diff --git a/faceai/README.md b/faceai/README.md index 2dfa1cb7..5c36e47c 100644 --- a/faceai/README.md +++ b/faceai/README.md @@ -5,7 +5,8 @@ This folder scaffolds the new FaceAI app described in the integration plan. It includes: - a Vue frontend for the FaceAI upload and polling flow -- a Node/Express backend for session exchange, mocked searches, and return handoff +- a Node/Express backend for session exchange, queueing, and return handoff +- a dedicated processor runner that consumes matcher jobs from Redis and executes `face_matcher` - a local legacy simulator so the launch and return flow can be tested without the old Java site - a Dockerized PHP Apache stack for exercising the real `www/faceai_handoff.php` and `www/faceai_return.php` bridge files @@ -16,64 +17,91 @@ faceai/ apps/ backend/ frontend/ + processor/ docker/ Dockerfile ``` -## What The Local Test Covers +## Runtime Topology + +The scaffold currently expects four runtime roles: + +- `faceai`: public HTTP service on port `3001`, serving the built Vue app and the authenticated API +- `processor`: background matcher runner consuming BullMQ jobs from Redis and executing the Linux `face_matcher` binary +- `redis`: short-lived queue and search-state store +- `legacy-php`: local-only PHP Apache simulator for exercising the real bridge files under `www/` + +For hosted deployment, the long-lived application topology is `faceai` + `processor` + `redis`. The PHP simulator stays local-only and the real legacy site remains on its existing stack. + +## What The End-To-End Local Test Covers The local simulator exercises the exact flow the plan is aiming for: -1. a legacy-like race page shows a `Face ID` button instead of `tipoPuntoFoto` -2. clicking it hits a mock legacy handoff endpoint +1. a legacy-like race page loads the original `www/_js/rus-ecom-240621.js` script and shows a `Face ID` button instead of `tipoPuntoFoto` +2. clicking it hits the real PHP handoff bridge at `www/faceai_handoff.php` 3. the backend signs a short-lived handoff token and redirects to the Vue app 4. the Vue app exchanges the token for its own FaceAI session cookie -5. the user uploads a selfie and starts a mocked race-scoped search +5. the user uploads a selfie and starts a Redis-backed race-scoped search 6. the frontend polls until the job completes 7. FaceAI requests a signed return URL -8. the browser is redirected back to a legacy-like filtered race page showing only the matched photos +8. the browser is redirected back to the real PHP return bridge at `www/faceai_return.php` +9. the PHP bridge fetches the signed result from FaceAI and renders a filtered legacy-like race page -## Local Run +## Local Testing With The Legacy PHP Simulator + +This is the recommended local test path because it exercises the public site, the processor, Redis, and the real PHP bridge files together. + +### Prerequisites + +- Docker Desktop or another Docker Engine with Compose support +- local npm dependencies installed in this `faceai/` workspace + +### Start The Stack From this folder: -```bash -npm install -npm run dev -``` - -Then open: - -```text -http://localhost:3001/dev/legacy/race?raceId=101&lang=it -``` - -That page simulates the old site and launches the FaceAI app at `http://localhost:5173`. - -## Docker Run With PHP Simulator - -If you do not have PHP locally, use Docker instead: - ```bash npm install npm run build docker compose up --build ``` -The Docker stack reuses the local FaceAI workspace and only containerizes the runtime services. That means PHP is fully containerized, while the Node service runs inside Docker against the already-installed local workspace dependencies and the already-built frontend assets. +The checked-in `docker-compose.yml` starts: -This starts: +- FaceAI public site on `http://localhost:3001` +- processor runner on the internal Compose network +- Redis on the internal Compose network +- PHP Apache serving `../www` on `http://localhost:8080` -- FaceAI app on `http://localhost:3001` -- PHP Apache serving `www` on `http://localhost:8080` +The local stack also mounts: -For the end-to-end test through the PHP bridge, open: +- `../bin/Face_Recognition_Unix` into the processor container as the matcher binary source +- `../test_pkl` into the processor container as fallback PKL test data +- `../www` into the PHP container so the real bridge files are used + +### Run The Browser Test + +Open: ```text http://localhost:8080/faceai_simulator.php?raceId=101&lang=it ``` -That page loads the