Complete project rebrand for better positioning in the press freedom
and digital security space. FieldWitness communicates both field
deployment and evidence testimony — appropriate for the target audience
of journalists, NGOs, and human rights organizations.
Rename mapping:
- soosef → fieldwitness (package, CLI, all imports)
- soosef.stegasoo → fieldwitness.stego
- soosef.verisoo → fieldwitness.attest
- ~/.soosef/ → ~/.fwmetadata/ (innocuous data dir name)
- SOOSEF_DATA_DIR → FIELDWITNESS_DATA_DIR
- SoosefConfig → FieldWitnessConfig
- SoosefError → FieldWitnessError
Also includes:
- License switch from MIT to GPL-3.0
- C2PA bridge module (Phase 0-2 MVP): cert.py, export.py, vendor_assertions.py
- README repositioned to lead with provenance/federation, stego backgrounded
- Threat model skeleton at docs/security/threat-model.md
- Planning docs: docs/planning/c2pa-integration.md, docs/planning/gtm-feasibility.md
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Critical:
- FR-01: Chain verification now supports key rotation via signed rotation
records (soosef/key-rotation-v1 content type). Old single-signer
invariant replaced with authorized-signers set.
- FR-02: Carrier images stripped of EXIF metadata by default before
steganographic encoding (strip_metadata=True). Prevents source
location/device leakage.
High priority:
- FR-03: Session timeout (default 15min) + secure cookie flags
(HttpOnly, SameSite=Strict, Secure when HTTPS)
- FR-04: CSRF protection via Flask-WTF on all POST forms. Killswitch
now requires password re-authentication.
- FR-05: Collaborator trust store — trust_key(), get_trusted_keys(),
resolve_attestor_name(), untrust_key() in KeystoreManager.
- FR-06: Production WSGI server (Waitress) by default, Flask dev
server only with --debug flag.
- FR-07: Dead man's switch sends warning during grace period via
local file + optional webhook before auto-purge.
Medium:
- FR-08: Geofence get_current_location() via gpsd for --here support.
- FR-09: Batch attestation endpoint (/attest/batch) with SHA-256
dedup and per-file status reporting.
- FR-10: Key backup tracking with last_backup_info() and
is_backup_overdue() + backup_reminder_days config.
- FR-11: Verification receipts signed with instance Ed25519 key
(schema_version bumped to 2).
- FR-12: Login rate limiting with configurable lockout (5 attempts,
15 min default).
Nice-to-have:
- FR-13: Unified `soosef status` pre-flight command showing identity,
channel key, deadman, geofence, chain, and backup status.
- FR-14: `soosef chain export` produces ZIP with JSON manifest,
public key, and raw chain.bin for legal discovery.
Tests: 157 passed, 1 skipped, 1 pre-existing flaky test.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Templates referenced 'admin_user_new' (stegasoo convention) but the
soosef route is named 'admin_new_user'. Caused 500 error when clicking
"Add User" from admin panel.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
