fix: HEIC 프리뷰 placeholder + 모바일 사진함 접근 허용

1. issue-report.js updatePhotoSlot: 브라우저가 <img> 로 렌더링 못하는 포맷(HEIC 등) 감지해서 녹색 placeholder("📷 HEIC 첨부됨") 로 대체. photos[index] 데이터는 유지해서 업로드는 정상 동작 (서버 ImageMagick fallback 이 HEIC→JPEG 변환). 데스크톱 Chrome 에서 깨진 이미지 아이콘 보이던 문제 해결. 2. m/management.html editPhotoInput: capture="environment" 제거. 이 속성이 있으면 모바일에서 카메라 직접 호출만 되고 사진함 선택 UI 가 나오지 않음. 관리함 사진 보충 시 기존 사진에서 고를 수 있어야 함. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
fix(tkqc): iPhone HEIC 업로드 실패 → ImageMagick fallback 추가
2026-04-09 14:01:29 +09:00 · 2026-04-09 13:51:24 +09:00 · 2026-04-09 13:46:46 +09:00 · 2026-04-09 13:28:24 +09:00 · 2026-04-01 15:50:00 +09:00 · 2026-04-01 15:47:32 +09:00
101 changed files with 763 additions and 48 deletions
--- a/gateway/html/dashboard.html
+++ b/gateway/html/dashboard.html
@@ -489,7 +489,7 @@

        // ===== Card Definitions =====
        var SYSTEM_CARDS = [
-            { id: 'factory', name: '공장관리', desc: '작업장 현황, TBM, 설비관리', icon: '\uD83C\uDFED', subdomain: 'tkfb', path: '/pages/dashboard.html', pageKey: 'dashboard', color: '#1a56db' },
+            { id: 'factory', name: '공장관리', desc: '작업장 현황, TBM, 설비관리', icon: '\uD83C\uDFED', subdomain: 'tkfb', path: '/pages/dashboard-new.html', pageKey: 'dashboard', color: '#1a56db' },
            { id: 'report_sys', name: '신고', desc: '사건·사고 신고 접수', icon: '\uD83D\uDEA8', subdomain: 'tkreport', accessKey: 'system2', color: '#dc2626' },
            { id: 'quality', name: '부적합관리', desc: '부적합 이슈 추적·처리', icon: '\uD83D\uDCCA', subdomain: 'tkqc', accessKey: 'system3', color: '#059669' },
            { id: 'purchase', name: '구매관리', desc: '자재 구매, 일용직 관리', icon: '\uD83D\uDED2', subdomain: 'tkpurchase', color: '#d97706' },
@@ -781,7 +781,8 @@

                var redirect = new URLSearchParams(location.search).get('redirect');
                if (redirect && isSafeRedirect(redirect)) {
-                    window.location.href = redirect;
+                    var sep = redirect.indexOf('#') === -1 ? '#' : '&';
+                    window.location.href = redirect + sep + '_sso=' + encodeURIComponent(data.access_token);
                } else {
                    window.location.href = '/dashboard';
                }
@@ -840,7 +841,8 @@
                        // Already logged in + redirect param
                        var redirect = params.get('redirect');
                        if (redirect && isSafeRedirect(redirect)) {
-                            window.location.href = redirect;
+                            var sep = redirect.indexOf('#') === -1 ? '#' : '&';
+                            window.location.href = redirect + sep + '_sso=' + encodeURIComponent(token);
                            return;
                        }

--- a/shared/frontend/sso-relay.js
+++ b/shared/frontend/sso-relay.js
@@ -0,0 +1,39 @@
+/**
+ * SSO Token Relay — 인앱 브라우저(카카오톡 등) 서브도메인 쿠키 미공유 대응
+ *
+ * Canonical source: shared/frontend/sso-relay.js
+ * 전 서비스 동일 코드 — 수정 시 아래 파일 <20><><EFBFBD>체 갱신 필요:
+ *   system1-factory/web/js/sso-relay.js
+ *   system2-report/web/js/sso-relay.js
+ *   system3-nonconformance/web/static/js/sso-relay.js
+ *   user-management/web/static/js/sso-relay.js
+ *   tkpurchase/web/static/js/sso-relay.js
+ *   tksafety/web/static/js/sso-relay.js
+ *   tksupport/web/static/js/sso-relay.js
+ *
+ * 동작: URL hash에 _sso= 파라미터가 있으면 토큰을 로컬 쿠키+localStorage에 설정하고 hash를 제거.
+ * gateway/dashboard.html에서 로그인 성공 후 redirect URL에 #_sso=<token>을 붙여 전달.
+ */
+(function() {
+  var hash = location.hash;
+  if (!hash || hash.indexOf('_sso=') === -1) return;
+
+  var match = hash.match(/[#&]_sso=([^&]*)/);
+  if (!match) return;
+
+  var token = decodeURIComponent(match[1]);
+  if (!token) return;
+
+  // 로컬(1st-party) 쿠키 설정
+  var cookie = 'sso_token=' + encodeURIComponent(token) + '; path=/; max-age=604800';
+  if (location.hostname.indexOf('technicalkorea.net') !== -1) {
+    cookie += '; domain=.technicalkorea.net; secure; samesite=lax';
+  }
+  document.cookie = cookie;
+
+  // localStorage 폴백
+  try { localStorage.setItem('sso_token', token); } catch (e) {}
+
+  // URL에서 hash 제거
+  history.replaceState(null, '', location.pathname + location.search);
+})();
--- a/system1-factory/web/index.html
+++ b/system1-factory/web/index.html
@@ -10,6 +10,7 @@
  if('serviceWorker' in navigator){navigator.serviceWorker.getRegistrations().then(function(r){r.forEach(function(reg){reg.unregister()});})}
  if('caches' in window){caches.keys().then(function(k){k.forEach(function(key){caches.delete(key)})})}
  </script>
+  <script src="/js/sso-relay.js?v=20260401"></script>
  <script src="/js/api-base.js?v=2026031401"></script>
  <script>
    // SSO 토큰 확인
--- a/system1-factory/web/js/sso-relay.js
+++ b/system1-factory/web/js/sso-relay.js
@@ -0,0 +1,39 @@
+/**
+ * SSO Token Relay — 인앱 브라우저(카카오톡 등) 서브도메인 쿠키 미공유 대응
+ *
+ * Canonical source: shared/frontend/sso-relay.js
+ * 전 서비스 동일 코드 — 수정 시 아래 파일 <20><><EFBFBD>체 갱신 필요:
+ *   system1-factory/web/js/sso-relay.js
+ *   system2-report/web/js/sso-relay.js
+ *   system3-nonconformance/web/static/js/sso-relay.js
+ *   user-management/web/static/js/sso-relay.js
+ *   tkpurchase/web/static/js/sso-relay.js
+ *   tksafety/web/static/js/sso-relay.js
+ *   tksupport/web/static/js/sso-relay.js
+ *
+ * 동작: URL hash에 _sso= 파라미터가 있으면 토큰을 로컬 쿠키+localStorage에 설정하고 hash를 제거.
+ * gateway/dashboard.html에서 로그인 성공 후 redirect URL에 #_sso=<token>을 붙여 전달.
+ */
+(function() {
+  var hash = location.hash;
+  if (!hash || hash.indexOf('_sso=') === -1) return;
+
+  var match = hash.match(/[#&]_sso=([^&]*)/);
+  if (!match) return;
+
+  var token = decodeURIComponent(match[1]);
+  if (!token) return;
+
+  // 로컬(1st-party) 쿠키 설정
+  var cookie = 'sso_token=' + encodeURIComponent(token) + '; path=/; max-age=604800';
+  if (location.hostname.indexOf('technicalkorea.net') !== -1) {
+    cookie += '; domain=.technicalkorea.net; secure; samesite=lax';
+  }
+  document.cookie = cookie;
+
+  // localStorage 폴백
+  try { localStorage.setItem('sso_token', token); } catch (e) {}
+
+  // URL에서 hash 제거
+  history.replaceState(null, '', location.pathname + location.search);
+})();
--- a/system1-factory/web/nginx.conf
+++ b/system1-factory/web/nginx.conf
@@ -100,12 +100,19 @@ server {
        proxy_send_timeout 180s;
    }

-    # 레거시 /login, /dashboard → gateway 리다이렉트
+    # /login → 로그인 페이지 (gateway 대시보드)
+    # tkfb.technicalkorea.net이 system1-web을 직접 가리키므로
+    # 외부 리다이렉트 대신 gateway 내부 프록시로 처리
    location = /login {
-        return 302 $scheme://tkfb.technicalkorea.net/dashboard$is_args$args;
+        set $gw http://gateway:80;
+        rewrite ^/login$ /dashboard break;
+        proxy_pass $gw;
+        proxy_set_header Host $host;
    }
    location = /dashboard {
-        return 301 $scheme://tkfb.technicalkorea.net/dashboard;
+        set $gw http://gateway:80;
+        proxy_pass $gw;
+        proxy_set_header Host $host;
    }

    # Health check
--- a/system1-factory/web/pages/admin/attendance-report.html
+++ b/system1-factory/web/pages/admin/attendance-report.html
@@ -190,6 +190,7 @@
        </div>
    </div>

+  <script src="/js/sso-relay.js?v=20260401"></script>
  <script src="/static/js/tkfb-core.js?v=2026040105"></script>
  <script src="/js/api-base.js?v=2026031401"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
--- a/system1-factory/web/pages/admin/equipment-detail.html
+++ b/system1-factory/web/pages/admin/equipment-detail.html
@@ -314,6 +314,7 @@
    </div>
  </div>

+  <script src="/js/sso-relay.js?v=20260401"></script>
  <script src="/static/js/tkfb-core.js?v=2026040105"></script>
  <script src="/js/api-base.js?v=2026031401"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
--- a/system1-factory/web/pages/admin/equipments.html
+++ b/system1-factory/web/pages/admin/equipments.html
@@ -190,6 +190,7 @@
    </div>
  </div>

+  <script src="/js/sso-relay.js?v=20260401"></script>
  <script src="/static/js/tkfb-core.js?v=2026040105"></script>
  <script src="/js/api-base.js?v=2026031401"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
--- a/system1-factory/web/pages/admin/purchase-analysis.html
+++ b/system1-factory/web/pages/admin/purchase-analysis.html
@@ -135,6 +135,7 @@
            </div>
        </div>
    </div>
+    <script src="/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkfb-core.js?v=2026040105"></script>
    <script src="/static/js/purchase-analysis.js?v=2026040103"></script>
 </body>
--- a/system1-factory/web/pages/admin/repair-management.html
+++ b/system1-factory/web/pages/admin/repair-management.html
@@ -507,6 +507,7 @@
        </div>
    </div>

+    <script src="/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkfb-core.js?v=2026040105"></script>
    <script src="/js/api-base.js?v=2026031401"></script>
    <script>
--- a/system1-factory/web/pages/attendance/annual-overview.html
+++ b/system1-factory/web/pages/attendance/annual-overview.html
@@ -390,6 +390,7 @@
    </div>
  </div>