original race-page JavaScript from `www/_js/rus-ecom-240621.js`, lets the script replace the visible `tipoPuntoFoto` selector with the new `Face ID` button, and launches the real PHP handoff bridge at `www/faceai_handoff.php`. +That page simulates the legacy race page, loads the original race-page JavaScript from `www/_js/rus-ecom-240621.js`, lets the script replace the visible `tipoPuntoFoto` selector with the new `Face ID` button, and launches the real PHP handoff bridge at `www/faceai_handoff.php`. + +### Expected Local Flow + +Use the page above and verify this sequence: + +1. the simulator page renders on port `8080` +2. the visible checkpoint selector is replaced with the `Face ID` launch button +3. clicking `Face ID` redirects through `faceai_handoff.php` into `http://localhost:3001/auth/callback?token=...` +4. the FaceAI app establishes its session and loads the upload flow +5. uploading a selfie creates a queued search that the processor picks up +6. when polling completes, FaceAI redirects back to `http://localhost:8080/faceai_return.php?...` +7. the PHP return page renders the filtered photo list from the FaceAI result payload + +### Rebuild Notes If you change frontend code and want Docker to serve the updated UI, rebuild first with: @@ -81,62 +109,38 @@ If you change frontend code and want Docker to serve the updated UI, rebuild fir npm run build ``` -## Production Deployment From Registry +If you want to stop and remove the local containers afterward, run: -The published container is the user-facing FaceAI site only. It already contains: +```bash +docker compose down +``` -- the Node/Express backend -- the built Vue frontend assets served by that backend +## Optional Backend And Frontend Dev Loop -It does not include: +If you only want to iterate on the app without the PHP simulator, you can still run the public site and the processor separately. The queue-backed flow now requires Redis and the processor, so `npm run dev` alone is no longer the full stack. -- the legacy PHP simulator -- the existing `www` site -- the future queue/processor worker +One workable loop is: -In production, deploy a single FaceAI container behind HTTPS on its own host name, for example `faceai.regalamiunsorriso.it`, and keep the legacy site on its existing stack. +```bash +npm install +docker compose up redis -d +npm run dev +``` -### What The Production Container Exposes +Then start the processor in a second shell, either with its own local environment or by keeping the Compose-managed processor service running. -- HTTP service on port `3001` inside the container -- health endpoint at `/health` -- frontend and API from the same process +## Docker Compose Deployment For The Public Site And Matcher Runner -The image should be run with a reverse proxy or ingress that terminates TLS and forwards traffic to the container. +The checked-in `docker-compose.yml` is for local integration testing because it also includes the PHP simulator and local bind mounts. For hosted deployment, keep the same three-service application topology but remove `legacy-php` and replace the local mounts with your production matcher and PKL paths. -### Required Runtime Configuration +The public FaceAI site and the matcher runner can both use the same application image. The difference is only the process command: -Set these environment variables for production: +- `npm run start` for the public site +- `npm run start:processor` for the matcher runner -| Variable | Required | Example | Purpose | -| --- | --- | --- | --- | -| `NODE_ENV` | yes | `production` | disables development defaults | -| `PORT` | optional | `3001` | internal listen port | -| `FACEAI_FRONTEND_URL` | yes | `https://faceai.regalamiunsorriso.it` | URL used when the legacy bridge redirects into the app | -| `FACEAI_PUBLIC_BASE_URL` | yes | `https://faceai.regalamiunsorriso.it` | public base URL used for local links and return flow generation | -| `FACEAI_LEGACY_RETURN_URL` | yes | `https://www.regalamiunsorriso.it/faceai_return.php` | legacy endpoint that receives the signed FaceAI result handoff | -| `FACEAI_SHARED_SECRET` | yes | long random secret | shared signing secret between FaceAI and the legacy handoff/return bridge | -| `FACEAI_SESSION_COOKIE` | optional | `rus_faceai_session` | cookie name for the FaceAI session | -| `FACEAI_ENABLE_LOCAL_LEGACY_STATIC` | recommended | `0` | disables development-only static serving of local legacy assets | +### Production Compose Example -Do not enable `FACEAI_ENABLE_LOCAL_LEGACY_STATIC` in production. That mode exists only for local simulator flows. - -### Legacy-Side Configuration That Must Match - -The container will not work correctly in production unless the legacy bridge is configured consistently. - -The legacy site must: - -- redirect users into `FACEAI_FRONTEND_URL` with a valid signed handoff token -- use the same `FACEAI_SHARED_SECRET` as the FaceAI container -- expose the configured `FACEAI_LEGACY_RETURN_URL` -- validate the signed return token and fetch the result payload from FaceAI - -The shared secret is the trust boundary between the legacy site and FaceAI. Treat it like any other production secret and inject it through the platform secret store, not through source control. - -### Example Docker Compose For Production - -Replace the registry path and secret values with the real ones from Forgejo. +Replace the registry path, secrets, and host paths with the real deployment values. ```yaml services: @@ -147,35 +151,104 @@ services: environment: NODE_ENV: production PORT: 3001 - FACEAI_FRONTEND_URL: https://faceai.regalamiunsorriso.it - FACEAI_PUBLIC_BASE_URL: https://faceai.regalamiunsorriso.it + FACEAI_FRONTEND_URL: https://ai.regalamiunsorriso.it + FACEAI_PUBLIC_BASE_URL: https://ai.regalamiunsorriso.it FACEAI_LEGACY_RETURN_URL: https://www.regalamiunsorriso.it/faceai_return.php FACEAI_SHARED_SECRET: change-this-to-a-long-random-secret FACEAI_SESSION_COOKIE: rus_faceai_session + FACEAI_REDIS_URL: redis://redis:6379 + FACEAI_QUEUE_NAME: faceai-searches + FACEAI_RUNTIME_ROOT: /data/runtime + FACEAI_UPLOAD_ROOT: /data/runtime/uploads FACEAI_ENABLE_LOCAL_LEGACY_STATIC: 0 + volumes: + - faceai-runtime:/data/runtime ports: - "127.0.0.1:3001:3001" + depends_on: + - redis + + processor: + image: registry.example.com/my-namespace/faceai:latest + container_name: regalami-faceai-processor + restart: unless-stopped + command: npm run start:processor + environment: + NODE_ENV: production + FACEAI_REDIS_URL: redis://redis:6379 + FACEAI_QUEUE_NAME: faceai-searches + FACEAI_RUNTIME_ROOT: /data/runtime + FACEAI_PKL_ROOT: /data/pkl + FACEAI_MATCHER_BINARY: /opt/face-recognition/face_matcher + FACEAI_WORKER_CONCURRENCY: 2 + FACEAI_WORKER_TIMEOUT_MS: 300000 + volumes: + - faceai-runtime:/data/runtime + - /srv/faceai/pkl:/data/pkl:ro + - /srv/faceai/bin/Face_Recognition_Unix:/opt/face-recognition:ro + depends_on: + - redis + + redis: + image: redis:7-alpine + container_name: regalami-faceai-redis + restart: unless-stopped + command: redis-server --appendonly no + +volumes: + faceai-runtime: ``` -This pattern assumes a reverse proxy on the host publishes `https://faceai.regalamiunsorriso.it` and forwards to `127.0.0.1:3001`. +This pattern assumes a reverse proxy on the host publishes `https://ai.regalamiunsorriso.it` and forwards to `127.0.0.1:3001`. The processor is internal-only and does not expose any public port. -### Example Docker Run +### Required Runtime Configuration -```bash -docker run -d \ - --name regalami-faceai \ - --restart unless-stopped \ - -p 127.0.0.1:3001:3001 \ - -e NODE_ENV=production \ - -e PORT=3001 \ - -e FACEAI_FRONTEND_URL=https://faceai.regalamiunsorriso.it \ - -e FACEAI_PUBLIC_BASE_URL=https://faceai.regalamiunsorriso.it \ - -e FACEAI_LEGACY_RETURN_URL=https://www.regalamiunsorriso.it/faceai_return.php \ - -e FACEAI_SHARED_SECRET=change-this-to-a-long-random-secret \ - -e FACEAI_SESSION_COOKIE=rus_faceai_session \ - -e FACEAI_ENABLE_LOCAL_LEGACY_STATIC=0 \ - registry.example.com/my-namespace/faceai:latest -``` +Shared application settings: + +| Variable | Required | Example | Purpose | +| --- | --- | --- | --- | +| `NODE_ENV` | yes | `production` | disables development defaults | +| `FACEAI_REDIS_URL` | yes | `redis://redis:6379` | queue and search-state backend | +| `FACEAI_QUEUE_NAME` | optional | `faceai-searches` | BullMQ queue name | +| `FACEAI_RUNTIME_ROOT` | yes | `/data/runtime` | shared writable runtime root between site and processor | +| `FACEAI_SHARED_SECRET` | yes | long random secret | trust boundary between FaceAI and the legacy bridge | + +Public site settings: + +| Variable | Required | Example | Purpose | +| --- | --- | --- | --- | +| `PORT` | optional | `3001` | internal listen port | +| `FACEAI_FRONTEND_URL` | yes | `https://ai.regalamiunsorriso.it` | URL used when the legacy bridge redirects into the app | +| `FACEAI_PUBLIC_BASE_URL` | yes | `https://ai.regalamiunsorriso.it` | public base URL used for local links and return flow generation | +| `FACEAI_LEGACY_RETURN_URL` | yes | `https://www.regalamiunsorriso.it/faceai_return.php` | legacy endpoint that receives the signed FaceAI result handoff | +| `FACEAI_SESSION_COOKIE` | optional | `rus_faceai_session` | cookie name for the FaceAI session | +| `FACEAI_UPLOAD_ROOT` | optional | `/data/runtime/uploads` | upload directory inside the shared runtime volume | +| `FACEAI_ENABLE_LOCAL_LEGACY_STATIC` | recommended | `0` | disables development-only static serving of local legacy assets | + +Processor settings: + +| Variable | Required | Example | Purpose | +| --- | --- | --- | --- | +| `FACEAI_PKL_ROOT` | yes | `/data/pkl` | mounted race-to-PKL dataset root | +| `FACEAI_TEST_PKL_ROOT` | optional | `/data/pkl/test` | local-only fallback PKL location | +| `FACEAI_MATCHER_BINARY` | yes | `/opt/face-recognition/face_matcher` | matcher executable inside the processor container | +| `FACEAI_WORKER_CONCURRENCY` | optional | `2` | BullMQ worker concurrency | +| `FACEAI_WORKER_TIMEOUT_MS` | optional | `300000` | matcher timeout in milliseconds | + +Do not enable `FACEAI_ENABLE_LOCAL_LEGACY_STATIC` in production. That mode exists only for local simulator flows. + +### Legacy-Side Configuration That Must Match + +The deployment will not work correctly unless the legacy bridge is configured consistently. + +The legacy site must: + +- redirect users into `FACEAI_FRONTEND_URL` with a valid signed handoff token +- use the same `FACEAI_SHARED_SECRET` as the FaceAI deployment +- expose the configured `FACEAI_LEGACY_RETURN_URL` +- validate the signed return token and fetch the result payload from FaceAI + +The shared secret is the trust boundary between the legacy site and FaceAI. Treat it like any other production secret and inject it through the platform secret store, not through source control. ### Reverse Proxy Expectations @@ -188,25 +261,27 @@ The app should sit behind HTTPS. In practice that means: ### Post-Deploy Validation -After the container is up, validate at least the following: +After the Compose stack is up, validate at least the following: 1. `GET /health` returns `{"ok":true}` through the public FaceAI host. 2. The legacy handoff endpoint redirects to `https://faceai.../auth/callback?token=...`. 3. FaceAI can exchange the token and establish a session. -4. Completing a search produces a redirect URL that points to `FACEAI_LEGACY_RETURN_URL`. -5. The legacy return endpoint can resolve the signed result and render the filtered race page. +4. A search is enqueued in Redis and picked up by the processor. +5. Completing a search produces a redirect URL that points to `FACEAI_LEGACY_RETURN_URL`. +6. The legacy return endpoint can resolve the signed result and render the filtered race page. ### Current Production Limitations -This image can be published and deployed, but the current scaffold still has important limitations: +This scaffold can now be deployed with the public site, processor, and Redis, but it still has important limitations: -- sessions and search results are stored only in memory, so container restarts lose state -- there is no real queue or processor yet -- there is no persistent storage layer yet +- search state is short-lived in Redis and is not backed by a durable database +- runtime uploads and matcher output still need an agreed production retention and cleanup policy +- the final production PKL/NAS layout is not yet locked down - the backend currently sets the FaceAI session cookie with `secure: false`, which should be hardened before final public rollout - the local simulator endpoints under `/dev/*` are still present in the app and should be treated as non-production scaffolding +- the processor CSV parser is still based on the current scaffolded matcher output assumptions -So the registry deployment is appropriate for early hosted integration and controlled production-like rollout, but not yet for the final hardened architecture described in the integration plan +So the Compose deployment is appropriate for hosted integration and controlled production-like rollout, but not yet for the final hardened architecture described in the integration plan. ## Environment @@ -219,6 +294,13 @@ FACEAI_PUBLIC_BASE_URL=http://localhost:3001 FACEAI_LEGACY_RETURN_URL=http://localhost:3001/dev/legacy/return FACEAI_SHARED_SECRET=change-me FACEAI_SESSION_COOKIE=rus_faceai_session +FACEAI_REDIS_URL=redis://redis:6379 +FACEAI_QUEUE_NAME=faceai-searches +FACEAI_RUNTIME_ROOT=/data/runtime +FACEAI_UPLOAD_ROOT=/data/runtime/uploads +FACEAI_PKL_ROOT=/data/pkl +FACEAI_TEST_PKL_ROOT=/data/pkl/test +FACEAI_MATCHER_BINARY=/opt/face-recognition/face_matcher ``` If you want FaceAI to return through the new PHP bridge prepared under `www`, point `FACEAI_LEGACY_RETURN_URL` to that endpoint instead, for example `http://localhost/faceai_return.php` or the equivalent URL in your local PHP setup. @@ -231,8 +313,8 @@ FACEAI_LEGACY_RETURN_URL=http://localhost:8080/faceai_return.php ## Notes -- The backend currently uses in-memory stores and mocked search results. -- No database or real queue is wired yet. +- Search orchestration now uses Redis and a dedicated processor worker. +- The checked-in Compose file is meant for local integration testing, not as-is production use. - The local legacy simulator is intentionally backend-driven so the handoff can be tested without compiling the existing Java application. - `www/faceai_simulator.php` exists only for local testing. It does not replace the actual JSP race page. - The final legacy integration still needs a real signed identity source and a real return-filter implementation on the old site. diff --git a/faceai/docker/Dockerfile b/faceai/docker/Dockerfile index 57879377..12248770 100644 --- a/faceai/docker/Dockerfile +++ b/faceai/docker/Dockerfile @@ -5,6 +5,7 @@ WORKDIR /app COPY package.json ./ COPY apps/frontend/package.json apps/frontend/package.json COPY apps/backend/package.json apps/backend/package.json +COPY apps/processor/package.json apps/processor/package.json RUN npm install diff --git a/sync/www-deploy-manifest.md b/sync/www-deploy-manifest.md index b5e9090d..696c5505 100644 --- a/sync/www-deploy-manifest.md +++ b/sync/www-deploy-manifest.md @@ -1,117 +1,47 @@ # WWW Deployment Manifest -This document lists the files under `www/` that changed after the initial `www` import baseline and should be copied to the remote staging path: +This document lists the files under `www/` in the current FaceAI feature-flag rollout that should be copied to the remote staging path: `/home/marco/regalamiunsorriso/incoming/www` -## Baseline Used +## Deployment Set -- Excluded the initial `www` import history by using commit `cc69770608bd0f1c32eeac01e16042f4e8a47012` (`First commit`) as the baseline. -- Included committed changes after that baseline up to `HEAD`. -- Included the current uncommitted workspace change in `www/controlCode.jsp`. +All files in this rollout are deployed from the current working tree. ## New Files -- `www/faceai_config.php` -- `www/faceai_handoff.php` -- `www/faceai_return.php` -- `www/faceai_simulator.php` -- `www/faceai_simulator_view.php` +- None in this rollout. ## Updated Files -- `www/_inc_footer.jsp` - `www/_js/rus-ecom-240621.js` -- `www/associazione-en.jsp` -- `www/associazione.jsp` -- `www/atleticaImmagine_chiSiamo-en.jsp` -- `www/atleticaImmagine_chiSiamo.jsp` -- `www/controlCode-en.jsp` -- `www/controlCode.jsp` -- `www/includes/inc-header.php` -- `www/lostPwd.jsp` -- `www/mailMessage/noMorePic.html` -- `www/mailMessage/noMorePic.txt` -- `www/mailMessage/noMorePicCc.html` -- `www/mailMessage/noMorePicScad.html` -- `www/mailMessage/noMorePicScad.txt` -- `www/mailMessage/perScadereMsg.html` -- `www/mailMessage/userMsg_it.html` -- `www/mailMessage/userMsg_itCC.html` -- `www/newsCR-en.jsp` -- `www/newsCR.jsp` -- `www/pg/controlCode.jsp` -- `www/pg/logon.jsp` -- `www/pg/registra.jsp` -- `www/users-en.jsp` -- `www/users.jsp` - -## Local Workspace-Only Change Included - -- `www/controlCode.jsp` currently has an uncommitted local modification and should be deployed from the working tree version, not just from `HEAD`. +- `www/faceai_config.php` +- `www/faceai_handoff.php` +- `www/faceai_simulator_view.php` +- `www/fotoCR-en.jsp` +- `www/fotoCR.jsp` ## Remote Copy Target - Source root: `K:\various\regalamiunsorriso` - Remote host: `marco@83.149.164.4:410` -- Remote path: `/home/marco/regalamiunsorriso/incoming/www` -- Total files in this manifest: `30` +- Remote staging path: `/home/marco/regalamiunsorriso/incoming/www` +- Remote live path: `/home/sites/regalamiunsorriso/www` +- Total files in this manifest: `6` -## Transfer Notes +## Transfer Method -- Transfer completed by streaming a tar archive over SSH and extracting it into `/home/marco/regalamiunsorriso/incoming` so the `www/...