MicroClub-USTHB · Tyjfre-j · May 26, 2026 · Mar 20, 2026 · Mar 20, 2026 · Mar 20, 2026
diff --git a/.env.example b/.env.example
@@ -41,6 +41,6 @@ totp_issuer=MultiAI
 
 GOOGLE_CLIENT_ID=
 GOOGLE_CLIENT_SECRET=
-GOOGLE_REDIRECT_URI=http://localhost:8000/staff/drive/callback
+GOOGLE_REDIRECT_URI=http://127.0.0.1:8000/stuff/drive/callback
 GOOGLE_OAUTH_SCOPES=https://www.googleapis.com/auth/drive.readonly openid email profile
 FACE_ENCRYPTION_KEY=hkbribvfirirbvivbibvib
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -38,22 +38,12 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Extract metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          tags: |
-            type=raw,value=latest
-            type=sha,prefix=
-
       - name: Build and push
         uses: docker/build-push-action@v5
         with:
           context: .
           push: true
           platforms: linux/amd64,linux/arm64
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          tags: |
+            ${{ env.IMAGE_NAME }}:latest
+            ${{ env.IMAGE_NAME }}:${{ github.sha }}
diff --git a/.gitignore b/.gitignore
@@ -7,3 +7,5 @@ db/schema.sql
 multiai-c9380-firebase-adminsdk-fbsvc-cb6e5ce41b.json
 db.txt
 
+.venv
+multiai-c9380-firebase-adminsdk-fbsvc-cb6e5ce41b.json
diff --git a/Dockerfile b/Dockerfile
@@ -4,7 +4,7 @@ FROM python:3.12-slim
 # Install PostgreSQL client libraries and build tools
 RUN apt-get update \
 	&& apt-get install -y --no-install-recommends libpq-dev build-essential \
-		libglib2.0-0 libgfortran5 \
+		libglib2.0-0 libgfortran5 libgl1 libxext6 libsm6 libxrender1 libxcb1 \
 	&& rm -rf /var/lib/apt/lists/*
 
 ENV PYTHONDONTWRITEBYTECODE=1

diff --git a/README.md b/README.md
@@ -1 +1,11 @@
-s7a 3idkom
+# multAI Backend
+
+Project run instructions are documented here:
+
+- [Run Modes Guide](docs/RUN_MODES.md)
+
+Use the guide to choose the right workflow:
+
+- Backend Dev Mode (hot reload on host)
+- Staging Mode (shared image-based containers)
+- Backend Staging-Check Mode (local code in staging-like containers)
diff --git a/app/container.py b/app/container.py
@@ -13,15 +13,21 @@
 from app.service.staff_user import StaffUserService
 
 from app.service.audit import AuditService
+from app.service.photo_approval import PhotoApprovalService
+from app.service.user_photo import UserPhotoService
 from app.service.upload_requests import UploadRequestsService
 from app.service.users import AuthService
 from app.service.user_notification import UserNotificationService
 from db.generated import devices as device_queries
+from db.generated import photo_approvals as photo_approval_queries
+from db.generated import processing_jobs as processing_job_queries
+from db.generated import photo_faces as photo_face_queries
 from db.generated import photos as photo_queries
 from db.generated import session as session_queries
 from db.generated import staff_drive_connections as staff_drive_queries
 from db.generated import staff_notifications as staff_notification_queries
 from db.generated import stuff_user as staff_user_queries
+from db.generated import upload_request_groups as upload_request_group_queries
 from db.generated import upload_request_photos as upload_request_photo_queries
 from db.generated import upload_requests as upload_request_queries
 from db.generated import user as user_queries
@@ -51,9 +57,13 @@ def __init__(
         self.device_querier = device_queries.AsyncQuerier(conn)
         self.staff_user_querier = staff_user_queries.AsyncQuerier(conn)
         self.staff_drive_querier = staff_drive_queries.AsyncQuerier(conn)
+        self.upload_request_group_querier = upload_request_group_queries.AsyncQuerier(conn)
         self.upload_request_querier = upload_request_queries.AsyncQuerier(conn)
         self.upload_request_photo_querier = upload_request_photo_queries.AsyncQuerier(conn)
         self.photo_querier = photo_queries.AsyncQuerier(conn)
+        self.photo_approval_querier = photo_approval_queries.AsyncQuerier(conn)
+        self.photo_face_querier = photo_face_queries.AsyncQuerier(conn)
+        self.processing_job_querier = processing_job_queries.AsyncQuerier(conn)
         self.staff_notification_querier = staff_notification_queries.AsyncQuerier(conn)
         self.notification_querier = notification_queries.AsyncQuerier(conn)
         self.audit_querier = audit_queries.AsyncQuerier(conn)
@@ -93,29 +103,31 @@ def __init__(
         )
         self.staged_upload_storage_service = StagedUploadStorageService()
 