+  <script src="/js/sso-relay.js?v=20260401"></script>
  <script src="/static/js/tkfb-core.js?v=2026040105"></script>
  <script src="/js/api-base.js?v=2026031401"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
--- a/system1-factory/web/pages/attendance/checkin.html
+++ b/system1-factory/web/pages/attendance/checkin.html
@@ -234,6 +234,7 @@
        </div>
    </div>

+  <script src="/js/sso-relay.js?v=20260401"></script>
  <script src="/static/js/tkfb-core.js?v=2026040105"></script>
  <script src="/js/api-base.js?v=2026031401"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
--- a/system1-factory/web/pages/attendance/daily.html
+++ b/system1-factory/web/pages/attendance/daily.html
@@ -70,6 +70,7 @@
        </div>
    </div>

+  <script src="/js/sso-relay.js?v=20260401"></script>
  <script src="/static/js/tkfb-core.js?v=2026040105"></script>
  <script src="/js/api-base.js?v=2026031401"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
--- a/system1-factory/web/pages/attendance/monthly-comparison.html
+++ b/system1-factory/web/pages/attendance/monthly-comparison.html
@@ -162,6 +162,7 @@
    <!-- Toast -->
    <div id="toastContainer" class="toast-container"></div>

+    <script src="/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkfb-core.js?v=2026040105"></script>
    <script src="/js/api-base.js?v=2026031701"></script>
    <script src="/js/monthly-comparison.js?v=2026040109"></script>
--- a/system1-factory/web/pages/attendance/monthly.html
+++ b/system1-factory/web/pages/attendance/monthly.html
@@ -489,6 +489,7 @@
    </div>
  </div>

+  <script src="/js/sso-relay.js?v=20260401"></script>
  <script src="/static/js/tkfb-core.js?v=2026040105"></script>
  <script src="/js/api-base.js?v=2026031401"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
--- a/system1-factory/web/pages/attendance/my-monthly-confirm.html
+++ b/system1-factory/web/pages/attendance/my-monthly-confirm.html
@@ -104,6 +104,7 @@
    <!-- Toast -->
    <div id="toastContainer" class="toast-container"></div>

+    <script src="/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkfb-core.js?v=2026040105"></script>
    <script src="/js/api-base.js?v=2026031701"></script>
    <script src="/js/my-monthly-confirm.js?v=2026040106"></script>
--- a/system1-factory/web/pages/attendance/my-vacation-info.html
+++ b/system1-factory/web/pages/attendance/my-vacation-info.html
@@ -267,6 +267,7 @@
        </div>
    </div>

+  <script src="/js/sso-relay.js?v=20260401"></script>
  <script src="/static/js/tkfb-core.js?v=2026040105"></script>
  <script src="/js/api-base.js?v=2026031401"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
--- a/system1-factory/web/pages/attendance/vacation-allocation.html
+++ b/system1-factory/web/pages/attendance/vacation-allocation.html
@@ -353,6 +353,7 @@
    </div>
  </div>

+  <script src="/js/sso-relay.js?v=20260401"></script>
  <script src="/static/js/tkfb-core.js?v=2026040105"></script>
  <script src="/js/api-base.js?v=2026031401"></script>
  <script type="module" src="/js/vacation-allocation.js" defer></script>
--- a/system1-factory/web/pages/attendance/vacation-approval.html
+++ b/system1-factory/web/pages/attendance/vacation-approval.html
@@ -130,6 +130,7 @@
        </div>
    </div>

+  <script src="/js/sso-relay.js?v=20260401"></script>
  <script src="/static/js/tkfb-core.js?v=2026040105"></script>
  <script src="/js/api-base.js?v=2026031401"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
--- a/system1-factory/web/pages/attendance/vacation-input.html
+++ b/system1-factory/web/pages/attendance/vacation-input.html
@@ -123,6 +123,7 @@
        </div>
    </div>

+  <script src="/js/sso-relay.js?v=20260401"></script>
  <script src="/static/js/tkfb-core.js?v=2026040105"></script>
  <script src="/js/api-base.js?v=2026031401"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
--- a/system1-factory/web/pages/attendance/vacation-management.html
+++ b/system1-factory/web/pages/attendance/vacation-management.html
@@ -215,6 +215,7 @@
        </div>
    </div>

+  <script src="/js/sso-relay.js?v=20260401"></script>
  <script src="/static/js/tkfb-core.js?v=2026040105"></script>
  <script src="/js/api-base.js?v=2026031401"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
--- a/system1-factory/web/pages/attendance/vacation-request.html
+++ b/system1-factory/web/pages/attendance/vacation-request.html
@@ -117,6 +117,7 @@
        </div>
    </div>

+  <script src="/js/sso-relay.js?v=20260401"></script>
  <script src="/static/js/tkfb-core.js?v=2026040105"></script>
  <script src="/js/api-base.js?v=2026031401"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
--- a/system1-factory/web/pages/attendance/work-status.html
+++ b/system1-factory/web/pages/attendance/work-status.html
@@ -286,6 +286,7 @@
        </div>
    </div>

+  <script src="/js/sso-relay.js?v=20260401"></script>
  <script src="/static/js/tkfb-core.js?v=2026040105"></script>
  <script src="/js/api-base.js?v=2026031401"></script>
  <script src="https://cdn.jsdelivr.net/npm/axios/dist/axios.min.js"></script>
--- a/system1-factory/web/pages/dashboard-new.html
+++ b/system1-factory/web/pages/dashboard-new.html
@@ -47,6 +47,7 @@
        </div>
    </div>

+    <script src="/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkfb-core.js?v=2026040105"></script>
    <script src="/js/production-dashboard.js?v=2026040103"></script>
    <script src="/static/js/shared-bottom-nav.js?v=2026040103"></script>
--- a/system1-factory/web/pages/dashboard.html
+++ b/system1-factory/web/pages/dashboard.html
@@ -324,6 +324,7 @@
        </div>
    </div>

+    <script src="/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkfb-core.js?v=2026040105"></script>
    <script src="/js/api-base.js?v=2026031401"></script>
    <script type="module" src="/js/modern-dashboard.js?v=2026031401"></script>
--- a/system1-factory/web/pages/inspection/daily-patrol.html
+++ b/system1-factory/web/pages/inspection/daily-patrol.html
@@ -209,6 +209,7 @@
      }, 50);
    })();
  </script>
+  <script src="/js/sso-relay.js?v=20260401"></script>
  <script src="/static/js/tkfb-core.js?v=2026040105"></script>
  <script src="/js/api-base.js?v=2026031401"></script>
  <script src="/js/daily-patrol.js?v=2026031401"></script>
--- a/system1-factory/web/pages/inspection/zone-detail.html
+++ b/system1-factory/web/pages/inspection/zone-detail.html
@@ -304,6 +304,7 @@
      }, 50);
    })();
  </script>
+  <script src="/js/sso-relay.js?v=20260401"></script>
  <script src="/static/js/tkfb-core.js?v=2026040105"></script>
  <script src="/js/api-base.js?v=2026031401"></script>
  <script src="/js/zone-detail.js?v=2026031401"></script>
--- a/system1-factory/web/pages/profile/info.html
+++ b/system1-factory/web/pages/profile/info.html
@@ -320,6 +320,7 @@
        </div>
    </div>

+  <script src="/js/sso-relay.js?v=20260401"></script>
  <script src="/static/js/tkfb-core.js?v=2026040105"></script>
  <script src="/js/api-base.js?v=2026031401"></script>
  <script type="module" src="/js/my-profile.js"></script>
--- a/system1-factory/web/pages/profile/password.html
+++ b/system1-factory/web/pages/profile/password.html
@@ -390,6 +390,7 @@
        </div>
    </div>

+  <script src="/js/sso-relay.js?v=20260401"></script>
  <script src="/static/js/tkfb-core.js?v=2026040105"></script>
  <script>initAuth();</script>
  <script src="/js/change-password.js?v=2026040101"></script>
--- a/system1-factory/web/pages/purchase/request-mobile.html
+++ b/system1-factory/web/pages/purchase/request-mobile.html
@@ -97,6 +97,7 @@
        <div class="pm-sheet-body" id="detailContent"></div>
    </div>

+    <script src="/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkfb-core.js?v=2026040105"></script>
    <script src="/static/js/purchase-request-mobile.js?v=2026040104"></script>
    <script src="/static/js/shared-bottom-nav.js?v=2026040103"></script>
--- a/system1-factory/web/pages/purchase/request.html
+++ b/system1-factory/web/pages/purchase/request.html
@@ -312,6 +312,7 @@
            </div>
        </div>
    </div>
+    <script src="/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkfb-core.js?v=2026040105"></script>
    <script src="/static/js/purchase-request.js?v=2026040104"></script>
 </body>
--- a/system1-factory/web/pages/work/analysis.html
+++ b/system1-factory/web/pages/work/analysis.html
@@ -277,6 +277,7 @@
        </div>
    </div>

+    <script src="/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkfb-core.js?v=2026040105"></script>
    <script src="/js/api-base.js?v=2026031401"></script>
    <script type="module" src="/js/work-analysis.js?v=2026031401"></script>
@@ -2871,4 +2872,4 @@
    </script>
    <script>initAuth();</script>
 </body>
-</html>
+</html>
--- a/system1-factory/web/pages/work/daily-status.html
+++ b/system1-factory/web/pages/work/daily-status.html
@@ -163,6 +163,7 @@
        </div>
    </div>

+    <script src="/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkfb-core.js?v=2026040105"></script>
    <script src="/js/api-base.js?v=2026031701"></script>
    <script src="/js/daily-status.js?v=2026033001"></script>
--- a/system1-factory/web/pages/work/meeting-detail.html
+++ b/system1-factory/web/pages/work/meeting-detail.html
@@ -193,6 +193,7 @@
        </div>
    </div>

+    <script src="/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkfb-core.js?v=2026040105"></script>
    <script src="/js/meeting-detail.js?v=2026031701"></script>
 </body>
--- a/system1-factory/web/pages/work/meetings.html
+++ b/system1-factory/web/pages/work/meetings.html
@@ -80,6 +80,7 @@
        </div>
    </div>

+    <script src="/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkfb-core.js?v=2026040105"></script>
    <script src="/js/meetings.js?v=2026031701"></script>
 </body>
--- a/system1-factory/web/pages/work/proxy-input.html
+++ b/system1-factory/web/pages/work/proxy-input.html
@@ -114,6 +114,7 @@
        </div>
    </div>

+    <script src="/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkfb-core.js?v=2026040105"></script>
    <script src="/js/api-base.js?v=2026031701"></script>
    <script src="/js/proxy-input.js?v=2026033202"></script>
--- a/system1-factory/web/pages/work/report-create-mobile.html
+++ b/system1-factory/web/pages/work/report-create-mobile.html
@@ -190,6 +190,7 @@
  </div>