` directory structure was preserved. -- Representative remote verification succeeded for new files and updated files, including `www/faceai_config.php`, `www/faceai_handoff.php`, `www/faceai_return.php`, `www/faceai_simulator.php`, `www/faceai_simulator_view.php`, `www/controlCode.jsp`, `www/_js/rus-ecom-240621.js`, `www/includes/inc-header.php`, and `www/pg/logon.jsp`. -- `www/controlCode.jsp` was uploaded from the local working tree, which includes an uncommitted change. +- Stage by streaming a tar archive over SSH and extracting it into `/home/marco/regalamiunsorriso/incoming` so the `www/...` directory structure is preserved. +- Promote with `/home/marco/promote-file.sh` through `sudo tcsh` so the live destination keeps its required owner, group, and mode. -## Issues Encountered +## Verification Expectations -- The remote login shell behaves as `tcsh`, so POSIX shell loops like `for ...; do ...; done` fail unless they are explicitly run through `sh -c`. -- The server `sh` does not accept the `-l` option, so verification commands must use `sh -c`, not `sh -lc`. -- The direct SSH and tar-based copy path works; the MCP SSH tools were not used for this transfer because they were previously failing authentication or transport checks. +- Verify staged files with `ls -l` and `cksum`. +- Verify live files with `ls -l`, `stat -f`, and `cksum`. +- Existing destination files should retain their original metadata after promotion. -## Single-File Live Promotion Test +## Known Shell Quirks -- Tested file: `www/associazione-en.jsp` -- Staged source: `/home/marco/regalamiunsorriso/incoming/www/associazione-en.jsp` -- Live destination: `/home/sites/regalamiunsorriso/www/associazione-en.jsp` -- Original live metadata before copy: owner `jenkins`, group `www`, mode `100644`, size `6289` -- Live metadata after copy: owner `jenkins`, group `www`, mode `100644`, size `6139` -- Content verification after copy succeeded: `cksum` matched for staged and live files. - -## Promotion Script - -- Local template: `sync/promote-file.sh` -- Remote installed script: `/home/marco/promote-file.sh` -- Purpose: copy one source file to one destination file, then restore the destination file owner, group, and mode from the original live file. -- Supports an optional third argument: a metadata source file to use when the destination file does not exist yet and the target directory has mixed permission patterns. - -### Command That Worked - -```powershell -ssh -tt -i C:\Users\Maddo\.ssh\id_rsa -p 410 marco@83.149.164.4 "sudo tcsh -c '/home/marco/promote-file.sh /home/marco/regalamiunsorriso/incoming/www/associazione-en.jsp /home/sites/regalamiunsorriso/www/associazione-en.jsp'" -``` - -## Additional Problems Found During Live Promotion - -- Uploading a multi-line script inline from PowerShell was unreliable in the local terminal because the prompt layer interfered with the here-string before SSH execution. Using a normal local file plus `scp` worked cleanly. -- The live-site verification command was interrupted once when run in parallel with the promotion command. Re-running verification separately avoided that issue. -- Promotion to `/home/sites/regalamiunsorriso/www` must run through `sudo tcsh`; copying as `marco` alone is not sufficient for the live path and would not preserve the required live ownership. -- Root-level PHP files on the live site do not have a single uniform mode. For example, `_inc_footer.php` and `gallery1.php` are `775`, while `test.php` is `644`. The promotion helper was extended to accept an explicit metadata source so new files can follow a chosen live pattern instead of relying on the first sibling match. - -## Recommended Replication Procedure - -1. Stage the file under `/home/marco/regalamiunsorriso/incoming/www/...`. -2. Inspect the live destination metadata before changing anything. -3. Run `/home/marco/promote-file.sh [metadata-source]` through `sudo tcsh` in an SSH session opened with `-tt`. -4. Verify the live file with `ls -l`, `stat -f`, and `cksum` against the staged source. - -## Full Live Promotion Result - -- After the single-file test with `www/associazione-en.jsp`, the remaining `29` files in the manifest were promoted successfully to `/home/sites/regalamiunsorriso/www`. -- Existing destination files kept their original live owner, group, and mode. -- The new `faceai_*.php` files were created as `jenkins:www` with mode `775`, using `/home/sites/regalamiunsorriso/www/_inc_footer.php` as the explicit metadata source. -- Representative content verification succeeded with matching `cksum` values for: - - `www/faceai_config.php` - - `www/controlCode.jsp` - - `www/pg/logon.jsp` -- Representative metadata verification succeeded for updated files in