+        self.audit_service = AuditService(
+            audit_querier=self.audit_querier,
+            user_querier=self.user_querier,
+        )
+
         self.upload_requests_service = UploadRequestsService(
+            upload_request_group_querier=self.upload_request_group_querier,
             upload_request_querier=self.upload_request_querier,
             upload_request_photo_querier=self.upload_request_photo_querier,
             photo_querier=self.photo_querier,
             staged_upload_storage=self.staged_upload_storage_service,
             staff_drive_service=self.staff_drive_service,
             staff_notifications_service=self.staff_notifications_service,
+            audit_service=self.audit_service,
         )
 
         notification_queue = NotificationQueue(settings=NotifSetting)
 
         self.user_notifications_service = UserNotificationService(
             notification_querier=self.notification_querier,
             notification_queue=notification_queue,
-        )
-
-        self.audit_service = AuditService(
-            audit_querier=self.audit_querier,
-            user_querier=self.user_querier,
+            device_querier=self.device_querier,
         )
 
         self.staff_user_service = StaffUserService()
-
         self.staff_user_service.init(
             staff_user_querier=self.staff_user_querier,)
 
@@ -124,6 +136,20 @@ def __init__(
             p_querier=self.participant_querier,
         )
 
+        self.photo_approval_service = PhotoApprovalService(
+            photo_approval_querier=self.photo_approval_querier,
+            photo_querier=self.photo_querier,
+            storage_service=self.staged_upload_storage_service,
+            audit_service=self.audit_service,
+        )
+
+        self.user_photo_service = UserPhotoService(
+            photo_querier=self.photo_querier,
+            photo_face_querier=self.photo_face_querier,
+            photo_approval_querier=self.photo_approval_querier,
+            staff_drive_service=self.staff_drive_service,
+        )
+
 async def get_container(
     conn: sqlalchemy.ext.asyncio.AsyncConnection = Depends(get_db),
 ) -> Container:

diff --git a/app/core/config.py b/app/core/config.py
@@ -1,4 +1,5 @@
-from pydantic_settings import BaseSettings
+from pydantic_settings import BaseSettings, SettingsConfigDict
+from pydantic import field_validator
 
 
 class Settings(BaseSettings):
@@ -16,13 +17,13 @@ class Settings(BaseSettings):
     NATS_HOST: str
     NATS_PASSWORD: str
     NATS_USER: str
-
-
     # MinIO
     MINIO_API_PORT: int
     MINIO_ROOT_USER: str
     MINIO_ROOT_PASSWORD: str
     MINIO_HOST: str
+    MINIO_RETRY_ATTEMPTS: int = 3
+    MINIO_RETRY_BASE_SECONDS: float = 0.5
 
     # PostgreSQL
     POSTGRES_USER: str
@@ -35,13 +36,22 @@ class Settings(BaseSettings):
     MOBILE_SESSION_LIMIT: int = 3
     MOBILE_SESSION_TTL_SECONDS: int = 180
     MOBILE_SESSION_DAYS: int = 7
-
+    # Admin list defaults
+    ADMIN_USERS_DEFAULT_LIMIT: int = 20
+    ADMIN_USERS_MAX_LIMIT: int = 100
     # Security
     jwt_secret: str
     jwt_algorithm: str = "HS256"
     encryption_key: str
     totp_issuer: str = "multAI"
 
+    # Face embedding model
+    FACE_EMBEDDING_MODEL_NAME: str = "buffalo_l"
+    FACE_EMBEDDING_PROVIDERS: str = "CPUExecutionProvider"
+    FACE_EMBEDDING_CTX_ID: int = -1
+    FACE_EMBEDDING_DET_WIDTH: int = 640
+    FACE_EMBEDDING_DET_HEIGHT: int = 640
+
     # Google Drive OAuth
     GOOGLE_CLIENT_ID: str = ""
     GOOGLE_CLIENT_SECRET: str = ""
@@ -53,9 +63,24 @@ class Settings(BaseSettings):
     FACE_ENCRYPTION_KEY: str
     FIREBASE_CREDENTIALS_PATH: str = "multiai-c9380-firebase-adminsdk-fbsvc-cb6e5ce41b.json"
 
