alee/fieldwitness
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implement 14 power-user feature requests for field deployment

Browse Source 
Critical:
- FR-01: Chain verification now supports key rotation via signed rotation
  records (soosef/key-rotation-v1 content type). Old single-signer
  invariant replaced with authorized-signers set.
- FR-02: Carrier images stripped of EXIF metadata by default before
  steganographic encoding (strip_metadata=True). Prevents source
  location/device leakage.

High priority:
- FR-03: Session timeout (default 15min) + secure cookie flags
  (HttpOnly, SameSite=Strict, Secure when HTTPS)
- FR-04: CSRF protection via Flask-WTF on all POST forms. Killswitch
  now requires password re-authentication.
- FR-05: Collaborator trust store — trust_key(), get_trusted_keys(),
  resolve_attestor_name(), untrust_key() in KeystoreManager.
- FR-06: Production WSGI server (Waitress) by default, Flask dev
  server only with --debug flag.
- FR-07: Dead man's switch sends warning during grace period via
  local file + optional webhook before auto-purge.

Medium:
- FR-08: Geofence get_current_location() via gpsd for --here support.
- FR-09: Batch attestation endpoint (/attest/batch) with SHA-256
  dedup and per-file status reporting.
- FR-10: Key backup tracking with last_backup_info() and
  is_backup_overdue() + backup_reminder_days config.
- FR-11: Verification receipts signed with instance Ed25519 key
  (schema_version bumped to 2).
- FR-12: Login rate limiting with configurable lockout (5 attempts,
  15 min default).

Nice-to-have:
- FR-13: Unified `soosef status` pre-flight command showing identity,
  channel key, deadman, geofence, chain, and backup status.
- FR-14: `soosef chain export` produces ZIP with JSON manifest,
  public key, and raw chain.bin for legal discovery.

Tests: 157 passed, 1 skipped, 1 pre-existing flaky test.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Aaron D. Lee
2026-04-01 19:35:36 -04:00
parent e3bc1cce1f
commit fb0cc3e39d
28 changed files with 656 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
frontends/web/templates/account.html
View File

@@ -47,6 +47,7 @@
</a>
{% if has_recovery %}
<form method="POST" action="{{ url_for('disable_recovery') }}" style="display:inline;">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<button type="submit" class="btn btn-outline-danger"
onclick="return confirm('Disable recovery? If you forget your password, you will NOT be able to recover your account.')">
<i class="bi bi-x-lg"></i>
@@ -69,6 +70,7 @@
<h6 class="text-muted mb-3">Change Password</h6>
<form method="POST" action="{{ url_for('account') }}" id="accountForm">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div class="mb-3">
<label class="form-label">
<i class="bi bi-key me-1"></i> Current Password
@@ -171,6 +173,7 @@
<hr>
<h6 class="text-muted mb-3">Add New Key</h6>
<form method="POST" action="{{ url_for('account_save_key') }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div class="row g-2 mb-2">
<div class="col-5">
<input type="text" name="key_name" class="form-control form-control-sm"
@@ -216,6 +219,7 @@
<div class="modal-dialog modal-sm">
<div class="modal-content">
<form method="POST" id="renameForm">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div class="modal-header">
<h6 class="modal-title">Rename Key</h6>
<button type="button" class="btn-close" data-bs-dismiss="modal"></button>

1
frontends/web/templates/admin/user_new.html
View File

@@ -12,6 +12,7 @@
</div>
<div class="card-body">
<form id="createUserForm">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div class="mb-3">
<label class="form-label">
<i class="bi bi-person me-1"></i> Username

1
frontends/web/templates/attest/attest.html
View File

@@ -23,6 +23,7 @@
{% endif %}
<form method="POST" enctype="multipart/form-data">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div class="mb-4">
<label for="image" class="form-label"><i class="bi bi-image me-1"></i>Image to Attest</label>
<input type="file" class="form-control" name="image" id="image"

1
frontends/web/templates/attest/verify.html
View File

@@ -15,6 +15,7 @@
</p>
<form method="POST" enctype="multipart/form-data">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div class="mb-4">
<label for="image" class="form-label"><i class="bi bi-image me-1"></i>Image to Verify</label>
<input type="file" class="form-control" name="image" id="image"

1
frontends/web/templates/attest/verify_result.html
View File

@@ -106,6 +106,7 @@
Re-upload the same image to produce the downloadable file.
</p>
<form action="/verify/receipt" method="post" enctype="multipart/form-data">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div class="mb-3">
<input class="form-control form-control-sm bg-dark text-light border-secondary"
type="file" name="image" accept="image/*" required>

