fix(amispoof): incident-aware threat type + COOP/COEP multi-threading + drop dead launcher.js #90

Merged: ahmetabdullahgultekin merged 1 commit into main from claude/threat-attribution-and-coop on Jun 1, 2026
@ahmetabdullahgultekin

Contributor

Three changes, all surfaced by live low-light testing on 2026-06-01.

1. Threat-type attribution (user-reported bug)

A low-light phone replay was correctly verdicted SPOOF but mislabelled static_image — even though it visibly moves (12 blinks) and fired 30 video_replay incidents. Cause: dominant_threat came purely from the fooled fusion category_scores (static_image 0.08 > video_replay 0.06), ignoring the incidents that flipped the verdict. SessionEngine.getVerdict() now:

  1. lets the most-frequent incident category name the threat, and
  2. re-labels static_image → strongest dynamic category when ≥1 blink was observed (a frozen photo cannot blink).

Label-only — the live/spoof decision is unchanged. +2 locking tests (256 green), typecheck clean.

2. COOP/COEP → multi-threaded WASM on the domain

The live site ran single-threaded ORT (numThreads … crossOriginIsolated warning) because Hostinger sent no COOP/COEP (the local server.mjs already does — hence higher local fps). Added both headers to .htaccess. Verified safe: every cross-origin subresource is jsdelivr, which replies access-control-allow-origin: * + cross-origin-resource-policy: cross-origin. Rollback = delete the two lines (Hostinger picks it up instantly).

3. Remove dead launcher.js

https://app.fivucsas.com/launcher.js is unused on amispoof (no FivucsasAuth/login refs), threw a CORS error in console every load, and was the only COEP-non-compliant resource — so removing it unblocks #2.

Plus tooling: notebooks/yolo_bench.py (CVZone YOLOv8 fake/real benchmark) + notebooks/v3_check.py (V3 separability summary). Cache-bust → 2026-06-01-threat-coop.

🤖 Generated with Claude Code
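
The two labelling rules from item 1 of the description, as an added sketch that is not the project's `SessionEngine` code. The function name, the input field names, the reading of "dynamic" as any category other than `static_image`, and ranking "strongest" by fused score are all assumptions.

```javascript
// Added illustration; not the project's SessionEngine code. Field names are assumed.
const STATIC = "static_image";

// Pick the key with the largest numeric value; ties keep the first key seen.
function argmax(obj, keep = () => true) {
  let best = null;
  for (const [k, v] of Object.entries(obj)) {
    if (keep(k) && (best === null || v > obj[best])) best = k;
  }
  return best;
}

function labelThreat({ categoryScores, incidents, blinkCount }) {
  // Old behaviour described in the PR: the fused scores alone name the threat.
  let label = argmax(categoryScores);

  // Rule 1: the most frequent incident category names the threat.
  const counts = {};
  for (const inc of incidents) counts[inc.category] = (counts[inc.category] || 0) + 1;
  const byIncidents = argmax(counts);
  if (byIncidents !== null) label = byIncidents;

  // Rule 2: a frozen photo cannot blink, so with >= 1 blink re-label
  // static_image to the strongest non-static category (by fused score here).
  if (label === STATIC && blinkCount >= 1) {
    const dynamic = argmax(categoryScores, (k) => k !== STATIC);
    if (dynamic !== null) label = dynamic;
  }
  return label;
}

// Constructed session mirroring the numbers in the PR description.
const replay = {
  categoryScores: { static_image: 0.08, video_replay: 0.06 },
  incidents: Array.from({ length: 30 }, () => ({ category: "video_replay" })),
  blinkCount: 12,
};
```

The function only chooses a label; like the change described above, it has no input into the live/spoof decision.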

…ncher.js

THREAT TYPE (user-reported 2026-06-01): a low-light phone replay was
verdicted SPOOF correctly but labelled 'static_image' — wrong, since it
visibly moves (12 blinks) and fired 30 video_replay incidents. Root cause:
dominant_threat was taken purely from the fooled fusion category_scores
(static_image 0.08 > video_replay 0.06), ignoring the incidents that
actually flipped the verdict. SessionEngine.getVerdict() now:
  1. lets the most-frequent incident category name the threat, and
  2. re-labels static_image to the strongest dynamic category when >=1 blink
     was observed (a frozen photo cannot blink).
Label-only change; the live/spoof decision is untouched. +2 locking tests
(254 -> 256 green), typecheck clean.

COOP/COEP: add Cross-Origin-Opener-Policy + Cross-Origin-Embedder-Policy to
the amispoof .htaccess so the live domain gets SharedArrayBuffer ->
multi-threaded ORT WASM (was single-threaded; local server.mjs already had
these, which is why local fps was higher). Verified safe: every cross-origin
subresource is jsdelivr, which sends ACAO:* + CORP:cross-origin. Rollback =
delete the two header lines.

LAUNCHER: remove the dead https://app.fivucsas.com/launcher.js script — it is
unused on amispoof (no FivucsasAuth/login references), was throwing a CORS
error in console, and was the only COEP-non-compliant resource on the page.

tooling: notebooks/yolo_bench.py (CVZone YOLOv8 fake/real benchmark, +--imgsz)
and notebooks/v3_check.py (per-session V3 separability summary).

Cache-bust -> 2026-06-01-threat-coop (HTML + app.js + lib import).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
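
A pre-deploy check for the "verified safe" step in the COOP/COEP paragraph, as an added example that is not code from this PR. It assumes the embedder policy value is `require-corp` (the page does not state the value); the page origin, the jsdelivr path and the header sets are constructed samples.

```javascript
// Added illustration; assumes COEP: require-corp. URLs below are constructed samples.
function header(res, name) {
  const hit = Object.entries(res.headers || {})
    .find(([k]) => k.toLowerCase() === name);
  return hit ? String(hit[1]).trim().toLowerCase() : null;
}

// Returns { url, ok, reason } for one subresource of a page served at pageOrigin.
function checkCoep(pageOrigin, res) {
  const origin = new URL(res.url).origin;
  if (origin === pageOrigin) return { url: res.url, ok: true, reason: "same-origin" };

  if (res.mode === "cors") {
    // CORS-mode loads (crossorigin attribute, module scripts, fetch) pass on ACAO.
    const acao = header(res, "access-control-allow-origin");
    const ok = acao === "*" || acao === pageOrigin.toLowerCase();
    return { url: res.url, ok, reason: ok ? "CORS allowed" : "CORS check fails" };
  }
  // no-cors loads (plain <script src>, <img>) need an explicit CORP opt-in.
  // same-site is treated as non-compliant here to keep the audit conservative.
  const corp = header(res, "cross-origin-resource-policy");
  const ok = corp === "cross-origin";
  return { url: res.url, ok, reason: ok ? "CORP cross-origin" : "no CORP opt-in" };
}

// List every subresource that would be blocked once the headers go live.
function audit(pageOrigin, resources) {
  return resources.map((r) => checkCoep(pageOrigin, r)).filter((r) => !r.ok);
}

const PAGE = "https://amispoof.example"; // placeholder origin, not the real domain
const resources = [
  { url: PAGE + "/app.js", mode: "no-cors", headers: {} },
  { url: "https://cdn.jsdelivr.net/npm/example-lib/dist/lib.js", mode: "no-cors",
    headers: { "Access-Control-Allow-Origin": "*",
               "Cross-Origin-Resource-Policy": "cross-origin" } },
  // Modelled with no opt-in headers, matching the PR's description of it.
  { url: "https://app.fivucsas.com/launcher.js", mode: "no-cors", headers: {} },
];
```

Running `audit(PAGE, resources)` on this sample flags only the `launcher.js` entry, which is the resource the PR removes.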
Copilot AI review requested due to automatic review settings June 1, 2026 08:50
@ahmetabdullahgultekin ahmetabdullahgultekin merged commit 603e59d into main Jun 1, 2026
1 check passed

Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

ahmetabdullahgultekin added a commit that referenced this pull request Jun 1, 2026
…in mic (#91)

Re-applied on top of #90 (the prior #89 conflicted). Source-verified counts: 23 analyzers (20 active by default; hand + voice/audio opt-in), 18 liveness-proof axes, 3 gates. Fixed across index.html meta/OG/Twitter/JSON-LD + README/ROADMAP/web README. Also microphone=() -> microphone=(self) so the opt-in voice/audio analyzers can actually request mic permission in prod.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>