  <!-- 공통 모듈 -->
+  <script src="/js/sso-relay.js?v=20260401"></script>
  <script src="/static/js/tkfb-core.js?v=2026040105"></script>
  <script src="/js/api-base.js?v=2026031401"></script>
  <script src="/js/common/utils.js?v=2026031401"></script>
--- a/system1-factory/web/pages/work/report-create.html
+++ b/system1-factory/web/pages/work/report-create.html
@@ -149,6 +149,7 @@
        </div>
    </div>

+    <script src="/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkfb-core.js?v=2026040105"></script>
    <script src="/js/api-base.js?v=2026031401"></script>
    <script src="/js/common/utils.js?v=2026031401"></script>
--- a/system1-factory/web/pages/work/schedule.html
+++ b/system1-factory/web/pages/work/schedule.html
@@ -347,6 +347,7 @@
        </div>
    </div>

+    <script src="/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkfb-core.js?v=2026040105"></script>
    <script src="/js/schedule.js?v=2026031701"></script>
    <script>
--- a/system1-factory/web/pages/work/tbm-create.html
+++ b/system1-factory/web/pages/work/tbm-create.html
@@ -843,6 +843,7 @@
    </div>

    <!-- Scripts -->
+    <script src="/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkfb-core.js?v=2026040105"></script>
    <script src="/js/api-base.js?v=2026040101"></script>
    <!-- 공통 모듈 -->
--- a/system1-factory/web/pages/work/tbm-mobile.html
+++ b/system1-factory/web/pages/work/tbm-mobile.html
@@ -264,6 +264,7 @@
    </div>

    <!-- 공통 모듈 -->
+    <script src="/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkfb-core.js?v=2026040105"></script>
    <script src="/js/api-base.js?v=2026040101"></script>
    <script src="/js/common/utils.js?v=2026040101"></script>
--- a/system1-factory/web/pages/work/tbm.html
+++ b/system1-factory/web/pages/work/tbm.html
@@ -573,6 +573,7 @@
    <!-- 토스트 -->
    <div class="toast-container" id="toastContainer"></div>

+    <script src="/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkfb-core.js?v=2026040105"></script>
    <script src="/js/api-base.js?v=2026031602"></script>
    <script src="/js/common/utils.js?v=2026031602"></script>
--- a/system1-factory/web/sw.js
+++ b/system1-factory/web/sw.js
@@ -20,10 +20,12 @@ self.addEventListener('activate', function(event) {
 });

 self.addEventListener('fetch', function(event) {
-  // API, POST, cross-origin 요청은 캐싱하지 않음
+  // API, POST, cross-origin, 로그인/대시보드 프록시 경로는 캐싱하지 않음
  if (event.request.url.includes('/api/')) return;
  if (event.request.method !== 'GET') return;
  if (!event.request.url.startsWith(self.location.origin)) return;
+  var path = new URL(event.request.url).pathname;
+  if (path === '/dashboard' || path === '/login' || path === '/auth' || path.startsWith('/auth/')) return;

  event.respondWith(
    fetch(event.request)
--- a/system2-report/api/controllers/workIssueController.js
+++ b/system2-report/api/controllers/workIssueController.js
@@ -257,12 +257,36 @@ exports.createReport = async (req, res) => {
        if (result.success && result.mProjectId) {
          await workIssueModel.updateMProjectId(reportId, result.mProjectId);
          console.log(`[System3 연동] m_project_id=${result.mProjectId} 업데이트 완료`);
+        } else {
+          // ⚠ System3 연동 실패 감지 — silent data loss 방지 (2026-04-09 사고 교훈)
+          console.error(`[System3 연동 실패] report_id=${reportId} error=${result.error || 'unknown'}`);
+          notify.send({
+            type: 'system',
+            title: 'tkqc 연동 실패',
+            message: `부적합 신고 #${reportId} (사진 ${photoBase64List.length}장) 전달 실패 — ${result.error || 'unknown'}`,
+            link_url: `/pages/safety/issue-detail.html?id=${reportId}`,
+            reference_type: 'work_issue_reports',
+            reference_id: reportId,
+            created_by: req.user.id || req.user.user_id
+          }).catch(e => console.error('[알림 전송 실패]', e.message));
        }
      } else {
        console.log(`[System3 연동] 부적합 아님, 건너뜀`);
      }
    } catch (e) {
      console.error('[System3 연동 실패]', e.message, e.stack);
+      // 예외 케이스도 알림
+      try {
+        notify.send({
+          type: 'system',
+          title: 'tkqc 연동 예외',
+          message: `부적합 신고 #${reportId} 전달 중 예외: ${e.message}`,
+          link_url: `/pages/safety/issue-detail.html?id=${reportId}`,
+          reference_type: 'work_issue_reports',
+          reference_id: reportId,
+          created_by: req.user.id || req.user.user_id
+        }).catch(() => {});
+      } catch (_) {}
    }
  } catch (error) {
    console.error('신고 생성 에러:', error);
--- a/system2-report/web/js/issue-report.js
+++ b/system2-report/web/js/issue-report.js
@@ -1090,22 +1090,38 @@ function resizeImage(file, maxSize, quality) {

 /**
 * 사진 슬롯 업데이트
+ * 브라우저가 렌더링 못하는 포맷(HEIC 등) 은 img 대신 placeholder 로 표시하되
+ * photos[index] 데이터 자체는 유지해서 업로드는 정상 동작.
 */
 function updatePhotoSlot(index) {
  const slot = document.querySelector(`.photo-slot[data-index="${index}"]`);

+  // 기존 img 나 placeholder 제거
+  const existingImg = slot.querySelector('img');
+  if (existingImg) existingImg.remove();
+  const existingPlaceholder = slot.querySelector('.photo-placeholder');
+  if (existingPlaceholder) existingPlaceholder.remove();
+
  if (photos[index]) {
    slot.classList.add('has-photo');
-    let img = slot.querySelector('img');
-    if (!img) {
-      img = document.createElement('img');
+    const data = photos[index];
+    // 브라우저가 <img> 로 렌더링 가능한 포맷만 img 사용, 그 외엔 placeholder
+    const isRenderable = /^data:image\/(jpeg|jpg|png|gif|webp|bmp|svg)/i.test(data);
+
+    if (isRenderable) {
+      const img = document.createElement('img');
+      img.src = data;
      slot.insertBefore(img, slot.firstChild);
+    } else {
+      // HEIC 등 렌더링 불가 포맷 — placeholder 표시 (업로드는 정상)
+      const ph = document.createElement('div');
+      ph.className = 'photo-placeholder';
+      ph.style.cssText = 'width:100%;height:100%;display:flex;flex-direction:column;align-items:center;justify-content:center;background:#ecfdf5;color:#059669;font-size:0.625rem;font-weight:600;text-align:center;gap:2px;';
+      ph.innerHTML = '<div style="font-size:1.25rem">&#128247;</div><div>HEIC</div><div style="font-size:0.5625rem;color:#10b981">첨부됨</div>';
+      slot.insertBefore(ph, slot.firstChild);
    }
-    img.src = photos[index];
  } else {
    slot.classList.remove('has-photo');
-    const img = slot.querySelector('img');
-    if (img) img.remove();
  }
 }

--- a/system2-report/web/js/sso-relay.js
+++ b/system2-report/web/js/sso-relay.js
@@ -0,0 +1,39 @@
+/**
+ * SSO Token Relay — 인앱 브라우저(카카오톡 등) 서브도메인 쿠키 미공유 대응
+ *
+ * Canonical source: shared/frontend/sso-relay.js
+ * 전 서비스 동일 코드 — 수정 시 아래 파일 <20><><EFBFBD>체 갱신 필요:
+ *   system1-factory/web/js/sso-relay.js
+ *   system2-report/web/js/sso-relay.js
+ *   system3-nonconformance/web/static/js/sso-relay.js
+ *   user-management/web/static/js/sso-relay.js
+ *   tkpurchase/web/static/js/sso-relay.js
+ *   tksafety/web/static/js/sso-relay.js
+ *   tksupport/web/static/js/sso-relay.js
+ *
+ * 동작: URL hash에 _sso= 파라미터가 있으면 토큰을 로컬 쿠키+localStorage에 설정하고 hash를 제거.
+ * gateway/dashboard.html에서 로그인 성공 후 redirect URL에 #_sso=<token>을 붙여 전달.
+ */
+(function() {
+  var hash = location.hash;
+  if (!hash || hash.indexOf('_sso=') === -1) return;
+
+  var match = hash.match(/[#&]_sso=([^&]*)/);
+  if (!match) return;
+
+  var token = decodeURIComponent(match[1]);
+  if (!token) return;
+
+  // 로컬(1st-party) 쿠키 설정
+  var cookie = 'sso_token=' + encodeURIComponent(token) + '; path=/; max-age=604800';
+  if (location.hostname.indexOf('technicalkorea.net') !== -1) {
+    cookie += '; domain=.technicalkorea.net; secure; samesite=lax';
+  }
+  document.cookie = cookie;
+
+  // localStorage 폴백
+  try { localStorage.setItem('sso_token', token); } catch (e) {}
+
+  // URL에서 hash 제거
+  history.replaceState(null, '', location.pathname + location.search);
+})();
--- a/system2-report/web/pages/safety/chat-report.html
+++ b/system2-report/web/pages/safety/chat-report.html
@@ -6,6 +6,7 @@
    <title>AI 신고 도우미 | (주)테크니컬코리아</title>
    <link rel="icon" type="image/png" href="/img/favicon.png">
    <link rel="stylesheet" href="/css/chat-report.css?v=2026031401">
+    <script src="/js/sso-relay.js?v=20260401"></script>
    <script src="/js/api-base.js?v=2026040101"></script>
    <script src="/js/app-init.js?v=2026031401" defer></script>
 </head>
--- a/system2-report/web/pages/safety/issue-detail.html
+++ b/system2-report/web/pages/safety/issue-detail.html
@@ -8,6 +8,7 @@
    <link rel="stylesheet" href="/css/common.css?v=2026031401">
    <link rel="stylesheet" href="/css/project-management.css?v=2026031401">
    <link rel="icon" type="image/png" href="/img/favicon.png">
+    <script src="/js/sso-relay.js?v=20260401"></script>
    <script src="/js/api-base.js?v=2026040101"></script>
    <script src="/js/app-init.js?v=2026031401" defer></script>
    <script src="https://instant.page/5.2.0" type="module"></script>
--- a/system2-report/web/pages/safety/issue-report.html
+++ b/system2-report/web/pages/safety/issue-report.html
@@ -5,6 +5,7 @@
    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
    <title>신고 등록 | (주)테크니컬코리아</title>
    <link rel="icon" type="image/png" href="/img/favicon.png">
+    <script src="/js/sso-relay.js?v=20260401"></script>
    <script src="/js/api-base.js?v=2026040101"></script>
    <script src="/js/app-init.js?v=2026031401" defer></script>
    <style>
@@ -782,6 +783,6 @@
    <input type="file" id="photoInput" accept="image/*" style="display:none">

