For Agents

Living index of themes for the FaceKom KYC platform (vuer_oss / vuer_css / vuer_cv). Each H2 is a topic; bullets are wikilinks to related notes. Updated by obsidian-documenter when documenting work. Read by historian at bootstrap. Topics kept alphabetical.

Build / probe-build workflow (UBI10)

  • FKITDEV-8252 — podman + libkrun on macOS Apple Silicon for emulated linux/amd64 builds; needs 8 GiB RAM minimum (4 GiB OOMs on gcc-c++ family installs), 6 CPUs sufficient; iteration counts as complexity proxy (portal_css 3, vuer_css 3, vuer_oss 5, janus 7, vuer_cv 7); subagent Bash allowlist is more restrictive than main-session shell — plan Phase B with this in mind

Container migration / UBI10

  • FKITDEV-8252 — fleet-wide UBI8/UBI9 → UBI10 migration ahead of RHEL 9 EOL; Phase A.6.1 DONE (all 5 base images probe-build green; 2 new commits f38c8e2 + b984006; branch 17 ahead of origin/main, not pushed); Phase A.6.2 (remaining 3 base/* likely under common/*), Phase B (vuer-release 62 Dockerfiles), Phase C (vuer_docker PR #203) still open; vuer_cv now in-scope (5.93 GB UBI10 base added)

Crypto policy / GPG SHA1

  • FKITDEV-8252 — decision revised: original per-key rpmkeys --import --allow-sha1-signatures plan did not survive UBI10 reality (flag disappears after microdnf -y update strips it from rpm-libs; DEFAULT:SHA1 sub-policy doesn’t exist — no SHA1.pmod ships); now using update-crypto-policies --set LEGACY in all 7 SHA1-key-importing build stages across portal_css, vuer_css, vuer_oss, janus (×2), vuer_cv; order matters: install crypto-policies-scripts from UBI10 BaseOS BEFORE COPY-ing the CentOS Stream 10 repo

CSP / log noise

  • ASSICASH-71 — InstaCash CSS log noise: WebServer.js setupCSPReportViolation() writes every report unthrottled; amplifies any hosts.portal / portal.url config drift

Customization branches

  • ASSICASH-71 — customization/instacash (Express 4, HEAD b0a4a37a, deployed) vs devel (Express 5, PR 689 fixes); next core sync needs to carry route-array fix
  • FKITDEV-8787 — customization/raiffeisen overrides on SelfServiceRoomService.js and SelfServiceV2Service.js; PRDEBUG instrumentation gated by raiffeisen.debug.phantomRoomLog
  • FKITDEV-8533 — customization/generali-atvilagitas is the base branch for the Generali videoOrientExt tablet fix (PR #7893)

Device detection

  • FKITDEV-8533 — server-side UA parsing cannot detect a modern iPad: iPadOS 13+ Safari sends a Macintosh desktop UA, ua-parser-js v1 returns device.type === undefined; customer.isTablet() (device.type === 'tablet') is a strict logical subset of customer.isMobile() ('mobile' OR 'tablet') so it adds no detection power; customer.userAgent is the only client signal the server has (no Sec-CH-UA hints); reliable detection = client-side navigator.maxTouchPoints > 1 && /Macintosh/.test(navigator.userAgent)

Face comparison

  • face-comparison-different-face-db-query — face-comparison results are persisted: faceComparisons table (server/db/model/faceComparison.js:18-37) stores status ∈ {created,failed,success} + euclideanDistance (FLOAT nullable, actually cosine distance 0–2 despite the name); euclideanDistance written unconditionally by FaceRecognitionService.createFaceComparisonModel() regardless of threshold; different_face is not stored — it’s the CHECK_FAILURE read-time verdict from SelfServiceCheckerService.getFaceComparisonResult() (:132-153) when distance exceeds all thresholds; thresholds resolve per-room (selfService:v2:config:state activity log) → global Setting key faceComparison → code default probable:0.6; 4 call sites — liveness-V2 (SelfServiceV2Service.js:1390) gated by task.options.recognitionOptions.compareFaceWith (base V2 proto doesn’t set it), portrait/ID-doc (server/flow/FlowService.js:2943), videochat-close hook, V1; faceComparisons has no step column — portrait vs liveness only via joined FaceRecognition.imageCategory; queryable with one read-only SQL, no release

