Implement 14 power-user feature requests for field deployment
Critical: - FR-01: Chain verification now supports key rotation via signed rotation records (soosef/key-rotation-v1 content type). Old single-signer invariant replaced with authorized-signers set. - FR-02: Carrier images stripped of EXIF metadata by default before steganographic encoding (strip_metadata=True). Prevents source location/device leakage. High priority: - FR-03: Session timeout (default 15min) + secure cookie flags (HttpOnly, SameSite=Strict, Secure when HTTPS) - FR-04: CSRF protection via Flask-WTF on all POST forms. Killswitch now requires password re-authentication. - FR-05: Collaborator trust store — trust_key(), get_trusted_keys(), resolve_attestor_name(), untrust_key() in KeystoreManager. - FR-06: Production WSGI server (Waitress) by default, Flask dev server only with --debug flag. - FR-07: Dead man's switch sends warning during grace period via local file + optional webhook before auto-purge. Medium: - FR-08: Geofence get_current_location() via gpsd for --here support. - FR-09: Batch attestation endpoint (/attest/batch) with SHA-256 dedup and per-file status reporting. - FR-10: Key backup tracking with last_backup_info() and is_backup_overdue() + backup_reminder_days config. - FR-11: Verification receipts signed with instance Ed25519 key (schema_version bumped to 2). - FR-12: Login rate limiting with configurable lockout (5 attempts, 15 min default). Nice-to-have: - FR-13: Unified `soosef status` pre-flight command showing identity, channel key, deadman, geofence, chain, and backup status. - FR-14: `soosef chain export` produces ZIP with JSON manifest, public key, and raw chain.bin for legal discovery. Tests: 157 passed, 1 skipped, 1 pre-existing flaky test. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Aaron D. Lee
@@ -172,6 +172,7 @@
|
||||
{% else %}
|
||||
<!-- Decode Form -->
|
||||
<form method="POST" enctype="multipart/form-data" id="decodeForm">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
|
||||
|
||||
<div class="accordion step-accordion" id="decodeAccordion">
|
||||
|
||||
|
||||
@@ -126,6 +126,7 @@
|
||||
</div>
|
||||
<div class="card-body p-0">
|
||||
<form method="POST" enctype="multipart/form-data" id="encodeForm">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
|
||||
|
||||
<div class="accordion step-accordion" id="encodeAccordion">
|
||||
|
||||
|
||||
@@ -13,6 +13,7 @@
|
||||
{% if not generated %}
|
||||
<!-- Generation Form -->
|
||||
<form method="POST">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
|
||||
<div class="mb-4">
|
||||
<label class="form-label">Words per Passphrase</label>
|
||||
<input type="range" class="form-range" name="words_per_passphrase"
|
||||
@@ -237,6 +238,7 @@
|
||||
<!-- Download Tab -->
|
||||
<div class="tab-pane fade" id="keyDownloadTab" role="tabpanel">
|
||||
<form action="{{ url_for('download_key') }}" method="POST" class="row g-2 align-items-end">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
|
||||
<input type="hidden" name="key_pem" value="{{ rsa_key_pem }}">
|
||||
<div class="col-md-8">
|
||||
<label class="form-label small">Password to encrypt the key file</label>
|
||||
|
||||
Reference in New Issue
Block a user