    <script src="/js/cross-nav.js?v=2026031401"></script>
-    <script src="/js/issue-report.js?v=2026031401"></script>
+    <script src="/js/issue-report.js?v=2026040901"></script>
 </body>
 </html>
--- a/system2-report/web/pages/safety/report-status.html
+++ b/system2-report/web/pages/safety/report-status.html
@@ -8,6 +8,7 @@
    <link rel="stylesheet" href="/css/common.css?v=2026031401">
    <link rel="stylesheet" href="/css/project-management.css?v=2026031401">
    <link rel="icon" type="image/png" href="/img/favicon.png">
+    <script src="/js/sso-relay.js?v=20260401"></script>
    <script src="/js/api-base.js?v=2026040101"></script>
    <script src="/js/app-init.js?v=2026031401" defer></script>
    <script src="https://instant.page/5.2.0" type="module"></script>
--- a/system3-nonconformance/api/Dockerfile
+++ b/system3-nonconformance/api/Dockerfile
@@ -3,9 +3,15 @@ FROM python:3.11-slim
 WORKDIR /app

 # 시스템 패키지 설치
+# - gosu: entrypoint 에서 root→appuser 강등용
+# - imagemagick + libheif: HEIC(iPhone) 등 pillow_heif 가 처리 못하는 이미지 fallback (2026-04-09)
 RUN apt-get update && apt-get install -y \
    gcc \
-    && rm -rf /var/lib/apt/lists/*
+    gosu \
+    imagemagick \
+    libheif1 \
+    && rm -rf /var/lib/apt/lists/* \
+    && sed -i 's|<policy domain="coder" rights="none" pattern="HEIC" />|<policy domain="coder" rights="read\|write" pattern="HEIC" />|' /etc/ImageMagick-6/policy.xml 2>/dev/null || true

 # Python 의존성 설치
 COPY requirements.txt .
@@ -17,12 +23,16 @@ RUN groupadd -r appuser && useradd -r -g appuser appuser
 # 애플리케이션 파일 복사
 COPY --chown=appuser:appuser . .

-# uploads 디렉토리 생성
+# uploads 디렉토리 생성 (entrypoint 가 볼륨 마운트 후 재-chown)
 RUN mkdir -p /app/uploads && chown appuser:appuser /app/uploads

+# entrypoint 실행권한
+RUN chmod +x /app/entrypoint.sh
+
 # 포트 노출
 EXPOSE 8000

-# 실행 명령
-USER appuser
+# 실행 (root 로 시작 → entrypoint 에서 chown → gosu 로 appuser 강등)
+# USER 지시어는 entrypoint 에서 직접 처리하므로 생략한다.
+ENTRYPOINT ["/app/entrypoint.sh"]
 CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]
--- a/system3-nonconformance/api/database/schemas.py
+++ b/system3-nonconformance/api/database/schemas.py
@@ -240,6 +240,12 @@ class ManagementUpdateRequest(BaseModel):
    completion_photo3: Optional[str] = None  # Base64 - 완료 사진 3
    completion_photo4: Optional[str] = None  # Base64 - 완료 사진 4
    completion_photo5: Optional[str] = None  # Base64 - 완료 사진 5
+    # 원본(부적합) 사진 보충 — NULL 슬롯에만 채워넣도록 클라이언트에서 제어 (2026-04-09)
+    photo: Optional[str] = None   # Base64 - 원본 사진 1
+    photo2: Optional[str] = None  # Base64 - 원본 사진 2
+    photo3: Optional[str] = None  # Base64 - 원본 사진 3
+    photo4: Optional[str] = None  # Base64 - 원본 사진 4
+    photo5: Optional[str] = None  # Base64 - 원본 사진 5
    review_status: Optional[ReviewStatus] = None

 class OpinionRequest(BaseModel):
--- a/system3-nonconformance/api/entrypoint.sh
+++ b/system3-nonconformance/api/entrypoint.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+# entrypoint.sh — 볼륨 권한 보정 후 appuser 로 강등 실행
+#
+# Why: Dockerfile 의 `chown /app/uploads` 는 이미지 레이어에만 반영되고,
+# docker-compose 의 named volume 은 최초 생성 시점의 소유자를 유지한다.
+# 재배포해도 볼륨은 root 소유로 남아 appuser(999) 가 write 불가.
+# → 컨테이너 시작 시마다 root 로 chown 하고 gosu 로 appuser 강등.
+#
+# 2026-04-09: 이 보정 누락으로 tkqc 사진이 silent 하게 유실됐다 (qc_issues.id=185~191).
+set -e
+
+UPLOAD_DIR="/app/uploads"
+
+if [ -d "$UPLOAD_DIR" ]; then
+  chown -R appuser:appuser "$UPLOAD_DIR" || {
+    echo "[entrypoint] WARNING: chown $UPLOAD_DIR 실패 — 이미 appuser 소유이거나 read-only 볼륨일 수 있음" >&2
+  }
+fi
+
+exec gosu appuser "$@"
--- a/system3-nonconformance/api/routers/issues.py
+++ b/system3-nonconformance/api/routers/issues.py
@@ -372,9 +372,30 @@ async def update_issue_management(
            except Exception as e:
                raise HTTPException(status_code=400, detail=f"완료 사진 저장 실패: {str(e)}")

-    # 나머지 필드 처리 (완료 사진 제외)
+    # 원본(부적합) 사진 보충 처리 — 클라이언트가 빈 슬롯에만 채우도록 제어함
+    # (2026-04-09: tkreport→tkqc 연동 중 유실된 사진 복구 용도로 추가)
+    photo_fields = []
+    for i in range(1, 6):
+        photo_field = f"photo{i if i > 1 else ''}"
+        path_field = f"photo_path{i if i > 1 else ''}"
+
+        if photo_field in update_data and update_data[photo_field]:
+            photo_fields.append(photo_field)
+            try:
+                # 기존 사진이 있으면 교체 (클라이언트가 의도적으로 지정한 경우)
+                existing_path = getattr(issue, path_field, None)
+                if existing_path:
+                    delete_file(existing_path)
+
+                # 새 사진 저장 (prefix "image" — inbox/신규 생성과 동일)
+                new_path = save_base64_image(update_data[photo_field], "image")
+                setattr(issue, path_field, new_path)
+            except Exception as e:
+                raise HTTPException(status_code=400, detail=f"사진 저장 실패: {str(e)}")
+
+    # 나머지 필드 처리 (사진 필드 제외)
    for field, value in update_data.items():
-        if field not in completion_photo_fields:
+        if field not in completion_photo_fields and field not in photo_fields:
            try:
                setattr(issue, field, value)
            except Exception as e:
--- a/system3-nonconformance/api/services/file_service.py
+++ b/system3-nonconformance/api/services/file_service.py
@@ -84,11 +84,48 @@ def save_base64_image(base64_string: str, prefix: str = "image") -> Optional[str
                    print(f"✅ HEIF 재시도 성공: {image.format}, 모드: {image.mode}, 크기: {image.size}")
                except Exception as heif_e:
                    print(f"❌ HEIF 처리도 실패: {heif_e}")
-                    print("❌ 지원되지 않는 이미지 형식")
-                    raise e
+                    image = None  # ImageMagick fallback 시도
            else:
                print("❌ HEIF 지원 라이브러리가 설치되지 않거나 처리 불가")
-                raise e
+
+            # ImageMagick fallback (pillow_heif 가 특정 iPhone HEIC 메타데이터를 처리 못하는 경우)
+            if image is None:
+                print("🔄 ImageMagick 으로 fallback 시도...")
+                try:
+                    import subprocess
+                    import tempfile
+                    with tempfile.NamedTemporaryFile(suffix='.bin', delete=False, dir='/tmp') as tmp_in:
+                        tmp_in.write(image_data)
+                        tmp_in_path = tmp_in.name
+                    tmp_out_path = tmp_in_path + '.jpg'
+                    # convert 는 ImageMagick 6, magick 은 ImageMagick 7
+                    cmd = None
+                    for binary in ('magick', 'convert'):
+                        try:
+                            subprocess.run([binary, '-version'], capture_output=True, timeout=5, check=True)
+                            cmd = binary
+                            break
+                        except (FileNotFoundError, subprocess.CalledProcessError, subprocess.TimeoutExpired):
+                            continue
+                    if not cmd:
+                        raise Exception("ImageMagick not installed")
+                    result = subprocess.run(
+                        [cmd, tmp_in_path, tmp_out_path],
+                        capture_output=True, timeout=30, text=True
+                    )
+                    if result.returncode != 0:
+                        raise Exception(f"ImageMagick 변환 실패: {result.stderr[:200]}")
+                    image = Image.open(tmp_out_path)
+                    image.load()  # 파일 삭제 전 강제 로드
+                    print(f"✅ ImageMagick fallback 성공: {image.format}, 모드: {image.mode}, 크기: {image.size}")
+                    try:
+                        os.unlink(tmp_in_path)
+                        os.unlink(tmp_out_path)
+                    except OSError:
+                        pass
+                except Exception as magick_e:
+                    print(f"❌ ImageMagick fallback 실패: {magick_e}")
+                    raise e  # 원래 PIL 에러를 올림