2
frontends/web/templates/fieldkit/keys.html
View File

@@ -18,6 +18,7 @@
{% else %}
<p class="text-muted small">No channel key configured.</p>
<form method="POST" action="{{ url_for('keys.generate_channel') }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<button type="submit" class="btn btn-outline-warning btn-sm">
<i class="bi bi-plus-circle me-1"></i>Generate Channel Key
</button>
@@ -40,6 +41,7 @@
{% else %}
<p class="text-muted small">No identity configured.</p>
<form method="POST" action="{{ url_for('keys.generate_identity') }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<button type="submit" class="btn btn-outline-info btn-sm">
<i class="bi bi-plus-circle me-1"></i>Generate Identity
</button>

6
frontends/web/templates/fieldkit/killswitch.html
View File

@@ -21,12 +21,18 @@
<hr class="border-danger">
<form method="POST" action="{{ url_for('fieldkit.killswitch') }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<input type="hidden" name="action" value="fire">
<div class="mb-3">
<label class="form-label text-danger fw-bold">Type CONFIRM-PURGE to proceed:</label>
<input type="text" name="confirm" class="form-control bg-dark border-danger text-danger"
placeholder="CONFIRM-PURGE" autocomplete="off">
</div>
<div class="mb-3">
<label class="form-label text-danger fw-bold">Re-enter your password:</label>
<input type="password" name="password" class="form-control bg-dark border-danger text-danger"
autocomplete="current-password" required>
</div>
<button type="submit" class="btn btn-danger">
<i class="bi bi-exclamation-octagon me-1"></i>Execute Purge
</button>

1
frontends/web/templates/fieldkit/status.html
View File

@@ -31,6 +31,7 @@
{% endif %}
</p>
<form method="POST" action="{{ url_for('fieldkit.deadman_checkin') }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<button type="submit" class="btn btn-success btn-sm">
<i class="bi bi-check-circle me-1"></i>Check In Now
</button>

1
frontends/web/templates/login.html
View File

@@ -12,6 +12,7 @@
</div>
<div class="card-body">
<form method="POST" action="{{ url_for('login') }}">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div class="mb-3">
<label class="form-label">
<i class="bi bi-person me-1"></i> Username

1
frontends/web/templates/recover.html
View File

@@ -52,6 +52,7 @@
</div>
<form method="POST" action="{{ url_for('recover') }}" id="recoverForm">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<!-- Recovery Key Input -->
<div class="mb-3">
<label class="form-label">

1
frontends/web/templates/regenerate_recovery.html
View File

@@ -95,6 +95,7 @@
<!-- Confirmation Form -->
<form method="POST" id="recoveryForm">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<input type="hidden" name="recovery_key" value="{{ recovery_key }}">
<!-- Confirm checkbox -->

1
frontends/web/templates/setup.html
View File

@@ -16,6 +16,7 @@
</p>
<form method="POST" action="{{ url_for('setup') }}" id="setupForm">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div class="mb-3">
<label class="form-label">
<i class="bi bi-person me-1"></i> Username

1
frontends/web/templates/setup_recovery.html
View File

@@ -72,6 +72,7 @@
<!-- Confirmation Form -->
<form method="POST" id="recoveryForm">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<input type="hidden" name="recovery_key" value="{{ recovery_key }}">
<!-- Confirm checkbox -->

1
frontends/web/templates/stego/decode.html
View File

@@ -172,6 +172,7 @@
{% else %}
<!-- Decode Form -->
<form method="POST" enctype="multipart/form-data" id="decodeForm">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div class="accordion step-accordion" id="decodeAccordion">

1
frontends/web/templates/stego/encode.html
View File

@@ -126,6 +126,7 @@
</div>
<div class="card-body p-0">
<form method="POST" enctype="multipart/form-data" id="encodeForm">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div class="accordion step-accordion" id="encodeAccordion">

2
frontends/web/templates/stego/generate.html
View File

@@ -13,6 +13,7 @@
{% if not generated %}
<!-- Generation Form -->
<form method="POST">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<div class="mb-4">
<label class="form-label">Words per Passphrase</label>
<input type="range" class="form-range" name="words_per_passphrase"
@@ -237,6 +238,7 @@
<!-- Download Tab -->
<div class="tab-pane fade" id="keyDownloadTab" role="tabpanel">
<form action="{{ url_for('download_key') }}" method="POST" class="row g-2 align-items-end">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
<input type="hidden" name="key_pem" value="{{ rsa_key_pem }}">
<div class="col-md-8">
<label class="form-label small">Password to encrypt the key file</label>