Fix all power-user review issues (FR-01 through FR-12)

FR-01: Fix data directory default from ~/.fieldwitness to ~/.fwmetadata
FR-02/05/07: Accept all file types for attestation (not just images)
  - Web UI, CLI, and batch now accept PDFs, CSVs, audio, video, etc.
  - Perceptual hashing for images, SHA-256-only for everything else
FR-03: Implement C2PA import path + CLI commands (export/verify/import/show)
FR-04: Fix GPS downsampling bias (math.floor → round)
FR-06: Add HTML/PDF evidence summaries for lawyers
  - Always generates summary.html, optional summary.pdf via xhtml2pdf
FR-08: Fix CLI help text ("FieldWitness -- FieldWitness" artifact)
FR-09: Centralize stray paths (trusted_keys, carrier_history, last_backup)
FR-10: Add 67 C2PA bridge tests (vendor assertions, cert, GPS, export)
FR-12: Add Tor onion service support for source drop box
  - fieldwitness serve --tor flag, persistent/transient modes
  - Killswitch covers hidden service keys

Also: bonus fix for attest/api.py hardcoded path bypassing paths.py

224 tests passing (67 new).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Aaron D. Lee
2026-04-02 20:10:37 -04:00
parent 3a9cb17a5a
commit 5b0d90eeaf
27 changed files with 3140 additions and 186 deletions


@@ -461,11 +461,19 @@ A malicious or compromised relay could suppress specific records. The design mit
to use the relay only for transport, never as an authoritative source -- but no
verification mechanism is implemented.
**L7: Drop box source anonymity is limited.** The drop box does not log source IP addresses
in attestation records or require accounts, but it does not anonymize the source's network
connection. A source's IP is visible to the Tier 2 server operator in web server access
logs. Organizations providing source protection should use Tor for source access and may
wish to configure the web server to not log IP addresses.
**L7: Drop box source anonymity is limited -- Tor support available.** The drop box does
not log source IP addresses in attestation records or require accounts. FieldWitness now
includes built-in Tor hidden service support: starting the server with `--tor` exposes the
drop box as a `.onion` address so that source IPs are never visible to the server operator.
Without `--tor`, a source's IP address is visible in web server access logs.
Organizations with source-protection requirements should use the `--tor` flag and instruct
sources to access the drop box only via Tor Browser. Operators should also configure any
reverse proxy to suppress access logging for `/dropbox/upload/` paths.
Even with Tor, timing analysis and traffic correlation attacks are possible at the network
level. Tor eliminates IP exposure at the server; it does not protect against a global
adversary correlating traffic timing. See `docs/source-dropbox.md` for setup instructions.
**L8: Steganalysis resistance is not guaranteed.** The steganography backend includes a
steganalysis module (`stego/steganalysis.py`) for estimating detection resistance, but
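Review bot: the rewritten L7 paragraph overstates the guarantee. `--tor` by itself does not make source IPs "never visible to the server operator" unless the clearnet listener is disabled or not advertised and sources actually connect through the `.onion` address; the same paragraph then tells operators to suppress access logging for `/dropbox/upload/`, which only makes sense if IPs can still reach the logs. Suggest "source IPs of connections arriving via the onion address are not visible to the server operator" and an explicit sentence that a source-protection deployment should disable or not expose the clearnet endpoint. Scoping log suppression to `/dropbox/upload/` is also narrower than the previous wording ("configure the web server to not log IP addresses"): the drop box landing page and any static assets would still be logged, so suppress logging for all `/dropbox/` paths or restore the general recommendation. Finally, since the paragraph now links to `docs/source-dropbox.md`, confirm that file is part of this commit.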