        # 이미지가 성공적으로 로드되지 않은 경우
        if image is None:
@@ -122,7 +159,10 @@ def save_base64_image(base64_string: str, prefix: str = "image") -> Optional[str
        
    except Exception as e:
        print(f"이미지 저장 실패: {e}")
-        return None
+        # ⚠ silent failure 금지 — 저장 실패는 반드시 상위로 전파해서
+        # system2/클라이언트가 "성공"으로 오인하지 않도록 한다.
+        # (2026-04-09: named volume 권한 이슈로 사진 유실 사고 재발 방지)
+        raise RuntimeError(f"Image save failed: {e}") from e

 def delete_file(filepath: str):
    """파일 삭제"""
--- a/system3-nonconformance/web/ai-assistant.html
+++ b/system3-nonconformance/web/ai-assistant.html
@@ -277,6 +277,7 @@
    <script src="/static/js/components/common-header.js?v=2026031401"></script>
    <script src="/static/js/core/page-manager.js?v=2026031401"></script>
    <script src="/static/js/api.js?v=2026031401"></script>
+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/core/auth-manager.js?v=2026031401"></script>
    <script src="/static/js/utils/issue-helpers.js?v=2026031401"></script>
    <script src="/static/js/utils/toast.js?v=2026031401"></script>
--- a/system3-nonconformance/web/issue-view.html
+++ b/system3-nonconformance/web/issue-view.html
@@ -111,6 +111,7 @@
    <script src="/static/js/components/common-header.js?v=2026031401"></script>
    <script src="/static/js/core/page-manager.js?v=2026031401"></script>
    <script src="/static/js/api.js?v=2026031401"></script>
+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/core/auth-manager.js?v=2026031401"></script>
    <script src="/static/js/utils/issue-helpers.js?v=2026031401"></script>
    <script src="/static/js/utils/photo-modal.js?v=2026031401"></script>
--- a/system3-nonconformance/web/issues-archive.html
+++ b/system3-nonconformance/web/issues-archive.html
@@ -201,6 +201,7 @@
    <script src="/static/js/components/common-header.js?v=2026031401"></script>
    <script src="/static/js/core/page-manager.js?v=2026031401"></script>
    <script src="/static/js/api.js?v=2026031401"></script>
+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/core/auth-manager.js?v=2026031401"></script>
    <script src="/static/js/utils/issue-helpers.js?v=2026031401"></script>
    <script src="/static/js/utils/photo-modal.js?v=2026031401"></script>
--- a/system3-nonconformance/web/issues-dashboard.html
+++ b/system3-nonconformance/web/issues-dashboard.html
@@ -554,6 +554,7 @@
    <script src="/static/js/components/common-header.js?v=2026031401"></script>
    <script src="/static/js/core/page-manager.js?v=2026031401"></script>
    <script src="/static/js/api.js?v=2026031401"></script>
+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/core/auth-manager.js?v=2026031401"></script>
    <script src="/static/js/utils/issue-helpers.js?v=2026031401"></script>
    <script src="/static/js/utils/photo-modal.js?v=2026031401"></script>
--- a/system3-nonconformance/web/issues-inbox.html
+++ b/system3-nonconformance/web/issues-inbox.html
@@ -373,6 +373,7 @@
    <script src="/static/js/components/common-header.js?v=2026031401"></script>
    <script src="/static/js/core/page-manager.js?v=2026031401"></script>
    <script src="/static/js/api.js?v=2026031401"></script>
+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/core/auth-manager.js?v=2026031401"></script>
    <script src="/static/js/components/mobile-calendar.js?v=2026031401"></script>
    <script src="/static/js/utils/issue-helpers.js?v=2026031401"></script>
--- a/system3-nonconformance/web/issues-management.html
+++ b/system3-nonconformance/web/issues-management.html
@@ -343,11 +343,12 @@
    <script src="/static/js/components/common-header.js?v=2026031401"></script>
    <script src="/static/js/core/page-manager.js?v=2026031401"></script>
    <script src="/static/js/api.js?v=2026031401"></script>
+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/core/auth-manager.js?v=2026031401"></script>
    <script src="/static/js/utils/issue-helpers.js?v=2026031401"></script>
    <script src="/static/js/utils/photo-modal.js?v=2026031401"></script>
    <script src="/static/js/utils/toast.js?v=2026031401"></script>
    <script src="/static/js/components/mobile-bottom-nav.js?v=2026031401"></script>
-    <script src="/static/js/pages/issues-management.js?v=2026031401"></script>
+    <script src="/static/js/pages/issues-management.js?v=2026040902"></script>
 </body>
 </html>
--- a/system3-nonconformance/web/m/dashboard.html
+++ b/system3-nonconformance/web/m/dashboard.html
@@ -186,6 +186,7 @@

    <!-- 스크립트 -->
    <script src="/static/js/api.js?v=2026031401"></script>
+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/core/auth-manager.js?v=2026031401"></script>
    <script src="/static/js/core/permissions.js?v=2026031401"></script>
    <script src="/static/js/utils/issue-helpers.js?v=2026031401"></script>
--- a/system3-nonconformance/web/m/inbox.html
+++ b/system3-nonconformance/web/m/inbox.html
@@ -194,6 +194,7 @@

    <!-- 스크립트 -->
    <script src="/static/js/api.js?v=2026031401"></script>
+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/core/auth-manager.js?v=2026031401"></script>
    <script src="/static/js/core/permissions.js?v=2026031401"></script>
    <script src="/static/js/utils/issue-helpers.js?v=2026031401"></script>
--- a/system3-nonconformance/web/m/management.html
+++ b/system3-nonconformance/web/m/management.html
@@ -92,6 +92,15 @@
                <label class="m-label"><i class="fas fa-calendar-alt" style="color:#ef4444;margin-right:4px"></i>조치 예상일</label>
                <input type="date" id="editExpectedDate" class="m-input">
            </div>
+            <!-- 원본 사진 보충 (빈 슬롯에만 채움) -->
+            <div class="m-form-group" id="editPhotoGroup">
+                <label class="m-label"><i class="fas fa-camera" style="color:#10b981;margin-right:4px"></i>사진 보충 <span id="editPhotoSlotInfo" style="font-size:11px;color:#6b7280"></span></label>
+                <div id="editExistingPhotos" style="display:flex;flex-wrap:wrap;gap:6px;margin-bottom:8px"></div>
+                <input type="file" id="editPhotoInput" accept="image/*" multiple
+                       class="m-input" style="padding:8px;font-size:12px" onchange="previewEditPhotos(event)">
+                <div id="editPhotoPreview" style="display:flex;flex-wrap:wrap;gap:6px;margin-top:6px"></div>
+                <p style="font-size:11px;color:#9ca3af;margin-top:4px">※ 비어있는 슬롯에만 자동 채움. 기존 사진은 유지됩니다.</p>
+            </div>
        </div>
        <div class="m-sheet-footer">
            <button class="m-submit-btn" onclick="saveManagementEdit()">
@@ -174,10 +183,11 @@

    <!-- 스크립트 -->
    <script src="/static/js/api.js?v=2026031401"></script>
+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/core/auth-manager.js?v=2026031401"></script>
    <script src="/static/js/core/permissions.js?v=2026031401"></script>
    <script src="/static/js/utils/issue-helpers.js?v=2026031401"></script>
    <script src="/static/js/m/m-common.js?v=2026031401"></script>
-    <script src="/static/js/m/m-management.js?v=2026031401"></script>
+    <script src="/static/js/m/m-management.js?v=2026040901"></script>
 </body>
 </html>
--- a/system3-nonconformance/web/reports-daily.html
+++ b/system3-nonconformance/web/reports-daily.html
@@ -185,6 +185,7 @@
    <script src="/static/js/core/permissions.js?v=2026031401"></script>
    <script src="/static/js/components/common-header.js?v=2026031401"></script>
    <script src="/static/js/api.js?v=2026031401"></script>
+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/core/auth-manager.js?v=2026031401"></script>

    <script>
--- a/system3-nonconformance/web/reports-monthly.html
+++ b/system3-nonconformance/web/reports-monthly.html
@@ -72,6 +72,7 @@
    <script src="/static/js/core/permissions.js?v=2026031401"></script>
    <script src="/static/js/components/common-header.js?v=2026031401"></script>
    <script src="/static/js/api.js?v=2026031401"></script>
+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/core/auth-manager.js?v=2026031401"></script>

    <script>
--- a/system3-nonconformance/web/reports-weekly.html
+++ b/system3-nonconformance/web/reports-weekly.html
@@ -71,6 +71,7 @@
    <script src="/static/js/core/permissions.js?v=2026031401"></script>
    <script src="/static/js/components/common-header.js?v=2026031401"></script>
    <script src="/static/js/api.js?v=2026031401"></script>
+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/core/auth-manager.js?v=2026031401"></script>

    <script>
--- a/system3-nonconformance/web/reports.html
+++ b/system3-nonconformance/web/reports.html
@@ -173,6 +173,7 @@
    <script src="/static/js/core/permissions.js?v=2026031401"></script>
    <script src="/static/js/components/common-header.js?v=2026031401"></script>
    <script src="/static/js/api.js?v=2026031401"></script>
+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/core/auth-manager.js?v=2026031401"></script>

    <script>
--- a/system3-nonconformance/web/static/js/m/m-management.js
+++ b/system3-nonconformance/web/static/js/m/m-management.js
@@ -265,9 +265,59 @@ function openEditMgmtSheet(issueId) {
    document.getElementById('editResponsibleDept').value = issue.responsible_department || '';
    document.getElementById('editResponsiblePerson').value = issue.responsible_person || '';
    document.getElementById('editExpectedDate').value = issue.expected_completion_date ? issue.expected_completion_date.split('T')[0] : '';
+
+    // 원본 사진 보충 UI 초기화
+    var slotKeys = ['photo_path', 'photo_path2', 'photo_path3', 'photo_path4', 'photo_path5'];
+    var existingPhotos = slotKeys.map(function (k) { return issue[k]; }).filter(function (p) { return p; });
+    var emptyCount = 5 - existingPhotos.length;
+
+    var existingEl = document.getElementById('editExistingPhotos');
+    existingEl.innerHTML = existingPhotos.length
+        ? existingPhotos.map(function (p) {
+            return '<img src="' + escapeHtml(p) + '" style="width:52px;height:52px;object-fit:cover;border-radius:6px;border:1px solid #d1d5db" alt="기존 사진">';
+          }).join('')
+        : '<span style="font-size:12px;color:#9ca3af">기존 사진 없음</span>';
+
+    var slotInfoEl = document.getElementById('editPhotoSlotInfo');
+    slotInfoEl.textContent = emptyCount > 0 ? '(남은 슬롯: ' + emptyCount + '장)' : '(가득 참)';
+
+    var photoInput = document.getElementById('editPhotoInput');
+    photoInput.value = '';
+    photoInput.disabled = (emptyCount === 0);
+    document.getElementById('editPhotoPreview').innerHTML = '';
+
    openSheet('editMgmt');
 }

+// 파일 input change 시 미리보기 렌더
+function previewEditPhotos(event) {
+    var files = event.target.files;
+    var preview = document.getElementById('editPhotoPreview');
+    preview.innerHTML = '';
+    if (!files || !files.length) return;
+
+    Array.prototype.forEach.call(files, function (file) {
+        var reader = new FileReader();
+        reader.onload = function (e) {
+            var img = document.createElement('img');
+            img.src = e.target.result;
+            img.style.cssText = 'width:52px;height:52px;object-fit:cover;border-radius:6px;border:2px solid #10b981';
+            img.alt = '추가 예정';
+            preview.appendChild(img);
+        };
+        reader.readAsDataURL(file);
+    });
+}
+
+function fileToBase64(file) {
+    return new Promise(function (resolve, reject) {
+        var reader = new FileReader();
+        reader.onload = function (e) { resolve(e.target.result); };
+        reader.onerror = reject;
+        reader.readAsDataURL(file);
+    });
+}
+
 async function saveManagementEdit() {
    if (!currentIssueId) return;
    try {
@@ -278,6 +328,34 @@ async function saveManagementEdit() {
            expected_completion_date: document.getElementById('editExpectedDate').value ? document.getElementById('editExpectedDate').value + 'T00:00:00' : null
        };