root, `pg`, `includes`, and `mailMessage` directories. \ No newline at end of file +- The remote login shell behaves as `tcsh`, so POSIX shell loops fail unless run through `sh -c`. +- The server `sh` does not support `-l`, so use `sh -c`, not `sh -lc`. +- Direct SSH plus tar works reliably on this host; MCP SSH was previously unreliable and is avoided. \ No newline at end of file diff --git a/www/_js/rus-ecom-240621.js b/www/_js/rus-ecom-240621.js index 5e82edf8..b217394d 100644 --- a/www/_js/rus-ecom-240621.js +++ b/www/_js/rus-ecom-240621.js @@ -114,6 +114,79 @@ function getCurrentLangValue() { return $("html").attr("lang") || "it"; } +function faceAiFeatureEnabled() { + var config = window.faceAiConfig || {}; + var simulatorConfig = window.faceAiSimulator || {}; + var value = typeof config.enabled !== "undefined" ? config.enabled : simulatorConfig.enabled; + + if (typeof value === "string") { + value = value.toLowerCase(); + return value === "1" || value === "true" || value === "yes" || value === "on"; + } + + return value === true; +} + +function faceAiEscapeHtml(value) { + return String(value || "") + .replace(/&/g, "&") + .replace(//g, ">") + .replace(/"/g, """) + .replace(/'/g, "'"); +} + +function getFaceAiErrorState() { + if (typeof URLSearchParams === "undefined") { + return null; + } + + var params = new URLSearchParams(window.location.search || ""); + if (params.get("faceaiError") !== "1") { + return null; + } + + return { + title: params.get("faceaiErrorTitle") || "Face ID non disponibile", + message: params.get("faceaiErrorMessage") || "Il servizio Face ID non e al momento disponibile. Riprova piu tardi." + }; +} + +function clearFaceAiErrorState() { + if (!window.history || !window.history.replaceState || typeof URL === "undefined") { + return; + } + + var cleanUrl = new URL(window.location.href); + cleanUrl.searchParams.delete("faceaiError"); + cleanUrl.searchParams.delete("faceaiErrorTitle"); + cleanUrl.searchParams.delete("faceaiErrorMessage"); + window.history.replaceState({}, document.title, cleanUrl.pathname + cleanUrl.search + cleanUrl.hash); +} + +function showFaceAiErrorModal(title, message) { + var modal = $("#faceAiErrorModal"); + + if (!modal.length) { + $("body").append(''); + modal = $("#faceAiErrorModal"); + } + + $("#faceAiErrorModalLabel").html(faceAiEscapeHtml(title)); + $("#faceAiErrorModalMessage").html(faceAiEscapeHtml(message)); + modal.modal("show"); +} + +function initFaceAiErrorModal() { + var errorState = getFaceAiErrorState(); + if (!errorState) { + return; + } + + showFaceAiErrorModal(errorState.title, errorState.message); + clearFaceAiErrorState(); +} + function buildFaceAiLaunchUrl() { var raceId = $("#id_gara").val() || ""; var raceSlug = $("#garaDesc").val() || ""; @@ -153,7 +226,7 @@ function launchFaceAi() { function initFaceAiRaceSearchButton() { var select = $("#tipoPuntoFoto"); - if (!select.length || $("#faceaiLaunchButton").length) { + if (!select.length || $("#faceaiLaunchButton").length || !faceAiFeatureEnabled()) { return; } @@ -377,6 +450,7 @@ function goPage() $(function() { initFaceAiRaceSearchButton(); + initFaceAiErrorModal(); }); diff --git a/www/faceai_config.php b/www/faceai_config.php index c5ad0f98..5c01cea3 100644 --- a/www/faceai_config.php +++ b/www/faceai_config.php @@ -6,6 +6,69 @@ function faceai_env($key, $default = null) return $value === false ? $default : $value; } +function faceai_env_flag($key, $default = false) +{ + $value = strtolower(trim((string) faceai_env($key, $default ? '1' : '0'))); + return in_array($value, array('1', 'true', 'yes', 'on'), true); +} + +function faceai_request_host() +{ + if (empty($_SERVER['HTTP_HOST'])) { + return ''; + } + + return strtolower(trim((string) $_SERVER['HTTP_HOST'])); +} + +function faceai_is_local_host($host) +{ + $normalized = strtolower(trim((string) $host)); + if ($normalized === '') { + return false; + } + + $withoutPort = preg_replace('/:\d+$/', '', $normalized); + return in_array($withoutPort, array('localhost', '127.0.0.1', '::1'), true); +} + +function faceai_request_targets_local_frontend() +{ + if (faceai_is_local_host(faceai_request_host())) { + return true; + } + + $returnUrl = faceai_request_value('returnUrl'); + if ($returnUrl === '') { + return false; + } + + $host = parse_url($returnUrl, PHP_URL_HOST); + if (!is_string($host) || $host === '') { + return false; + } + + return faceai_is_local_host($host); +} + +function faceai_default_frontend_url() +{ + if (faceai_request_targets_local_frontend()) { + return 