-    class Config:
-        env_file = ".env"
-        extra = "ignore"
+    model_config = SettingsConfigDict(
+        env_file=".env",
+        extra="ignore",
+    )
+
+    @field_validator("debug", mode="before")
+    @classmethod
+    def _parse_debug(cls, value):  # type: ignore[no-untyped-def]
+        if value is None:
+            return True
+        if isinstance(value, str):
+            lowered = value.strip().lower()
+            if lowered in {"release", "prod", "production", "false", "0", "no"}:
+                return False
+            if lowered in {"true", "1", "yes"}:
+                return True
+            return value
+        return value
 
 
 settings = Settings()  # type: ignore
diff --git a/app/core/constant.py b/app/core/constant.py
@@ -9,6 +9,12 @@ class RedisKey(str, Enum):
 
 NOTIFICATION_EVENT_SUBJECT = "notification_event"
 AUDIT_EVENT_SUBJECT = "audit.event"
+FINAL_BUCKET_CLEANUP_SUBJECT = "ai.final_bucket.completed"
+FINAL_BUCKET_CLEANUP_STREAM = "ai-final-bucket-cleanup"
+FINAL_BUCKET_CLEANUP_DURABLE_NAME = "ai-final-bucket-cleaner"
+UPLOAD_GROUP_IMPORT_SUBJECT = "staff.upload_group.import.requested"
+UPLOAD_GROUP_IMPORT_STREAM = "staff-upload-group-import"
+UPLOAD_GROUP_IMPORT_DURABLE_NAME = "staff-upload-group-import-worker"
 
 
 class AuditEventType(str, Enum):
@@ -18,7 +24,8 @@ class AuditEventType(str, Enum):
     UPLOAD_REQUEST_CREATED = "upload_request.created"
     UPLOAD_REQUEST_APPROVED = "upload_request.approved"
     UPLOAD_REQUEST_REJECTED = "upload_request.rejected"
-
+    PHOTO_PROCESSED = "photo.processed"
+    PHOTO_APPROVAL_DECIDED = "photo_approval.decided"
 
 
 IMAGE_ALLOWED_TYPES = {
@@ -28,6 +35,19 @@ class AuditEventType(str, Enum):
     "image/heif"
 }
 
+DEFAULT_CONTENT_TYPE = "application/octet-stream"
+DRIVE_ALLOWED_HOSTS = {"drive.google.com", "docs.google.com"}
+MINIO_URL_PREFIX = "minio://"
+
+IMAGES_BUCKET_NAME = "images"
+DOCUMENTS_BUCKET_NAME = "documents"
+WA_SIM_BUCKET_NAME = "wa-sim"
+
+GOOGLE_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth"
+GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token"
+GOOGLE_USERINFO_URL = "https://www.googleapis.com/oauth2/v2/userinfo"
+GOOGLE_DRIVE_FILES_URL = "https://www.googleapis.com/drive/v3/files/{file_id}"
+
 MAX_IMAGE_SIZE = 5 * 1024 * 1024
 MIN_ENROLL_IMAGES = 3
 MAX_ENROLL_IMAGES = 5
diff --git a/app/core/exceptions.py b/app/core/exceptions.py
@@ -75,6 +75,9 @@ def handle_check_violation(exc: Exception) -> HTTPException:
     def handle(exc: Exception) -> HTTPException:
         logger.error("Database error: %s", exc)
 
+        if isinstance(exc, HTTPException):
+            return exc
+
         if isinstance(exc, IntegrityError):
             orig = getattr(exc, "orig", None)
             sqlstate = getattr(orig, "sqlstate", None)

diff --git a/app/deps/token_auth.py b/app/deps/token_auth.py
@@ -43,6 +43,8 @@ async def get_current_mobile_user(
     user = await container.auth_service.user_querier.get_user_by_id(id=session.user_id)
     if not user:
         raise HTTPException(status_code=401, detail="User not found")
+    if user.blocked:
+        raise HTTPException(status_code=403, detail="User is blocked")
 
     return MobileUserSchema(
         user_id=user.id,
-Original file line number
+Diff line change
@@ Expand Up / @@ -7,3 +7,5 @@ db/schema.sql @@
     multiai-c9380-firebase-adminsdk-fbsvc-cb6e5ce41b.json
     db.txt
+    .venv
+    multiai-c9380-firebase-adminsdk-fbsvc-cb6e5ce41b.json