting point +
evaluation harness rather than the production target. No empirical
claims changed; §6-§8 evaluation still produced by Python because
the dataset benchmarks live there.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
PR #46 in spoof-detector flips canonical/og:url/JSON-LD to
amispoof.fivucsas.com. Deployed to both locations. Old URL serves
a 301 via Hostinger .htaccess. Also updated this CLAUDE.md to
document the new deploy commands + the 301 fallback path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ahmetabdullahgultekin and others added 13 commits May 17, 2026 09:53
Migrated 2026-05-17. The src/App.tsx had two anchors pointing to the
old /amispoof/ relative path which served from fivucsas.com/amispoof/
(now 301s to the subdomain). Updated both to absolute
https://amispoof.fivucsas.com/ with target=_blank + rel=noopener for
the SEO/UX signal. Rebuilt + deployed to Hostinger.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…lease tag

PR #48 + #49: real 1200x630 og:image, ROADMAP refresh, package.json
bumped 0.1.0 → 0.3.0, GitHub release v0.3.0 published. Tier 1.5
complete (A og:image + B ROADMAP + C release tag).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… roadmap tooling

PR #50: surfaces 'Am I spoof?' query intent across title/h1/meta/og/twitter,
adds FAQPage JSON-LD with 5 Q&A entries for natural-language SERP visibility,
documents analytics + error-tracking + Cloudflare next-steps in ROADMAP.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Hardens amispoof.fivucsas.com replay loader against Android Chrome 148
picker-handle revocation: snapshotFile() races Blob.arrayBuffer() and
FileReader in parallel inside the change handler, drag-and-drop on
#replayPanel, clipboard-paste fallback when both readers fail.
Version 2026-05-18-replayfix deployed to Hostinger.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…sas.com root

Previously verify.fivucsas.com served a noindex shell that was blank for
direct visitors. Now the index.html ships a static landing block
(#verify-landing) with brand, value prop, 3 method cards, 10 auth-method
pills, integration snippet, footer — visible to crawlers and direct
visitors. React main.tsx sets #verify-root[data-mounted=true] on first
paint; a CSS sibling selector hides the landing for iframe/OAuth consumers
with no flash. Robots lifted to "index, follow"; added description,
canonical, og, twitter, JSON-LD SoftwareApplication. /login behaviour
unchanged — same shell, React routes to HostedLoginApp.

Deployed: docker compose build verify-widget && up -d. Image f7af736a.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Closes the cross-site navigation gap supervisor flagged (couldn't
navigate from demo to landing). Two scoped changes:

* bys-demo/index.html: replaces dead onclick="return false;" placeholders
  in the utility-bar with real links to landing + Dashboard + Widget +
  amispoof + Status.
* spoof-detector bump 310b746: adds same suite-bar to amispoof page,
  which previously had no outbound link to any sister site.

(web-app dashboard sidebar also got the suite-bar, in feature branch
fix/2026-05-12-liveness-and-puzzles — parent pointer not bumped here
since that branch has unrelated in-flight work; will land via PR.)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…emo subpages + download)

Earlier today's nav-fix only covered top-level pages. Audit found 7
surfaces still missing cross-site links. This commit closes the gap:

* docs.fivucsas.com (4 pages: index + identity + biometric + sdk) —
  recreated the docs-site/ source dir which had been deleted (extracted
  Dockerfile + nginx.conf + html/ + compose from the running fivucsas-docs
  container), patched each HTML with the suite-bar, rebuilt + redeployed.
* bys-demo callback.html + dashboard.html + test-elements.html — suite-bar
  block injected right after <body>. Previously only index.html had nav.
* landing-website/public/download.html — extended primary nav with
  amispoof + Widget + Status links (was missing).

Also corrected an earlier mis-statement: status.fivucsas.com is NOT an
external service — it's our self-hosted Uptime Kuma at
/opt/projects/uptime-kuma/, multi-hosted on the same container as
status.rollingcatsoftware.com via Traefik label.

8 surfaces verified live with the suite-bar.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pulls in practice-and-test/8e9bb5b which removes build artifacts (gradle-temp,
old report zips, regeneratable demo output) + abandoned R&D dirs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…te fixes)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
links-website/ (links.fivucsas.com hub): API tile now points to /swagger-ui.html instead of the raw API root (which returned a bare 401); real Turkish translations for the Ahmet/Ayşe role labels (were English under lang=tr, which Turkish-uppercased Latin i into dotted İ); de-mixed the Grafana tooltip; Ayşe Gülsüm GitHub @aysegulsum + ayse.gulsum@marun.edu.tr; Ayşenur aysenurarici@marun.edu.tr.

poster (FIVUCSAS_Poster_v3.html + landing-website/public/poster/files/fivucsas-poster.html): add marun.edu.tr academic emails + Gülsüm GitHub to the author contact block.

Bump spoof-detector + practice-and-test submodule pointers (attribution-doc commits).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Swagger is admin-IP gated (works for operator/VPN/Marmara campus, 403 for public). Keep the tile clickable but add a 'kısıtlı'/'gated' badge + tooltip so the restriction is visible — a middle tier between fully-public tiles and the disabled (no-public-DNS) Grafana card.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Re-rendered from fivucsas-poster.html (headless Chrome, A0 841×1189mm) so the binaries match the updated author contact block (marun.edu.tr emails + github.com/aysegulsum). PDF 1pp A0 558KB; PNG 3179×4494px.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 21, 2026 14:09
The ASCII slug aysenur-arici 404s; restore the originally-provided ayşenur-arıcı (percent-encoded ay%C5%9Fenur-ar%C4%B1c%C4%B1). LinkedIn blocks server-side verification (999), so this needs a browser confirm.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Pull request overview

This PR integrates the fix/2026-05-12-bake-mini-fasnet-models working branch into master, adding new public-facing static sites (links hub + docs), updating the verify-widget root landing/SEO, and vendoring Traefik configuration + cross-site navigation updates across the suite.

Changes:

  • Add new links-website/ static link hub (TR/EN toggle + QR asset).
  • Add docs-site/ static docs site (Identity + Biometric + SDK pages) and a production compose for Traefik.
  • Update verify-widget root HTML for SEO + a static landing section, and add cross-site navigation links across landing + BYS demo + docs.

Reviewed changes

Copilot reviewed 29 out of 35 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| verify-widget/html/index.html | SEO metadata and static landing content for verify root; CSP tweaks. |
| links-website/index.html | New links hub page with TR/EN language toggle, team cards, and subdomain links. |
| links-website/qr-links.svg | QR SVG asset for the links hub. |
| landing-website/src/index.css | Add TR-locale casing workaround for English uppercase text. |
| landing-website/src/App.tsx | Add amispoof + spoof-detector links; set lang="en" for uppercase English tagline. |
| landing-website/public/download.html | Add cross-site nav links (Widget/amispoof/Status). |
| infra/traefik/README.md | Document “vendored reference” workflow and XFF hardening rationale. |
| infra/traefik/config/traefik.yml | Traefik static config including forwardedHeaders hardening and access logs. |
| infra/traefik/config/dynamic.yml | Traefik dynamic routers/middlewares incl. redirects, admin gating, headers, rate limiting. |
| docs-site/nginx.conf | Nginx SPA config with /health endpoint and gzip enabled. |
| docs-site/Dockerfile | Nginx image for docs-site. |
| docs-site/docker-compose.prod.yml | Traefik-labeled production compose for docs-site container. |
| docs-site/html/index.html | Docs landing page (cards + quickstart + suite-bar). |
| docs-site/html/identity/index.html | Identity API Swagger UI page + fallback endpoint listing. |
| docs-site/html/identity/openapi.json | Identity OpenAPI spec shipped with the static docs. |
| docs-site/html/biometric/index.html | Biometric API Swagger UI page. |
| docs-site/html/biometric/openapi.json | Biometric OpenAPI spec shipped with the static docs. |
| docs-site/html/robots.txt | Robots + sitemap for docs site. |
| docs-site/html/sitemap.xml | Sitemap for docs site. |
| docs-site/html/sdk/index.html | Widget SDK documentation page. |
| CLAUDE.md | Update deployment notes and surface list (amispoof subdomain + deploy commands). |
| bys-demo/index.html | Replace placeholder utility links with suite navigation. |
| bys-demo/dashboard.html | Add suite-bar cross-site navigation. |
| bys-demo/callback.html | Add suite-bar cross-site navigation. |
| bys-demo/test-elements.html | Add suite-bar cross-site navigation. |
| archive/2026-05/plans/PHASE_4_PRODUCTIZATION_PLAN_2026-05-11.md | New archived Phase 4 productization plan document. |
| archive/2026-05/plans/OPERATOR_ACTIONS_2026-05-12.md | New operator runbook/checklist document for infra/security items. |

<div id="fallback" style="display: none;">
<div class="fallback-message">
<h2>Identity Core API Reference</h2>
<p>The OpenAPI specification is available for authenticated users. Below is a summary of all available endpoints.</p>
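
Review bot: the fallback paragraph says the OpenAPI specification "is available for authenticated users", but the file summary for this PR lists docs-site/html/identity/openapi.json as shipped with the static docs, so the copy and the deployment disagree. Either reword the paragraph to point at the static spec path, or stop shipping the JSON with the public site if the spec is meant to be gated; as written, a reader would assume an access control that the static file does not have.
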
Comment on lines +25 to +33
* Force English-locale casing on any uppercase'd English text in
* Turkish-mode pages. CSS text-transform uses the html lang attribute
* to pick casing rules — Turkish maps lowercase "i" to "İ" (dotted
* capital), so "identity" becomes "İDENTİTY" even though the source
* text is English. Marking the element `lang="en"` solves it cleanly.
*
* Belt-and-braces: also force the codepoints below to render with
* Latin small/capital "I" inside English-attributed nodes regardless
* of which font fallback the browser picks.
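
Review bot: the closing "Belt-and-braces" paragraph of this comment promises that codepoints are forced to render with Latin "I" regardless of font fallback, which is a stronger guarantee than the `lang="en"` mechanism the first paragraph describes. Casing under text-transform follows the element's language, not the font, so the comment should be trimmed to what the rule does (select English casing for English-tagged nodes) rather than claim glyph-level forcing that a later maintainer might rely on.
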
- "traefik.http.routers.fivucsas-docs.tls.certresolver=letsencrypt"
- "traefik.http.services.fivucsas-docs.loadbalancer.server.port=80"
healthcheck:
test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://127.0.0.1:80/ || exit 1"]
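
Review bot: the healthcheck `test` probes `http://127.0.0.1:80/`, the site root, while the file summary for docs-site/nginx.conf lists a dedicated /health endpoint. Point the probe at /health so container health reflects nginx itself and does not depend on index.html being present or on the SPA fallback.
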
ahmetabdullahgultekin and others added 2 commits May 21, 2026 14:24
…cs-site, verify-widget)

Poster suite: POSTER_BRIEF.md + landing-website/public/poster/ (viewer, brief, presentation script, assets) + poster/ design brief + script + assets + 4 style variants (showcase/visual).

bys-demo / docs-site / verify-widget: complete the TR/EN language switcher + data-tr/data-en i18n (matches the links-hub pattern; toggles <html lang> so locale-aware uppercasing is correct).

Deliberately EXCLUDES node_modules/ and the WIP submodule pointer bumps (biometric-processor / identity-core-api / web-app fix branches; web-app is -dirty) so no WIP submodule state ships to master.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…commands

Status carry-forward for the links hub / poster / attribution / i18n work; add links-website/ to Repository Structure; add links-hub + poster-regeneration deploy commands; note api.fivucsas.com gate behavior (401 root / 403 swagger / 200 OIDC discovery).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@ahmetabdullahgultekin ahmetabdullahgultekin merged commit 3692572 into master May 21, 2026
1 check passed
ahmetabdullahgultekin added a commit that referenced this pull request May 28, 2026
Low-risk doc/config polish for items Copilot flagged on PR #67 (and PR #69
where those files reached master). No behavior change to running services;
the only executable change is a more-robust docs-site healthcheck path.

- archive/.../OPERATOR_ACTIONS_2026-05-12.md:
  - redact partial live secret (API_KEY_SECRET=fcb06b7… → <redacted>)
  - main update: normal fast-forward `git push origin master:main`,
    reserve --force-with-lease for documented recovery only
  - add LOW to the severity legend (items 9-11 use it)
  - make item-count self-reference consistent (states 11; notes five→11 growth)
  - grammar: "a deliberately misuse" → "a deliberate misuse"
- docs-site/html/identity/index.html: fallback copy now says the OpenAPI
  spec is publicly available at /identity/openapi.json (it ships public)
- landing-website/src/index.css: comment now accurately describes the
  locale-aware :lang(en) uppercasing; drop the false belt-and-braces /
  codepoint-forcing claim and the duplicate text-transform line
- docs-site/docker-compose.prod.yml: healthcheck probes /health (the
  dedicated nginx endpoint) instead of /
- infra/traefik/README.md: add a Traefik-config dry-run validate step
  (compose config only validates the Compose file) and note access logs
  go to /var/log/traefik/access.log per accessLog.filePath, not stdout

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ahmetabdullahgultekin added a commit that referenced this pull request May 31, 2026
…5-31) (#107)

Concurrent 4-repo read-only audit (api/web/bio/spoof) against SOLID/DRY/YAGNI/
KISS/clean-code/design-patterns, focused on hardcoded strings + sloppy impls.
Prioritized P1/P2/P3 backlog with file:line evidence + a remediation order.
Already fixed this session: amispoof UNCERTAIN tri-state (spoof #69). Captures
the amispoof runtime regressions (flash branch unmerged; replay-passes-as-live
Nyquist+planarity) as DECISION-NEEDED items.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ahmetabdullahgultekin added a commit that referenced this pull request May 31, 2026
…5-31) (#112)

api: SMS-OTP prefix constant + dead authz service removed + email-token log dropped (#171).
web: dead userEnrollment feature deleted, useCamera relocated (#146); dashboard chip (#145).
spoof: amispoof single-source weight badges (#70) + UNCERTAIN tri-state (#69).

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>