Fix 6 security issues from post-FR audit

- Fix 3 missing CSRF tokens on admin user delete/reset and account
  key delete forms (were broken — CSRFProtect rejected submissions)
- Fix trust store path traversal: untrust_key() now validates
  fingerprint format ([0-9a-f]{32}) and checks resolved path
- Fix chain key rotation: old key is now revoked after rotation
  record, preventing compromised old keys from appending records
- Fix SSRF in deadman webhook: block private/internal IP targets
- Fix logout CSRF: /logout is now POST-only with CSRF token,
  preventing cross-site forced logout via img tags

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

frontends/web/app.py

@@ -374,7 +374,7 @@ def _register_stegasoo_routes(app: Flask) -> None:
                     flash("Invalid username or password", "error")
         return render_template("login.html")
 
-    @app.route("/logout")
+    @app.route("/logout", methods=["POST"])
     def logout():
         auth_logout_user()
         flash("Logged out successfully", "success")

frontends/web/templates/account.html

@@ -157,6 +157,7 @@
                             <form method="POST" action="{{ url_for('account_delete_key', key_id=key.id) }}"
                                   style="display:inline;"
                                   onsubmit="return confirm('Delete key &quot;{{ key.name }}&quot;?')">
+                                <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
                                 <button type="submit" class="btn btn-outline-danger" title="Delete">
                                     <i class="bi bi-trash"></i>
                                 </button>

frontends/web/templates/admin/users.html

@@ -65,12 +65,14 @@
                                     {% if user.id != current_user.id %}
                                     <form method="POST" action="{{ url_for('admin_reset_password', user_id=user.id) }}"
                                           class="d-inline" onsubmit="return confirm('Reset password for {{ user.username }}?')">
+                                        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
                                         <button type="submit" class="btn btn-sm btn-outline-warning" title="Reset Password">
                                             <i class="bi bi-key"></i>
                                         </button>
                                     </form>
                                     <form method="POST" action="{{ url_for('admin_delete_user', user_id=user.id) }}"
                                           class="d-inline" onsubmit="return confirm('Delete user {{ user.username }}? This cannot be undone.')">
+                                        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
                                         <button type="submit" class="btn btn-sm btn-outline-danger" title="Delete User">
                                             <i class="bi bi-trash"></i>
                                         </button>

frontends/web/templates/base.html

@@ -102,7 +102,7 @@
                                 {% endif %}
                                 <li><hr class="dropdown-divider"></li>
                                 <li><a class="dropdown-item" href="/keys"><i class="bi bi-key me-2"></i>Keys</a></li>
-                                <li><a class="dropdown-item" href="/logout"><i class="bi bi-box-arrow-left me-2"></i>Logout</a></li>
+                                <li><form method="POST" action="/logout" class="d-inline"><input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/><button type="submit" class="dropdown-item"><i class="bi bi-box-arrow-left me-2"></i>Logout</button></form></li>
                             </ul>
                         </li>
                         {% else %}

src/soosef/federation/chain.py

@@ -499,6 +499,8 @@ class ChainStore:
                         f"Record {record.chain_index}: key rotation missing new_pubkey"
                     )
                 authorized_signers.add(bytes.fromhex(new_pubkey_hex))
+                # Revoke the old key — the rotation record was its last authorized action
+                authorized_signers.discard(record.signer_pubkey)
 
             prev_record = record
             expected_index += 1

src/soosef/fieldkit/deadman.py

@@ -114,6 +114,16 @@ class DeadmanSwitch:
 
         if webhook:
             try:
+                from urllib.parse import urlparse
+
+                parsed = urlparse(webhook)
+                hostname = parsed.hostname or ""
+                # Block private/internal targets to prevent SSRF
+                blocked = hostname in ("localhost", "127.0.0.1", "::1", "0.0.0.0")
+                blocked = blocked or hostname.startswith(("10.", "172.16.", "192.168.", "169.254."))
+                if blocked:
+                    logger.warning("Webhook blocked: internal/private URL %s", hostname)
+                else:
                     import urllib.request
 
                     data = json.dumps({"text": message}).encode()

src/soosef/keystore/manager.py

@@ -380,9 +380,14 @@ class KeystoreManager:
 
     def untrust_key(self, fingerprint: str) -> bool:
         """Remove a key from the trust store. Returns True if found and removed."""
+        import re
         import shutil
 
+        if not re.fullmatch(r"[0-9a-f]{32}", fingerprint):
+            raise KeystoreError(f"Invalid fingerprint format: {fingerprint!r}")
         key_dir = self._trusted_keys_dir / fingerprint
+        if not key_dir.resolve().is_relative_to(self._trusted_keys_dir.resolve()):
+            raise KeystoreError("Path traversal detected")
         if key_dir.exists():
             shutil.rmtree(key_dir)
             return True