'http://localhost:3001'; + } + + return 'https://ai.regalamiunsorriso.it'; +} + +function faceai_default_backend_internal_url() +{ + if (faceai_is_local_host(faceai_request_host())) { + return 'http://localhost:3001'; + } + + return 'https://ai.regalamiunsorriso.it'; +} + function faceai_config() { static $config = null; @@ -15,10 +78,11 @@ function faceai_config() } $config = array( - 'frontend_url' => rtrim(faceai_env('FACEAI_FRONTEND_URL', 'http://localhost:5173'), '/'), - 'backend_internal_url' => rtrim(faceai_env('FACEAI_BACKEND_INTERNAL_URL', 'http://localhost:3001'), '/'), + 'feature_enabled' => faceai_env_flag('FACEAI_FEATURE_ENABLED', false), + 'frontend_url' => rtrim(faceai_env('FACEAI_FRONTEND_URL', faceai_default_frontend_url()), '/'), + 'backend_internal_url' => rtrim(faceai_env('FACEAI_BACKEND_INTERNAL_URL', faceai_default_backend_internal_url()), '/'), 'shared_secret' => (string) faceai_env('FACEAI_SHARED_SECRET', 'change-me'), - 'allow_dev_handoff' => faceai_env('FACEAI_ALLOW_DEV_HANDOFF', '1') === '1', + 'allow_dev_handoff' => faceai_env_flag('FACEAI_ALLOW_DEV_HANDOFF', true), 'identity_cookie' => (string) faceai_env('FACEAI_IDENTITY_COOKIE', 'rus_faceai_identity'), 'return_forward_url' => rtrim((string) faceai_env('FACEAI_RETURN_FORWARD_URL', ''), '/') ); @@ -80,6 +144,22 @@ function faceai_build_url($baseUrl, array $params) return $baseUrl . (strpos($baseUrl, '?') === false ? '?' : '&') . http_build_query($params); } +function faceai_redirect_with_error($returnUrl, $message, $title = 'Face ID non disponibile') +{ + if (is_string($returnUrl) && trim($returnUrl) !== '') { + header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0'); + header('Pragma: no-cache'); + header('Location: ' . faceai_build_url($returnUrl, array( + 'faceaiError' => '1', + 'faceaiErrorTitle' => $title, + 'faceaiErrorMessage' => $message + )), true, 302); + exit; + } + + faceai_render_message_page($title, $message, array(), 503); +} + function faceai_request_value($key, $default = '') { if (!isset($_GET[$key])) { diff --git a/www/faceai_handoff.php b/www/faceai_handoff.php index 73cbe10e..8d6231e8 100644 --- a/www/faceai_handoff.php +++ b/www/faceai_handoff.php @@ -11,6 +11,10 @@ try { $lang = faceai_request_value('lang', 'it'); $returnUrl = faceai_request_value('returnUrl'); + if (empty($config['feature_enabled'])) { + faceai_redirect_with_error($returnUrl, 'La ricerca Face ID non e ancora disponibile.'); + } + if ($raceId === '' || $returnUrl === '') { faceai_render_message_page( 'FaceAI handoff non disponibile', @@ -25,25 +29,11 @@ try { $identity = faceai_resolve_identity($config); if ($identity === null) { - faceai_render_message_page( - 'FaceAI handoff in attesa del bridge legacy', - 'Questo endpoint PHP non puo leggere la sessione Java esistente. Per funzionare in produzione deve ricevere una identita firmata dal layer legacy o dal reverse proxy.', - array( - 'Opzione consigliata: cookie firmato ' . $config['identity_cookie'] . ' con payload type=legacy-identity.', - 'Per test locale e possibile passare devUserId, devDisplayName, devEmail e devMembershipStatus se FACEAI_ALLOW_DEV_HANDOFF=1.', - 'Esempio locale: faceai_handoff.php?raceId=101&raceSlug=mezza-di-firenze&lang=it&returnUrl=http%3A%2F%2Flocalhost%2Fold&devUserId=1&devDisplayName=Mario%20Rossi&devEmail=mario%40example.test&devMembershipStatus=active' - ), - 501 - ); + faceai_redirect_with_error($returnUrl, 'Il servizio Face ID non e al momento disponibile. Riprova piu tardi.'); } if (($identity['membershipStatus'] ?? 'inactive') !== 'active') { - faceai_render_message_page( - 'FaceAI non disponibile', - 'L utente corrente non risulta abilitato all uso di FaceAI in base allo stato di membership.', - array('Stato attuale: ' . ($identity['membershipStatus'] ?? 'unknown')), - 403 - ); + faceai_redirect_with_error($returnUrl, 'Il tuo account non e abilitato all uso di Face ID.'); } $payload = array( @@ -72,5 +62,5 @@ try { header('Location: ' . $targetUrl, true, 302); exit; } catch (Throwable $error) { - faceai_render_message_page('Errore handoff FaceAI', $error->getMessage(), array(), 500); + faceai_redirect_with_error(isset($returnUrl) ? $returnUrl : '', 'Il servizio Face ID non e al momento disponibile. Riprova piu tardi.'); } diff --git a/www/faceai_simulator_view.php b/www/faceai_simulator_view.php index 8ebccf3d..473de53d 100644 --- a/www/faceai_simulator_view.php +++ b/www/faceai_simulator_view.php @@ -166,6 +166,7 @@ function faceai_sim_render_page(array $options) + +