1. Client-side SHA-256 in drop box: browser computes and displays
file fingerprints via SubtleCrypto before upload. Receipt codes
are HMAC-derived from file hash so source can verify
correspondence. Source sees hash before submitting.
2. Drop box token persistence: replaced in-memory dict with SQLite
(dropbox.db). Tokens and receipts survive server restarts.
Receipt verification now returns filename, SHA-256, and timestamp.
3. RFC 3161 trusted timestamps + manual anchors: new
federation/anchors.py with get_chain_head_anchor(),
submit_rfc3161(), save_anchor(), and manual export format.
CLI: `soosef chain anchor [--tsa URL]`. A single anchor
implicitly timestamps every preceding chain record.
4. Derived work lineage: attestation metadata supports
derived_from (parent record ID) and derivation_type
(crop, redact, brightness, etc.) for tracking edits
through the chain of custody.
5. Self-contained evidence package: new soosef.evidence module
with export_evidence_package() producing a ZIP with images,
attestation records, chain data, public key, standalone
verify.py script, and README.
6. Cold archive export: new soosef.archive module with
export_cold_archive() bundling chain.bin, verisoo log,
LMDB index, keys, anchors, trusted keys, ALGORITHMS.txt
documenting all crypto, and verification instructions.
Designed for OAIS (ISO 14721) alignment.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Resolves the tension between steganography (strip everything to
protect sources) and attestation (preserve evidence of provenance):
- New soosef.metadata module with extract_and_classify() and
extract_strip_pipeline() — classifies EXIF fields as evidentiary
(GPS, timestamp — valuable for proving provenance) vs dangerous
(device serial, firmware — could identify the source)
- Drop box now uses extract-then-strip: attests ORIGINAL bytes (hash
matches what source submitted), extracts evidentiary EXIF into
attestation metadata, strips dangerous fields, stores clean copy
- Attest route gains strip_device option: when enabled, includes
GPS/timestamp in attestation but excludes device serial/firmware
- Stego encode unchanged: still strips all metadata from carriers
(correct for steganography threat model)
The key insight: for stego, the carrier is a vessel (strip everything).
For attestation, EXIF is the evidence (extract, classify, preserve
selectively). Both hashes (original + stripped) are recorded so the
relationship between raw submission and stored copy is provable.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

1. Source drop box: token-gated anonymous upload with auto-attestation,
EXIF stripping, receipt codes, and self-destructing URLs. New
/dropbox blueprint with admin panel for token management. CSRF
exempted for source-facing upload routes.
2. Investigation namespaces: attestation records tagged with
investigation label via metadata. Log view filters by investigation
with dropdown. Supports long-running multi-story workflows.
3. Scale fixes: replaced O(n) full-scan perceptual hash search with
LMDB find_similar_images() index lookup. Added incremental chain
verification (verify_incremental) with last_verified_index
checkpoint in ChainState.
4. Deep forensic purge: killswitch now scrubs __pycache__, pip
dist-info, pip cache, and shell history entries containing 'soosef'.
Runs before package uninstall for maximum trace removal.
5. Cross-org federation: new federation/exchange.py with
export_attestation_bundle() and import_attestation_bundle().
Bundles are self-authenticating JSON with investigation filter.
Import validates against trust store fingerprints.
6. Wrong-key diagnostics: enhanced decrypt error messages include
current channel key fingerprint hint. New carrier_tracker.py
tracks carrier SHA-256 hashes and warns on reuse (statistical
analysis risk).
7. Selective disclosure: ChainStore.selective_disclosure() produces
proof bundles with full selected records + hash-only redacted
records + complete hash chain for linkage verification. New
`soosef chain disclose -i 0,5,10 -o proof.json` CLI command
for court-ordered evidence production.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
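
The selective disclosure bundle described in item 7 above, as an added sketch that is not soosef's own code. The commit message does not specify the record format, so the payload layout, the link hash `SHA-256(prev || SHA-256(payload))`, the genesis value, and the names `disclose` and `verify_bundle` are all assumptions.

```python
import hashlib
import json

GENESIS = "00" * 32  # assumed predecessor value for the first record


def payload_digest(payload: dict) -> str:
    """SHA-256 over canonical JSON (assumed encoding, not soosef's)."""
    blob = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def link(prev: str, digest: str) -> str:
    """Chain link: commits to the previous link and this record's digest."""
    return hashlib.sha256(bytes.fromhex(prev) + bytes.fromhex(digest)).hexdigest()


def chain_head(payloads) -> str:
    """Head of the full chain; in practice this is the anchored/signed value."""
    head = GENESIS
    for p in payloads:
        head = link(head, payload_digest(p))
    return head


def disclose(payloads, indices):
    """Bundle: full payload for selected records, digest only for the rest."""
    keep = set(indices)
    return [{"payload": dict(p)} if i in keep else {"digest": payload_digest(p)}
            for i, p in enumerate(payloads)]


def verify_bundle(entries, trusted_head):
    """Recompute every link; returns (ok, indices of disclosed records)."""
    head, disclosed = GENESIS, []
    for i, entry in enumerate(entries):
        if "payload" in entry:
            digest = payload_digest(entry["payload"])  # recomputed, not trusted
            disclosed.append(i)
        else:
            digest = entry.get("digest")               # redacted: digest only
        try:
            head = link(head, digest)
        except (TypeError, ValueError):                # missing or non-hex digest
            return False, []
    ok = head == trusted_head
    return ok, (disclosed if ok else [])
```

The verifier should take `trusted_head` from outside the bundle, for example from an anchor. A digest-only redaction also does not hide a payload that can be guessed; that needs a per-record random salt, which this sketch omits.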