Implement 14 power-user feature requests for field deployment

Critical:
- FR-01: Chain verification now supports key rotation via signed rotation
  records (soosef/key-rotation-v1 content type). Old single-signer
  invariant replaced with authorized-signers set.
- FR-02: Carrier images stripped of EXIF metadata by default before
  steganographic encoding (strip_metadata=True). Prevents source
  location/device leakage.

High priority:
- FR-03: Session timeout (default 15min) + secure cookie flags
  (HttpOnly, SameSite=Strict, Secure when HTTPS)
- FR-04: CSRF protection via Flask-WTF on all POST forms. Killswitch
  now requires password re-authentication.
- FR-05: Collaborator trust store — trust_key(), get_trusted_keys(),
  resolve_attestor_name(), untrust_key() in KeystoreManager.
- FR-06: Production WSGI server (Waitress) by default, Flask dev
  server only with --debug flag.
- FR-07: Dead man's switch sends warning during grace period via
  local file + optional webhook before auto-purge.

Medium:
- FR-08: Geofence get_current_location() via gpsd for --here support.
- FR-09: Batch attestation endpoint (/attest/batch) with SHA-256
  dedup and per-file status reporting.
- FR-10: Key backup tracking with last_backup_info() and
  is_backup_overdue() + backup_reminder_days config.
- FR-11: Verification receipts signed with instance Ed25519 key
  (schema_version bumped to 2).
- FR-12: Login rate limiting with configurable lockout (5 attempts,
  15 min default).

Nice-to-have:
- FR-13: Unified `soosef status` pre-flight command showing identity,
  channel key, deadman, geofence, chain, and backup status.
- FR-14: `soosef chain export` produces ZIP with JSON manifest,
  public key, and raw chain.bin for legal discovery.

Tests: 157 passed, 1 skipped, 1 pre-existing flaky test.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

tests/test_chain.py

@@ -283,5 +283,44 @@ def test_verify_chain_detects_signer_change(chain_dir: Path):
 
     store._state = None
 
-    with pytest.raises(ChainIntegrityError, match="signer changed"):
+    with pytest.raises(ChainIntegrityError, match="is not authorized"):
+        store.verify_chain()
+
+
+def test_key_rotation_in_chain(chain_dir: Path):
+    """Chain with a proper key rotation record verifies successfully."""
+    from soosef.federation.chain import CONTENT_TYPE_KEY_ROTATION
+
+    store = ChainStore(chain_dir)
+    key1 = Ed25519PrivateKey.generate()
+    key2 = Ed25519PrivateKey.generate()
+
+    # Append records with key1
+    store.append(hashlib.sha256(b"r0").digest(), "test/plain", key1)
+    store.append(hashlib.sha256(b"r1").digest(), "test/plain", key1)
+
+    # Rotate: old key signs a rotation record introducing new key
+    rotation = store.append_key_rotation(old_private_key=key1, new_private_key=key2)
+    assert rotation.content_type == CONTENT_TYPE_KEY_ROTATION
+    assert rotation.metadata["new_pubkey"]
+
+    # New key can now sign records
+    store.append(hashlib.sha256(b"r3").digest(), "test/plain", key2)
+    store.append(hashlib.sha256(b"r4").digest(), "test/plain", key2)
+
+    # Full chain verifies
+    assert store.verify_chain() is True
+
+
+def test_key_rotation_without_rotation_record_fails(chain_dir: Path):
+    """Using a new key without a rotation record is rejected."""
+    store = ChainStore(chain_dir)
+    key1 = Ed25519PrivateKey.generate()
+    key2 = Ed25519PrivateKey.generate()
+
+    store.append(hashlib.sha256(b"r0").digest(), "test/plain", key1)
+    # Directly use key2 without rotation — should fail verification
+    store.append(hashlib.sha256(b"r1").digest(), "test/plain", key2)
+
+    with pytest.raises(ChainIntegrityError, match="is not authorized"):
         store.verify_chain()