Complete project rebrand for better positioning in the press freedom
and digital security space. FieldWitness communicates both field
deployment and evidence testimony — appropriate for the target audience
of journalists, NGOs, and human rights organizations.
Rename mapping:
- soosef → fieldwitness (package, CLI, all imports)
- soosef.stegasoo → fieldwitness.stego
- soosef.verisoo → fieldwitness.attest
- ~/.soosef/ → ~/.fwmetadata/ (innocuous data dir name)
- SOOSEF_DATA_DIR → FIELDWITNESS_DATA_DIR
- SoosefConfig → FieldWitnessConfig
- SoosefError → FieldWitnessError
Also includes:
- License switch from MIT to GPL-3.0
- C2PA bridge module (Phase 0-2 MVP): cert.py, export.py, vendor_assertions.py
- README repositioned to lead with provenance/federation, stego backgrounded
- Threat model skeleton at docs/security/threat-model.md
- Planning docs: docs/planning/c2pa-integration.md, docs/planning/gtm-feasibility.md
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CRITICAL:
- #1+#2: Consistency proof verification no longer a stub — implements
actual hash chain reconstruction from proof hashes, rejects proofs
that don't reconstruct to the expected root. GossipNode._verify_consistency
now calls verify_consistency_proof() instead of just checking sizes.
- #3: Remove passphrase.lower() from KDF — was silently discarding
case entropy from mixed-case passphrases. Passphrases are now
case-sensitive as users would expect.
- #4: Federation gossip now applies record_filter (trust store check)
on every received record before appending to the log. Untrusted
attestor fingerprints are rejected with a warning.
- #5: Killswitch disables all logging BEFORE activation to prevent
audit log from recording killswitch activity that could survive an
interrupted purge. Audit log destruction moved to position 4 (right
after keys + flask secret, before other data).
HIGH:
- #6: CSRF exemption narrowed from entire dropbox blueprint to only
the upload view function. Admin routes retain CSRF protection.
- #7: /health endpoint returns only {"status":"ok"} to anonymous
callers. Full operational report requires authentication.
- #8: Metadata stripping now reconstructs image from pixel data only
(Image.new + putdata), stripping XMP, IPTC, and ICC profiles — not
just EXIF.
- #9: Same as #6 (CSRF scope fix).
MEDIUM:
- #11: Receipt HMAC key changed from public upload token to server-side
secret key, making valid receipts unforgeable by the source or anyone
who captured the upload URL.
- #12: Docker CMD no longer defaults to --no-https. HTTPS with
self-signed cert is the default; --no-https requires explicit opt-in.
- #14: shred return code now checked — non-zero exit falls through to
the zero-overwrite fallback instead of silently succeeding.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Platform pivot from Raspberry Pi to three-tier model:
- Tier 1: Bootable Debian Live USB for field reporters
- Tier 2: Docker/K8s org server for newsrooms
- Tier 3: Docker/K8s federation relay for VPS
Tier 1 — Live USB (deploy/live-usb/):
- build.sh: live-build based image builder for amd64
- Package list: Python + system deps + minimal GUI (openbox + Firefox)
- Install hook: creates venv, pip installs soosef[web,cli,attest,...]
- Hardening hook: disable swap/coredumps, UFW, auto-login to web UI
- systemd service with security hardening (NoNewPrivileges, ProtectSystem)
- Auto-opens Firefox kiosk to http://127.0.0.1:5000 on boot
Tier 2+3 — Docker (deploy/docker/):
- Multi-stage Dockerfile with two targets:
- server: full web UI + stego + attestation + federation (Tier 2)
- relay: lightweight FastAPI attestation API only (Tier 3)
- docker-compose.yml with both services and persistent volumes
- .dockerignore for clean builds
Kubernetes (deploy/kubernetes/):
- namespace.yaml, server-deployment.yaml, relay-deployment.yaml
- PVCs, services, health checks, resource limits
- Single-writer strategy (Recreate, not RollingUpdate) for SQLite safety
- README with architecture diagram and deployment instructions
Config presets (deploy/config-presets/):
- low-threat.json: press freedom country (no killswitch, 30min sessions)
- medium-threat.json: restricted press (48h deadman, USB monitoring)
- high-threat.json: conflict zone (12h deadman, tamper monitoring, 5min sessions)
- critical-threat.json: targeted surveillance (127.0.0.1 only, 6h deadman, 3min sessions)
Deployment guide rewritten for three-tier model with RPi as legacy appendix.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