Express 5 migration

  • ASSICASH-71 — PR #666 (closed unmerged) → PR #670 (merged) for _router → router and /password-recovery/:token?/:lang? array rewrite; PR #689 follow-up

InstaCash

  • ASSICASH-71 — PROD vuer_css local.json portal.url UAT misconfig (FKITSYS-9486 fix 2026-01-06); pending log-volume confirmation; portal_css hosts.portal parallel risk

Oracle Instant Client

  • FKITDEV-8252 — Oracle has not published OL10 yum repos (404 across yum.oracle.com/repo/OracleLinux/OL10/); decision to use OL9 .el9 instantclient RPMs on UBI10 base for kh and bb partner Dockerfiles (Option 1 ship-it); memo at /Users/levander/coding/facekom/FKITDEV-8252-oracle-ol10-memo.md awaiting Bence sign-off and partner-contract escalation

Package renames / repo drift (UBI10)

  • FKITDEV-8252 — already-applied renames: pcre-devel→pcre2-devel, zlib-devel→zlib-ng-compat-devel, redis→valkey (with compat symlinks), coturn .el8 pin dropped → plain EPEL10 4.10.0-1.el10_3, rabbitmq /el/10/ empty → fallback /el/9/ 3.13.7 .el8.noarch, shadow-utils for groupadd/useradd, x86_64→$basearch in OL10 repos; A.6.1 additions: libopus→opus/opus-devel, libmicrohttpd lives in EPEL10 not BaseOS, gzip missing from UBI10 minimal, GitHub archive URL strips v prefix (cd ${VAR#v}), git-lfs install --system must run before clone; on-probe-build watchlist for Phase B: ffmpeg-devel, libogg-devel, libconfig-devel, gtk-doc, jansson-devel, pkgconf, gengetopt, libsrtp2

Phantom room

  • FKITDEV-8787 — Raiffeisen Myra mobile self-service rooms with vestigial duplicates; SDK-local Already authorized / Already has some kind of room guards; OSS V2 SelfServiceV2Service.start() silently resumes any non-closed room; partial-unique-index gap

portal_css

  • portal_css — slim portal sister of vuer_css: registration, login, SCA, password recovery, JWT handoff (no Janus, no waiting-room)
  • ASSICASH-71 — hosts.portal config feeds CSP connect-src and PortalService.js:48 password-recovery email URL; empty default is a silent foot-gun

Raiffeisen

  • FKITDEV-8787 — Myra mobile KYC; customization/raiffeisen overrides; resolveExternalToken() reuses customer.id per offerId (mechanism for the vestigial room, "csökevény szoba"); flow handler myra-self-service-v2-phase-1; m3szi owns prior fix (FKITDEV-7667 / SLARAFIPI-53)

Self-service v2

  • FKITDEV-8787 — SelfServiceV2Service.start() silently resumes; _findOpenRoomForCustomer race; status enum ['waiting','incall','left','closed','deleted','archived'] — only last three treated as not-open; V1 throw at SelfServiceRoomService.js:217 swallowed by SelfServiceActions.js:27-34

Validation / log analysis

  • ASSICASH-71 — 2026-05-18 validation: PROD + 2 UAT log pulls (~1.1M lines total) confirm CSP-channel flood is gone; FKITSYS-9486 holding (0 ohp-uat.mbhbank.hu refs in PROD); both UATs silent for 12-19 months; status moved to validated

vuer_cv

  • FKITDEV-8252 — in scope for FKITDEV-8252 (Q3 resolved by execution); new base/vuer_cv/Dockerfile UBI10 base, probe-builds green at 5.93 GB (iter 7); needs EPEL10 for libmicrohttpd, git-lfs install --system before clone, ENV_VERSION=8 matching config/docker.json requiredEnvVersion; size-reduction (multi-stage drop of git-lfs/gcc-c++/python3-devel) flagged as follow-up; cleanup microdnf remove --allowerasing cascade through git-core deps worth a sanity audit

WebRTC / video orientation

  • FKITDEV-8533 — videoOrientExt (the urn:3gpp:video-orientation RTP header extension) lets the receiver correct rotated video; gated off for Safari/mobile by !(isSafari() || isMobile()) at 4 sites — server/cv/VuerCVListenerSession.js, server/socket/events/videochat.js, server/transport/session/RoomTransportSession.js, server/transport/session/SelfServiceTransportSession.js (keep in sync); enabling it for iPads is the intended fix for rotated WebRTC screenshots/recordings (Generali)