+        // 원본 사진 보충 — 빈 슬롯에만 채움
+        var photoInput = document.getElementById('editPhotoInput');
+        if (photoInput && photoInput.files && photoInput.files.length > 0) {
+            var currentIssue = issues.find(function (i) { return i.id === currentIssueId; });
+            if (currentIssue) {
+                var slotKeys = ['photo_path', 'photo_path2', 'photo_path3', 'photo_path4', 'photo_path5'];
+                var emptySlots = [];
+                slotKeys.forEach(function (k, idx) { if (!currentIssue[k]) emptySlots.push(idx + 1); });
+
+                if (emptySlots.length === 0) {
+                    showToast('원본 사진 슬롯이 가득 찼습니다', 'warning');
+                    return;
+                }
+
+                var filesToUpload = Array.prototype.slice.call(photoInput.files, 0, emptySlots.length);
+                if (photoInput.files.length > emptySlots.length) {
+                    showToast('빈 슬롯 ' + emptySlots.length + '장 중 처음 ' + emptySlots.length + '장만 업로드됩니다', 'info');
+                }
+
+                for (var i = 0; i < filesToUpload.length; i++) {
+                    var base64 = await fileToBase64(filesToUpload[i]);
+                    var slotNum = emptySlots[i];
+                    var fieldName = slotNum === 1 ? 'photo' : 'photo' + slotNum;
+                    updates[fieldName] = base64;
+                }
+            }
+        }
+
        // 프로젝트 변경 확인
        var newProjectId = parseInt(document.getElementById('editProject').value);
        var issue = issues.find(function (i) { return i.id === currentIssueId; });
--- a/system3-nonconformance/web/static/js/pages/issues-management.js
+++ b/system3-nonconformance/web/static/js/pages/issues-management.js
@@ -427,25 +427,37 @@ function createInProgressRow(issue, project) {
                    <div>
                        <label class="block text-sm font-medium text-gray-700 mb-2">업로드 사진</label>
                        ${(() => {
-                            const photos = [
+                            const photoSlots = [
                                issue.photo_path,
                                issue.photo_path2,
                                issue.photo_path3,
                                issue.photo_path4,
                                issue.photo_path5
-                            ].filter(p => p);
+                            ];
+                            const filled = photoSlots.filter(p => p);
+                            const emptyCount = 5 - filled.length;

-                            if (photos.length === 0) {
-                                return '<div class="w-20 h-20 bg-gray-100 rounded-lg flex items-center justify-center text-gray-400 text-xs border-2 border-dashed border-gray-300">사진 없음</div>';
-                            }
+                            const existing = filled.length === 0
+                                ? '<div class="w-20 h-20 bg-gray-100 rounded-lg flex items-center justify-center text-gray-400 text-xs border-2 border-dashed border-gray-300">사진 없음</div>'
+                                : `<div class="flex flex-wrap gap-2">
+                                     ${filled.map((path, idx) => `
+                                         <img src="${path}" class="w-20 h-20 object-cover rounded-lg cursor-pointer border-2 border-gray-200 hover:border-blue-400 transition-colors" onclick="openPhotoModal('${path}')" alt="업로드 사진 ${idx + 1}">
+                                     `).join('')}
+                                   </div>`;

-                            return `
-                                <div class="flex flex-wrap gap-2">
-                                    ${photos.map((path, idx) => `
-                                        <img src="${path}" class="w-20 h-20 object-cover rounded-lg cursor-pointer border-2 border-gray-200 hover:border-blue-400 transition-colors" onclick="openPhotoModal('${path}')" alt="업로드 사진 ${idx + 1}">
-                                    `).join('')}
+                            // 사진 보충 UI (빈 슬롯에만 채움, 저장 버튼 클릭 시 업로드)
+                            const uploadUi = isPendingCompletion ? '' : (emptyCount > 0 ? `
+                                <div class="mt-3 pt-3 border-t border-gray-200">
+                                    <label class="block text-xs font-medium text-gray-600 mb-1">
+                                        <i class="fas fa-plus-circle text-blue-500 mr-1"></i>사진 보충 (남은 슬롯: ${emptyCount}장)
+                                    </label>
+                                    <input type="file" id="original_photo_${issue.id}" accept="image/*" multiple
+                                           class="block w-full text-xs text-gray-500 file:mr-3 file:py-1.5 file:px-3 file:rounded-md file:border-0 file:text-xs file:font-semibold file:bg-blue-50 file:text-blue-700 hover:file:bg-blue-100">
+                                    <p class="text-xs text-gray-400 mt-1">※ 비어있는 슬롯에만 자동으로 채워집니다 (기존 사진은 유지). 저장 버튼 클릭 시 업로드.</p>
                                </div>
-                            `;
+                            ` : '<p class="text-xs text-gray-400 mt-2"><i class="fas fa-info-circle mr-1"></i>5장 모두 찬 상태입니다</p>');
+
+                            return existing + uploadUi;
                        })()}
                    </div>
                </div>
@@ -909,6 +921,36 @@ async function saveIssueChanges(issueId) {
            }
        }

+        // 원본 사진 보충 — 빈 슬롯에만 자동 채움 (기존 사진 유지)
+        const originalPhotoInput = document.getElementById(`original_photo_${issueId}`);
+        if (originalPhotoInput && originalPhotoInput.files && originalPhotoInput.files.length > 0) {
+            const currentIssue = issues.find(i => i.id === issueId);
+            if (currentIssue) {
+                const slotKeys = ['photo_path', 'photo_path2', 'photo_path3', 'photo_path4', 'photo_path5'];
+                const emptySlots = [];
+                slotKeys.forEach((key, idx) => {
+                    if (!currentIssue[key]) emptySlots.push(idx + 1);
+                });
+
+                if (emptySlots.length === 0) {
+                    alert('원본 사진 슬롯이 가득 찼습니다. 보충할 수 없습니다.');
+                    return;
+                }
+
+                const files = Array.from(originalPhotoInput.files).slice(0, emptySlots.length);
+                if (originalPhotoInput.files.length > emptySlots.length) {
+                    alert(`빈 슬롯은 ${emptySlots.length}개인데 ${originalPhotoInput.files.length}개를 선택하셨습니다. 처음 ${emptySlots.length}장만 업로드됩니다.`);
+                }
+
+                for (let i = 0; i < files.length; i++) {
+                    const slotNum = emptySlots[i];
+                    const base64 = await fileToBase64(files[i]);
+                    const fieldName = slotNum === 1 ? 'photo' : `photo${slotNum}`;
+                    updates[fieldName] = base64;
+                }
+            }
+        }
+
        // API 호출
        const response = await fetch(`/api/issues/${issueId}/management`, {
            method: 'PUT',
@@ -1153,25 +1195,39 @@ function createModalContent(issue, project) {
                    <div>
                        <label class="block text-sm font-medium text-gray-700 mb-1">업로드 사진</label>
                        ${(() => {
-                            const photos = [
+                            const photoSlots = [
                                issue.photo_path,
                                issue.photo_path2,
                                issue.photo_path3,
                                issue.photo_path4,
                                issue.photo_path5
-                            ].filter(p => p);
+                            ];
+                            const filled = photoSlots.filter(p => p);
+                            const emptyCount = 5 - filled.length;

-                            if (photos.length === 0) {
-                                return '<div class="w-20 h-20 bg-gray-200 rounded flex items-center justify-center text-gray-500 text-xs">없음</div>';
-                            }
+                            const existingHtml = filled.length === 0
+                                ? '<div class="w-20 h-20 bg-gray-200 rounded flex items-center justify-center text-gray-500 text-xs">없음</div>'
+                                : `<div class="flex flex-wrap gap-2">
+                                     ${filled.map((path, idx) => `
+                                         <img src="${path}" class="w-20 h-20 object-cover rounded cursor-pointer border-2 border-gray-300 hover:border-blue-400 transition-colors" onclick="openPhotoModal('${path}')" alt="업로드 사진 ${idx + 1}">
+                                     `).join('')}
+                                   </div>`;

-                            return `
-                                <div class="flex flex-wrap gap-2">
-                                    ${photos.map((path, idx) => `
-                                        <img src="${path}" class="w-20 h-20 object-cover rounded cursor-pointer border-2 border-gray-300 hover:border-blue-400 transition-colors" onclick="openPhotoModal('${path}')" alt="업로드 사진 ${idx + 1}">
-                                    `).join('')}
+                            // 사진 보충 업로드 UI (빈 슬롯에만 채움)
+                            const uploadHtml = emptyCount > 0 ? `
+                                <div class="mt-3 pt-3 border-t border-gray-200">
+                                    <label class="block text-xs font-medium text-gray-600 mb-1">
+                                        <i class="fas fa-plus-circle text-blue-500 mr-1"></i>사진 보충 (남은 슬롯: ${emptyCount}장)
+                                    </label>
+                                    <input type="file" id="modal_original_photo" accept="image/*" multiple
+                                           class="block w-full text-xs text-gray-500 file:mr-3 file:py-1.5 file:px-3 file:rounded-md file:border-0 file:text-xs file:font-semibold file:bg-blue-50 file:text-blue-700 hover:file:bg-blue-100">
+                                    <p class="text-xs text-gray-400 mt-1">※ 비어있는 슬롯에만 자동으로 채워집니다 (기존 사진은 유지)</p>
                                </div>
+                            ` : `
+                                <p class="text-xs text-gray-400 mt-2"><i class="fas fa-info-circle mr-1"></i>5장 모두 찬 상태입니다</p>
                            `;
+
+                            return existingHtml + uploadHtml;
                        })()}
                    </div>
                </div>
@@ -1294,6 +1350,37 @@ async function saveModalChanges() {

        }

+        // 원본 사진 보충 처리 — 빈 슬롯에만 채움 (기존 사진 유지)
+        const originalPhotoInput = document.getElementById('modal_original_photo');
+        if (originalPhotoInput && originalPhotoInput.files && originalPhotoInput.files.length > 0) {
+            const currentIssue = issues.find(i => i.id === currentModalIssueId);
+            if (currentIssue) {
+                // 빈 슬롯 번호 수집 (1~5)
+                const slotKeys = ['photo_path', 'photo_path2', 'photo_path3', 'photo_path4', 'photo_path5'];
+                const emptySlots = [];
+                slotKeys.forEach((key, idx) => {
+                    if (!currentIssue[key]) emptySlots.push(idx + 1);
+                });
+
+                if (emptySlots.length === 0) {
+                    alert('원본 사진 슬롯이 모두 찼습니다. 보충할 수 없습니다.');
+                    return;
+                }
+
+                const files = Array.from(originalPhotoInput.files).slice(0, emptySlots.length);
+                if (originalPhotoInput.files.length > emptySlots.length) {
+                    alert(`빈 슬롯은 ${emptySlots.length}개인데 ${originalPhotoInput.files.length}개를 선택하셨습니다. 처음 ${emptySlots.length}장만 업로드됩니다.`);
+                }
+
+                for (let i = 0; i < files.length; i++) {
+                    const slotNum = emptySlots[i];
+                    const base64 = await fileToBase64(files[i]);
+                    const fieldName = slotNum === 1 ? 'photo' : `photo${slotNum}`;
+                    updates[fieldName] = base64;
+                }
+            }
+        }
+
        console.log('Modal sending updates:', updates);

