From 18ca23636d99483006992fefb16bddcfa201c087 Mon Sep 17 00:00:00 2001 From: Vishnu Satis Date: Sat, 10 Jan 2026 20:36:06 +0530 Subject: [PATCH 1/8] Update gold_image_request.py --- .../gold_module/models/gold_image_request.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/wavefront/server/modules/gold_module/gold_module/models/gold_image_request.py b/wavefront/server/modules/gold_module/gold_module/models/gold_image_request.py index ef8d8305..6f63ff26 100644 --- a/wavefront/server/modules/gold_module/gold_module/models/gold_image_request.py +++ b/wavefront/server/modules/gold_module/gold_module/models/gold_image_request.py @@ -41,11 +41,11 @@ class ImageMetadata(BaseModel): items: List[Item] = None - metadata_1: str = None - metadata_2: str = None - metadata_3: str = None - metadata_4: str = None - metadata_5: str = None + metadata_1: dict = None + metadata_2: dict = None + metadata_3: dict = None + metadata_4: dict = None + metadata_5: dict = None filter_1: str = None filter_2: str = None From 648497c9fb7fa957f6e94ee6889578e720a495d1 Mon Sep 17 00:00:00 2001 From: vizsatiz Date: Sat, 10 Jan 2026 22:43:12 +0530 Subject: [PATCH 2/8] Adding more logs tp debug auth --- .../authorization/require_auth.py | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/wavefront/server/modules/user_management_module/user_management_module/authorization/require_auth.py b/wavefront/server/modules/user_management_module/user_management_module/authorization/require_auth.py index 969046bc..4a1d8b57 100644 --- a/wavefront/server/modules/user_management_module/user_management_module/authorization/require_auth.py +++ b/wavefront/server/modules/user_management_module/user_management_module/authorization/require_auth.py 
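Review bot: The new `metadata_1: dict = None` annotations (and the four fields below them) declare a non-optional `dict` with a `None` default, so nullability is only implicit; depending on the pydantic version in use (v2 no longer infers `Optional` from a `None` default) the default is accepted unvalidated while an explicit `null` in the payload is rejected, and the bare `dict` says nothing about what keys or values are accepted. Prefer `metadata_1: Optional[Dict[str, Any]] = None`, matching the `List[Item]` style already used in this class, with the names imported from `typing`, so the request schema states what is allowed. These fields are inside `class ImageMetadata`, whose definition starts and ends outside the hunk.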
@@ -271,7 +271,7 @@ async def validate_mtls_auth(request: Request) -> bool: principal = match.group(1) if not principal.startswith( 'spiffe://cluster.local/ns/client-applications' - ): + ) and not principal.startswith('spiffe://cluster.local/ns/gpu-processing'): logger.error(f'Invalid mTLS authentication. Principal: {principal}') return False @@ -418,9 +418,21 @@ async def dispatch( return await call_next(request) # Check for mTLS authentication if no token is present - if request.headers.get('X-Forwarded-Client-Cert'): + mtls_header = request.headers.get('X-Forwarded-Client-Cert') + if mtls_header: + logger.info(f'mTLS authentication by {mtls_header}') if await validate_mtls_auth(request): return await call_next(request) + else: + logger.error( + f'Invalid mTLS authentication for {request.url.path}' + ) + return JSONResponse( + status_code=status.HTTP_403_FORBIDDEN, + content=response_formatter.buildErrorResponse( + error='Invalid mTLS authentication' + ), + ) if not token: request_id = getattr( From 14fefbfcaa6faf30f1e9e309dd005cae5ebe3067 Mon Sep 17 00:00:00 2001 From: vizsatiz Date: Sat, 10 Jan 2026 23:19:51 +0530 Subject: [PATCH 3/8] Adding spiffe case --- .../authorization/require_auth.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/wavefront/server/modules/user_management_module/user_management_module/authorization/require_auth.py b/wavefront/server/modules/user_management_module/user_management_module/authorization/require_auth.py index 4a1d8b57..df229af1 100644 --- a/wavefront/server/modules/user_management_module/user_management_module/authorization/require_auth.py +++ b/wavefront/server/modules/user_management_module/user_management_module/authorization/require_auth.py 
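Review bot: The namespace allow-check in `validate_mtls_auth` is a bare prefix match, and the newly added `principal.startswith('spiffe://cluster.local/ns/gpu-processing')` (like the existing `client-applications` branch) also accepts any namespace whose name merely begins with that string, e.g. a hypothetical `gpu-processing-dev`. Close each prefix with the trailing `/` that separates the namespace from the `sa/` segment so the namespace must match exactly, and keep the list in one place: `ALLOWED_SPIFFE_PREFIXES = ('spiffe://cluster.local/ns/client-applications/', 'spiffe://cluster.local/ns/gpu-processing/')` followed by `if not principal.startswith(ALLOWED_SPIFFE_PREFIXES):`. The function continues outside the hunk.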
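Review bot: `logger.info(f'mTLS authentication by {mtls_header}')` writes the raw `X-Forwarded-Client-Cert` value into the application log at INFO on every mTLS request; that header carries the peer certificate hash and subject and, depending on proxy configuration, the full encoded certificate chain, which bloats logs and spreads identity material beyond the auth path. Log only that the header is present at DEBUG, e.g. `logger.debug('mTLS header present for %s', request.url.path)`, and let `validate_mtls_auth` report the principal it actually resolved. The `else:` after `return await call_next(request)` is also unnecessary; the 403 response can be the fall-through. `dispatch` continues outside the hunk.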
@@ -264,11 +264,15 @@ async def validate_mtls_auth(request: Request) -> bool: if not xfcc: return False - # Extract SPIFFE ID from URI field - # Format: Hash=...;URI=spiffe://...;... + # Extract SPIFFE ID from URI field or use the whole header if it's a SPIFFE ID + principal = None match = re.search(r'URI=(spiffe://[^;,]+)', xfcc) if match: principal = match.group(1) + elif xfcc.startswith('spiffe://'): + principal = xfcc + + if principal: if not principal.startswith( 'spiffe://cluster.local/ns/client-applications' ) and not principal.startswith('spiffe://cluster.local/ns/gpu-processing'): @@ -290,7 +294,7 @@ async def validate_mtls_auth(request: Request) -> bool: request_id = getattr(request.state, 'request_id', get_current_request_id()) logger.warning( - f'mTLS header present but no valid URI found: {xfcc} [Request ID: {request_id}]' + f'mTLS header present but no valid principal found: {xfcc} [Request ID: {request_id}]' ) return False From 940473284b452ce7b98667e8dfdd1350ed7bf627 Mon Sep 17 00:00:00 2001 From: vizsatiz Date: Sun, 11 Jan 2026 01:22:18 +0530 Subject: [PATCH 4/8] Ignoring mtls if token is present --- .../user_management_module/authorization/require_auth.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wavefront/server/modules/user_management_module/user_management_module/authorization/require_auth.py b/wavefront/server/modules/user_management_module/user_management_module/authorization/require_auth.py index df229af1..4cefcca0 100644 --- a/wavefront/server/modules/user_management_module/user_management_module/authorization/require_auth.py +++ b/wavefront/server/modules/user_management_module/user_management_module/authorization/require_auth.py 
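Review bot: The new `elif xfcc.startswith('spiffe://')` branch treats the entire `X-Forwarded-Client-Cert` value as the authenticated principal whenever it is a bare SPIFFE URI, but the proxy-generated form of that header is the `Key=Value;...` list the removed comment documented (`Hash=...;URI=spiffe://...;...`) and that the `URI=` regex expects, so a bare value is not what a sidecar derives from a verified certificate. Whether accepting it is safe therefore rests entirely on every ingress hop overwriting or stripping a client-supplied `X-Forwarded-Client-Cert`; if some component is known to set a bare SPIFFE ID, record that next to the branch, `# A bare 'spiffe://...' value is set by <component>; client-supplied values must be sanitized upstream`, otherwise drop the branch so only the `URI=` form is accepted. The checks after `if principal:` continue outside the hunk.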
@@ -423,7 +423,7 @@ async def dispatch( # Check for mTLS authentication if no token is present mtls_header = request.headers.get('X-Forwarded-Client-Cert') - if mtls_header: + if mtls_header and not token: logger.info(f'mTLS authentication by {mtls_header}') if await validate_mtls_auth(request): return await call_next(request) From 864ad1475f8228cf9fd9af1a2d2ffed498c7efb1 Mon Sep 17 00:00:00 2001 From: vizsatiz Date: Tue, 13 Jan 2026 20:10:40 +0530 Subject: [PATCH 5/8] fix for container isolation --- wavefront/server/docker/floware.Dockerfile | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/wavefront/server/docker/floware.Dockerfile b/wavefront/server/docker/floware.Dockerfile index 1aeacb5d..a47141e5 100644 --- a/wavefront/server/docker/floware.Dockerfile +++ b/wavefront/server/docker/floware.Dockerfile @@ -39,6 +39,12 @@ COPY wavefront/server/apps/floware /app/apps/floware RUN uv sync --package floware --frozen --no-dev +# Create a non-root user and change ownership of the /app directory +RUN useradd -m -u 1000 floware && \ + chown -R floware:floware /app + +USER floware + WORKDIR /app/apps/floware/floware CMD ["uv", "run", "server.py"] From 7d141b296ad1fb26b17ded4de3fa674d37b8a482 Mon Sep 17 00:00:00 2001 From: vizsatiz Date: Thu, 15 Jan 2026 12:38:06 +0530 Subject: [PATCH 6/8] fix to consider authorization over hmac --- .../user_management_module/authorization/require_auth.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/wavefront/server/modules/user_management_module/user_management_module/authorization/require_auth.py b/wavefront/server/modules/user_management_module/user_management_module/authorization/require_auth.py index 4cefcca0..d37b30bd 100644 --- a/wavefront/server/modules/user_management_module/user_management_module/authorization/require_auth.py +++ b/wavefront/server/modules/user_management_module/user_management_module/authorization/require_auth.py 
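Review bot: `if mtls_header and not token:` makes a Bearer token win whenever both credentials are present, so a caller with a valid mTLS identity and a stale or malformed token is now judged on the token alone; the comment above the hunk (`# Check for mTLS authentication if no token is present`) should state that precedence explicitly so it is not loosened later, e.g. `# Precedence: a Bearer token, if sent, is authoritative; mTLS identity is consulted only when no token is present.` Note that `token` comes from `authorization.split(' ')[1]` (outside this hunk), so an `Authorization: Bearer ` header with nothing after the scheme yields an empty string and is treated here as "no token", falling back to mTLS rather than being rejected as malformed. `dispatch` continues on both sides of the hunk.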
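Review bot: `chown -R floware:floware /app` hands the whole application tree, including the synced virtualenv and sources, to the account the service runs as, so a compromised process can rewrite its own code; the least-privilege layout keeps `/app` root-owned and world-readable and chowns only the directories the app must write, and none are identified in the hunk — confirm whether `server.py` writes under `/app` at all. `chown -R` after `RUN uv sync` also duplicates that layer in the image; if ownership is really needed, prefer `COPY --chown=floware:floware` on the earlier `COPY` lines. `useradd -u 1000` fails the build on a base image that already has uid 1000, so consider `useradd --system --no-create-home floware` unless a home directory is required.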
@@ -335,8 +335,9 @@ async def dispatch( if request.method == 'OPTIONS': return await call_next(request) + authorization = request.headers.get('Authorization') # Check if this endpoint requires HMAC validation (skip JWT validation then) - if request.url.path in required_hmac_apis: + if request.url.path in required_hmac_apis and not authorization: if not await validate_hmac_signature(request, auth_secrets_repository): request_id = getattr( request.state, 'request_id', get_current_request_id() @@ -367,9 +368,8 @@ async def dispatch( 'Invalid service authentication' ), ) - else: # Do the JWT validation or passthrough - authorization = request.headers.get('Authorization') - + else: + # Normal auth token flow token = None if authorization and authorization.startswith('Bearer '): token = authorization.split(' ')[1] From 6b6b266e98d78b6a90ac2c9ae47a93ae8f78c765 Mon Sep 17 00:00:00 2001 From: vizsatiz Date: Sat, 17 Jan 2026 17:49:16 +0530 Subject: [PATCH 7/8] Fixing singleton issue in inference module --- .../inference_app/inference_app/inference_app_container.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/wavefront/server/apps/inference_app/inference_app/inference_app_container.py b/wavefront/server/apps/inference_app/inference_app/inference_app_container.py index c7eb3055..8666dcbe 100644 --- a/wavefront/server/apps/inference_app/inference_app/inference_app_container.py +++ b/wavefront/server/apps/inference_app/inference_app/inference_app_container.py @@ -20,12 +20,12 @@ class InferenceAppContainer(containers.DeclarativeContainer): cloud_storage_manager=cloud_storage_manager, ) - model_inference = providers.Factory(ModelInferenceService) + model_inference = providers.Singleton(ModelInferenceService) - image_analyser = providers.Factory( + image_analyser = providers.Singleton( ImageClarityService, ) - image_embedding = providers.Factory( + image_embedding = providers.Singleton( ImageEmbedding, ) 
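Review bot: `if request.url.path in required_hmac_apis and not authorization:` waives the HMAC requirement on the mere presence of an `Authorization` header, before anything about it has been verified, so an HMAC-protected endpoint can now be reached with any non-empty `Authorization` value, and when the value is not `Bearer ...` the request lands in the token flow of the second hunk with `token = None`. Whether that still ends in a rejection depends on the `if not token:` handling outside the hunk (the removed comment called it "JWT validation or passthrough"), so the waiver should at least be tied to a well-formed Bearer credential, `if request.url.path in required_hmac_apis and not (authorization and authorization.startswith('Bearer ')):`, and the HMAC paths should be checked against whatever passthrough list that later code consults. The same point applies to the second hunk of this patch, which only relocates the `authorization` lookup. `dispatch` continues outside both hunks.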
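Review bot: Switching `model_inference`, `image_analyser` and `image_embedding` from `providers.Factory` to `providers.Singleton` means one instance of each service is shared by every concurrent request, so any per-request mutable state inside `ModelInferenceService`, `ImageClarityService` or `ImageEmbedding` becomes shared state; nothing in the hunk shows whether those classes are stateless, so confirm that before relying on this. If the app serves requests from multiple threads, `providers.ThreadSafeSingleton` guards the first construction against duplicate instantiation, which is presumably the "singleton issue" the title refers to. A comment on the first provider, `# Singleton: models are loaded once and shared; services must hold no per-request state`, would record the constraint. `InferenceAppContainer` continues outside the hunk.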
From 3a0b0155ffc1f2775afe8c8cb99973f94f95819c Mon Sep 17 00:00:00 2001 From: vizsatiz Date: Sun, 18 Jan 2026 23:04:29 +0530 Subject: [PATCH 8/8] fix for adding validation for stone weight, net weight & gross weight --- .../gold_module/models/gold_image_request.py | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/wavefront/server/modules/gold_module/gold_module/models/gold_image_request.py b/wavefront/server/modules/gold_module/gold_module/models/gold_image_request.py index 6f63ff26..8d43711a 100644 --- a/wavefront/server/modules/gold_module/gold_module/models/gold_image_request.py +++ b/wavefront/server/modules/gold_module/gold_module/models/gold_image_request.py @@ -28,14 +28,14 @@ class ImageMetadata(BaseModel): item_id: str = None # Unique indentifier for gold image timestamp: datetime = None - loan_date: datetime = None + loan_date: datetime gold_loan_category: str = None loan_tenure: int = None loan_amount: float = None - gross_weight: float = None - stone_weight: float = None - net_weight: float = None + gross_weight: float + stone_weight: float + net_weight: float jewellery_items_count: int = None gold_purity: float = None @@ -85,6 +85,4 @@ def to_str_recursive(val): class ImageAnalysisRequest(BaseModel): image: str # data URL (base64 with MIME) or direct URL - metadata: ImageMetadata = ( - ImageMetadata() - ) # Ensure metadata is always an ImageMetadata instance + metadata: ImageMetadata
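Review bot: Dropping the `= None` defaults on `loan_date`, `gross_weight`, `stone_weight` and `net_weight` makes them required but adds no value validation: negative or zero weights still pass, as does a `stone_weight` larger than `gross_weight` if the domain forbids that, which is presumably what the title's "validation" is after. Use pydantic constraints for the ranges, `gross_weight: float = Field(..., ge=0)` (likewise for the other two, importing `Field` from `pydantic`), and express any relation between the three weights in a model validator rather than leaving it to callers. The `metadata: ImageMetadata` change in the second hunk correctly removes the shared default instance. `class ImageMetadata` starts and ends outside the hunk.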