        // API 호출
--- a/system3-nonconformance/web/static/js/sso-relay.js
+++ b/system3-nonconformance/web/static/js/sso-relay.js
@@ -0,0 +1,39 @@
+/**
+ * SSO Token Relay — 인앱 브라우저(카카오톡 등) 서브도메인 쿠키 미공유 대응
+ *
+ * Canonical source: shared/frontend/sso-relay.js
+ * 전 서비스 동일 코드 — 수정 시 아래 파일 <20><><EFBFBD>체 갱신 필요:
+ *   system1-factory/web/js/sso-relay.js
+ *   system2-report/web/js/sso-relay.js
+ *   system3-nonconformance/web/static/js/sso-relay.js
+ *   user-management/web/static/js/sso-relay.js
+ *   tkpurchase/web/static/js/sso-relay.js
+ *   tksafety/web/static/js/sso-relay.js
+ *   tksupport/web/static/js/sso-relay.js
+ *
+ * 동작: URL hash에 _sso= 파라미터가 있으면 토큰을 로컬 쿠키+localStorage에 설정하고 hash를 제거.
+ * gateway/dashboard.html에서 로그인 성공 후 redirect URL에 #_sso=<token>을 붙여 전달.
+ */
+(function() {
+  var hash = location.hash;
+  if (!hash || hash.indexOf('_sso=') === -1) return;
+
+  var match = hash.match(/[#&]_sso=([^&]*)/);
+  if (!match) return;
+
+  var token = decodeURIComponent(match[1]);
+  if (!token) return;
+
+  // 로컬(1st-party) 쿠키 설정
+  var cookie = 'sso_token=' + encodeURIComponent(token) + '; path=/; max-age=604800';
+  if (location.hostname.indexOf('technicalkorea.net') !== -1) {
+    cookie += '; domain=.technicalkorea.net; secure; samesite=lax';
+  }
+  document.cookie = cookie;
+
+  // localStorage 폴백
+  try { localStorage.setItem('sso_token', token); } catch (e) {}
+
+  // URL에서 hash 제거
+  history.replaceState(null, '', location.pathname + location.search);
+})();
--- a/tkpurchase/web/accounts.html
+++ b/tkpurchase/web/accounts.html
@@ -133,6 +133,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkpurchase-core.js?v=2026040101"></script>
    <script src="/static/js/tkpurchase-accounts.js?v=2026031601"></script>
    <script>initAccountsPage();</script>
--- a/tkpurchase/web/daylabor.html
+++ b/tkpurchase/web/daylabor.html
@@ -148,6 +148,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkpurchase-core.js?v=2026040101"></script>
    <script src="/static/js/tkpurchase-daylabor.js?v=2026031601"></script>
    <script>initDayLaborPage();</script>
--- a/tkpurchase/web/index.html
+++ b/tkpurchase/web/index.html
@@ -88,6 +88,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkpurchase-core.js?v=2026040101"></script>
    <script src="/static/js/tkpurchase-dashboard.js?v=2026031601"></script>
    <script>initDashboard();</script>
--- a/tkpurchase/web/partner-history.html
+++ b/tkpurchase/web/partner-history.html
@@ -61,6 +61,7 @@
        <div id="historyPagination" class="mt-4 flex justify-center gap-2"></div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkpurchase-core.js?v=2026040101"></script>
    <script src="/static/js/tkpurchase-partner-history.js?v=2026031602"></script>
    <script>initPartnerHistory();</script>
--- a/tkpurchase/web/partner-portal.html
+++ b/tkpurchase/web/partner-portal.html
@@ -81,6 +81,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkpurchase-core.js?v=2026040101"></script>
    <script src="/static/js/tkpurchase-partner-portal.js?v=2026031602"></script>
    <script>initPartnerPortal();</script>
--- a/tkpurchase/web/partner.html
+++ b/tkpurchase/web/partner.html
@@ -294,6 +294,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkpurchase-core.js?v=2026040101"></script>
    <script src="/static/js/tkpurchase-partner.js?v=2026031601"></script>
    <script>initPartnerPage();</script>
--- a/tkpurchase/web/schedule.html
+++ b/tkpurchase/web/schedule.html
@@ -275,6 +275,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkpurchase-core.js?v=2026040101"></script>
    <script src="/static/js/tkpurchase-schedule.js?v=2026031602"></script>
    <script>initSchedulePage();</script>
--- a/tkpurchase/web/static/js/sso-relay.js
+++ b/tkpurchase/web/static/js/sso-relay.js
@@ -0,0 +1,39 @@
+/**
+ * SSO Token Relay — 인앱 브라우저(카카오톡 등) 서브도메인 쿠키 미공유 대응
+ *
+ * Canonical source: shared/frontend/sso-relay.js
+ * 전 서비스 동일 코드 — 수정 시 아래 파일 <20><><EFBFBD>체 갱신 필요:
+ *   system1-factory/web/js/sso-relay.js
+ *   system2-report/web/js/sso-relay.js
+ *   system3-nonconformance/web/static/js/sso-relay.js
+ *   user-management/web/static/js/sso-relay.js
+ *   tkpurchase/web/static/js/sso-relay.js
+ *   tksafety/web/static/js/sso-relay.js
+ *   tksupport/web/static/js/sso-relay.js
+ *
+ * 동작: URL hash에 _sso= 파라미터가 있으면 토큰을 로컬 쿠키+localStorage에 설정하고 hash를 제거.
+ * gateway/dashboard.html에서 로그인 성공 후 redirect URL에 #_sso=<token>을 붙여 전달.
+ */
+(function() {
+  var hash = location.hash;
+  if (!hash || hash.indexOf('_sso=') === -1) return;
+
+  var match = hash.match(/[#&]_sso=([^&]*)/);
+  if (!match) return;
+
+  var token = decodeURIComponent(match[1]);
+  if (!token) return;
+
+  // 로컬(1st-party) 쿠키 설정
+  var cookie = 'sso_token=' + encodeURIComponent(token) + '; path=/; max-age=604800';
+  if (location.hostname.indexOf('technicalkorea.net') !== -1) {
+    cookie += '; domain=.technicalkorea.net; secure; samesite=lax';
+  }
+  document.cookie = cookie;
+
+  // localStorage 폴백
+  try { localStorage.setItem('sso_token', token); } catch (e) {}
+
+  // URL에서 hash 제거
+  history.replaceState(null, '', location.pathname + location.search);
+})();
--- a/tkpurchase/web/workreport-summary.html
+++ b/tkpurchase/web/workreport-summary.html
@@ -100,6 +100,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkpurchase-core.js?v=2026040101"></script>
    <script src="/static/js/tkpurchase-workreport-summary.js?v=2026031601"></script>
    <script>initSummaryPage();</script>
--- a/tkpurchase/web/workreport.html
+++ b/tkpurchase/web/workreport.html
@@ -114,6 +114,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkpurchase-core.js?v=2026040101"></script>
    <script src="/static/js/tkpurchase-workreport.js?v=2026031601"></script>
    <script>initWorkReportPage();</script>
--- a/tksafety/web/checklist.html
+++ b/tksafety/web/checklist.html
@@ -164,6 +164,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tksafety-core.js?v=2026040101"></script>
    <script src="/static/js/tksafety-checklist.js?v=2026031401"></script>
    <script>initChecklistPage();</script>
--- a/tksafety/web/education.html
+++ b/tksafety/web/education.html
@@ -190,6 +190,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tksafety-core.js?v=2026040101"></script>
    <script src="/static/js/tksafety-education.js?v=2026031401"></script>
    <script>initEducationPage();</script>
--- a/tksafety/web/entry-dashboard.html
+++ b/tksafety/web/entry-dashboard.html
@@ -106,6 +106,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tksafety-core.js?v=2026040101"></script>
    <script src="/static/js/tksafety-entry-dashboard.js?v=2026031401"></script>
    <script>initEntryDashboard();</script>
--- a/tksafety/web/index.html
+++ b/tksafety/web/index.html
@@ -277,6 +277,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tksafety-core.js?v=2026040101"></script>
    <script src="/static/js/tksafety-visit.js?v=2026031401"></script>
    <script>initVisitPage();</script>
--- a/tksafety/web/risk-assess.html
+++ b/tksafety/web/risk-assess.html
@@ -210,6 +210,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tksafety-core.js?v=2026040101"></script>
    <script src="/static/js/tksafety-risk.js?v=2026031501"></script>
    <script>initRiskAssessPage();</script>
--- a/tksafety/web/risk-projects.html
+++ b/tksafety/web/risk-projects.html
@@ -166,6 +166,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tksafety-core.js?v=2026040101"></script>
    <script src="/static/js/tksafety-risk.js?v=2026031501"></script>
    <script>
--- a/tksafety/web/static/js/sso-relay.js
+++ b/tksafety/web/static/js/sso-relay.js
@@ -0,0 +1,39 @@
+/**
+ * SSO Token Relay — 인앱 브라우저(카카오톡 등) 서브도메인 쿠키 미공유 대응
+ *
+ * Canonical source: shared/frontend/sso-relay.js
+ * 전 서비스 동일 코드 — 수정 시 아래 파일 <20><><EFBFBD>체 갱신 필요:
+ *   system1-factory/web/js/sso-relay.js
+ *   system2-report/web/js/sso-relay.js
+ *   system3-nonconformance/web/static/js/sso-relay.js
+ *   user-management/web/static/js/sso-relay.js
+ *   tkpurchase/web/static/js/sso-relay.js
+ *   tksafety/web/static/js/sso-relay.js
+ *   tksupport/web/static/js/sso-relay.js
+ *
+ * 동작: URL hash에 _sso= 파라미터가 있으면 토큰을 로컬 쿠키+localStorage에 설정하고 hash를 제거.
+ * gateway/dashboard.html에서 로그인 성공 후 redirect URL에 #_sso=<token>을 붙여 전달.
+ */
+(function() {
+  var hash = location.hash;
+  if (!hash || hash.indexOf('_sso=') === -1) return;
+
+  var match = hash.match(/[#&]_sso=([^&]*)/);
+  if (!match) return;
+
+  var token = decodeURIComponent(match[1]);
+  if (!token) return;
+
+  // 로컬(1st-party) 쿠키 설정
+  var cookie = 'sso_token=' + encodeURIComponent(token) + '; path=/; max-age=604800';
+  if (location.hostname.indexOf('technicalkorea.net') !== -1) {
+    cookie += '; domain=.technicalkorea.net; secure; samesite=lax';
+  }
+  document.cookie = cookie;
+
+  // localStorage 폴백
+  try { localStorage.setItem('sso_token', token); } catch (e) {}
+
+  // URL에서 hash 제거
+  history.replaceState(null, '', location.pathname + location.search);
+})();
--- a/tksafety/web/training.html
+++ b/tksafety/web/training.html
@@ -214,6 +214,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tksafety-core.js?v=2026040101"></script>
    <script src="/static/js/tksafety-training.js"></script>
    <script>initTrainingPage();</script>
--- a/tksafety/web/visit-management.html
+++ b/tksafety/web/visit-management.html
@@ -184,6 +184,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tksafety-core.js?v=2026040101"></script>
    <script src="/static/js/tksafety-visit-management.js?v=2026031401"></script>
    <script>initVisitManagementPage();</script>
--- a/tksafety/web/visit-request.html
+++ b/tksafety/web/visit-request.html
@@ -148,6 +148,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tksafety-core.js?v=2026040101"></script>
    <script src="/static/js/tksafety-visit-request.js?v=2026031401"></script>
    <script>initVisitRequestPage();</script>
--- a/tksupport/web/company-holidays.html
+++ b/tksupport/web/company-holidays.html
@@ -108,6 +108,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tksupport-core.js?v=2026040101"></script>
    <script>
    async function initPage() {
--- a/tksupport/web/index.html
+++ b/tksupport/web/index.html
@@ -123,6 +123,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tksupport-core.js?v=2026040101"></script>
    <script>
    let vacationTypes = [];
--- a/tksupport/web/static/js/sso-relay.js
+++ b/tksupport/web/static/js/sso-relay.js
@@ -0,0 +1,39 @@
+/**
+ * SSO Token Relay — 인앱 브라우저(카카오톡 등) 서브도메인 쿠키 미공유 대응
+ *
+ * Canonical source: shared/frontend/sso-relay.js
+ * 전 서비스 동일 코드 — 수정 시 아래 파일 <20><><EFBFBD>체 갱신 필요:
+ *   system1-factory/web/js/sso-relay.js
+ *   system2-report/web/js/sso-relay.js
+ *   system3-nonconformance/web/static/js/sso-relay.js
+ *   user-management/web/static/js/sso-relay.js
+ *   tkpurchase/web/static/js/sso-relay.js
+ *   tksafety/web/static/js/sso-relay.js
+ *   tksupport/web/static/js/sso-relay.js
+ *
+ * 동작: URL hash에 _sso= 파라미터가 있으면 토큰을 로컬 쿠키+localStorage에 설정하고 hash를 제거.
+ * gateway/dashboard.html에서 로그인 성공 후 redirect URL에 #_sso=<token>을 붙여 전달.
+ */
+(function() {
+  var hash = location.hash;
+  if (!hash || hash.indexOf('_sso=') === -1) return;
+
+  var match = hash.match(/[#&]_sso=([^&]*)/);
+  if (!match) return;
+
+  var token = decodeURIComponent(match[1]);
+  if (!token) return;
+
+  // 로컬(1st-party) 쿠키 설정
+  var cookie = 'sso_token=' + encodeURIComponent(token) + '; path=/; max-age=604800';
+  if (location.hostname.indexOf('technicalkorea.net') !== -1) {
+    cookie += '; domain=.technicalkorea.net; secure; samesite=lax';
+  }
+  document.cookie = cookie;
+
+  // localStorage 폴백
+  try { localStorage.setItem('sso_token', token); } catch (e) {}
+
+  // URL에서 hash 제거
+  history.replaceState(null, '', location.pathname + location.search);
+})();
--- a/tksupport/web/vacation-admin.html
+++ b/tksupport/web/vacation-admin.html
@@ -113,6 +113,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tksupport-core.js?v=2026040101"></script>
    <script>
    const TYPE_COLOR = {
--- a/tksupport/web/vacation-approval.html
+++ b/tksupport/web/vacation-approval.html
@@ -203,6 +203,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tksupport-core.js?v=2026040101"></script>
    <script>
    let reviewAction = '';
--- a/tksupport/web/vacation-dashboard.html
+++ b/tksupport/web/vacation-dashboard.html
@@ -145,6 +145,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tksupport-core.js?v=2026040101"></script>
    <script>
    const TYPE_COLOR = {
--- a/tksupport/web/vacation-request.html
+++ b/tksupport/web/vacation-request.html
@@ -84,6 +84,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tksupport-core.js?v=2026040101"></script>
    <script>
    async function initRequestPage() {
--- a/tksupport/web/vacation-status.html
+++ b/tksupport/web/vacation-status.html
@@ -120,6 +120,7 @@
        </div>
    </div>

+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tksupport-core.js?v=2026040101"></script>
    <script>
    let cachedRequests = [];
--- a/user-management/web/index.html
+++ b/user-management/web/index.html
@@ -2418,6 +2418,7 @@
    </div>

    <!-- JS: Core (config, token, api, toast, helpers, init) -->
+    <script src="/static/js/sso-relay.js?v=20260401"></script>
    <script src="/static/js/tkuser-core.js?v=2026040101"></script>
    <!-- JS: Tabs -->
    <script src="/static/js/tkuser-tabs.js?v=2026032301"></script>
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Hyungi Ahn	bbffa47a9d	fix: HEIC 프리뷰 placeholder + 모바일 사진함 접근 허용 1. issue-report.js updatePhotoSlot: 브라우저가 <img> 로 렌더링 못하는 포맷(HEIC 등) 감지해서 녹색 placeholder("📷 HEIC 첨부됨") 로 대체. photos[index] 데이터는 유지해서 업로드는 정상 동작 (서버 ImageMagick fallback 이 HEIC→JPEG 변환). 데스크톱 Chrome 에서 깨진 이미지 아이콘 보이던 문제 해결. 2. m/management.html editPhotoInput: capture="environment" 제거. 이 속성이 있으면 모바일에서 카메라 직접 호출만 되고 사진함 선택 UI 가 나오지 않음. 관리함 사진 보충 시 기존 사진에서 고를 수 있어야 함. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-09 14:01:29 +09:00
Hyungi Ahn	bf0d7fd87a	fix(tkqc): iPhone HEIC 업로드 실패 → ImageMagick fallback 추가 증상: 사용자가 iPhone HEIC 사진을 관리함에서 업로드하면 400 Bad Request. 로그: ⚠️ pillow_heif 직접 처리 실패: Metadata not correctly assigned to image ❌ HEIF 처리도 실패: cannot identify image file 원인: pillow_heif 가 특정 iPhone 이 생성한 HEIC 의 메타데이터를 처리 못함. libheif 를 직접 사용하는 ImageMagick 이 더 범용적이라 system2-report/imageUploadService.js 와 동일한 패턴으로 fallback 추가. 변경: - Dockerfile: imagemagick + libheif1 apt-get 추가 + HEIC policy.xml 해제 - file_service.py: pillow_heif/PIL 실패 시 subprocess 로 magick/convert 호출해서 임시 파일로 JPEG 변환 후 다시 PIL 로 open Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-09 13:51:24 +09:00
Hyungi Ahn	56f626911a	fix(tkqc): 관리함 데스크톱 인라인 카드에도 사진 보충 UI 추가 첫 커밋(`178155d`)에서는 createModalContent(완료된 이슈 상세 모달)에만 사진 보충 input을 추가했는데, 데스크톱 관리함은 상세 모달이 아니라 createInProgressRow 로 렌더링되는 인라인 카드(저장/삭제/완료처리 버튼이 카드에 직접 있는 형태) 이었음. 사용자 스크린샷으로 확인. - createInProgressRow: "업로드 사진" 섹션 아래 file input 추가 - saveIssueChanges: 저장 시 빈 슬롯에만 photo/photo2~5 base64 업로드 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-09 13:46:46 +09:00
Hyungi Ahn	178155df6b	fix(tkqc): 사진 silent data loss 차단 + 관리함 사진 보충 기능 근본 원인: 2026-04-01 보안 패치(`f09c86e`)에서 system3-api Dockerfile에 USER appuser 추가했으나, named volume(tkqc-package_uploads)이 root 소유로 남아있어 appuser(999)가 /app/uploads 에 쓰기 실패. 하지만 file_service.py 가 except → return None 으로 silent failure 처리해서 system2는 200 OK 로 인식. 결과: 4/1 이후 qc_issues.id=185~191 사진이 전부 photo_path=NULL. 조치: 1. system3 Dockerfile: entrypoint.sh 추가 → 시작 시 chown 후 gosu appuser 강등 (named volume 이 restart 후에도 root로 돌아가는 문제 영구 해결) 2. file_service.py: save_base64_image 실패 시 RuntimeError raise (silent 금지) 3. system2 workIssueController: sendToMProject 실패/예외 시 system 알림 발송 4. 관리함 (desktop + mobile): 이슈 상세/편집 모달에 원본 사진 보충 UI 추가 - 빈 슬롯(photo_path{N}=NULL)에만 자동 채움, 기존 사진 유지 - ManagementUpdateRequest 스키마에 photo/photo2~5 필드 추가 - update_issue_management 엔드포인트에 사진 저장 루프 추가 런타임 chown 으로 immediate data loss 는 이미 차단됨 (09:28 KST). 이 커밋은 재발 방지 + 데이터 복구 UI 제공. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-09 13:28:24 +09:00
Hyungi Ahn	d49aa01bd5	fix: gateway 공장관리 카드 → dashboard-new.html로 변경 구 대시보드(dashboard.html)로 보내고 있었음. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-01 15:50:00 +09:00
Hyungi Ahn	f28922a3ae	fix(sw): /dashboard, /login 경로 SW fetch에서 제외 — 리다이렉트 루프 방지 SW가 /dashboard fetch → nginx proxy → gateway → 응답 → SW가 다시 fetch → 무한 루프. 프록시 경로는 SW 캐싱에서 제외. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-01 15:47:32 +09:00
Hyungi Ahn	7db072ed14	fix: /login, /dashboard 301 무한루프 해소 — gateway 내부 프록시로 전환 tkfb.technicalkorea.net이 system1-web을 직접 가리키므로 자기 자신으로 301 리다이렉트 → 무한 루프 발생. 외부 리다이렉트 대신 gateway 컨테이너로 내부 프록시. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-01 15:44:08 +09:00
Hyungi Ahn	0de9d5bb48	feat(sso): 인앱 브라우저 SSO 토큰 릴레이 — 카톡 WebView 쿠키 미공유 해결 카카오톡 인앱 WebView는 서브도메인 간 쿠키를 공유하지 않아 tkds에서 로그인 후 tkfb로 리다이렉트 시 인증이 풀리는 문제. - sso-relay.js: URL hash의 _sso= 토큰을 로컬 쿠키+localStorage로 설정 - gateway dashboard: 로그인 후 redirect URL에 #_sso=<token> 추가 - 전 서비스 HTML: core JS 직전에 sso-relay.js 로드 (81개 파일) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-01 15:44:02 +09:00