1. Source drop box: token-gated anonymous upload with auto-attestation,
EXIF stripping, receipt codes, and self-destructing URLs. New
/dropbox blueprint with admin panel for token management. CSRF
exempted for source-facing upload routes.
2. Investigation namespaces: attestation records tagged with
investigation label via metadata. Log view filters by investigation
with dropdown. Supports long-running multi-story workflows.
3. Scale fixes: replaced O(n) full-scan perceptual hash search with
LMDB find_similar_images() index lookup. Added incremental chain
verification (verify_incremental) with last_verified_index
checkpoint in ChainState.
4. Deep forensic purge: killswitch now scrubs __pycache__, pip
dist-info, pip cache, and shell history entries containing 'soosef'.
Runs before package uninstall for maximum trace removal.
5. Cross-org federation: new federation/exchange.py with
export_attestation_bundle() and import_attestation_bundle().
Bundles are self-authenticating JSON with investigation filter.
Import validates against trust store fingerprints.
6. Wrong-key diagnostics: enhanced decrypt error messages include
current channel key fingerprint hint. New carrier_tracker.py
tracks carrier SHA-256 hashes and warns on reuse (statistical
analysis risk).
7. Selective disclosure: ChainStore.selective_disclosure() produces
proof bundles with full selected records + hash-only redacted
records + complete hash chain for linkage verification. New
`soosef chain disclose -i 0,5,10 -o proof.json` CLI command
for court-ordered evidence production.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1. Transport-aware stego encoding: --transport flag (whatsapp/signal/
telegram/discord/email/direct) auto-selects DCT mode, pre-resizes
carrier to platform max dimension, prevents payload destruction
by messaging app recompression.
2. Standalone verification bundle: chain export ZIP now includes
verify_chain.py (zero-dep verification script) and README.txt
with instructions for courts and fact-checkers.
3. Channel-key-only export/import: export_channel_key() and
import_channel_key() with Argon2id encryption (64MB, lighter
than full bundle). channel_key_to_qr_data() for in-person
QR code exchange between collaborators.
4. Duress/cover mode: configurable SSL cert CN via cover_name
config (defaults to "localhost" instead of "SooSeF Local").
SOOSEF_DATA_DIR already supports directory renaming. Killswitch
PurgeScope.ALL now self-uninstalls the pip package.
5. Identity recovery from chain: find_signer_pubkey() searches chain
by fingerprint prefix. append_key_recovery() creates a recovery
record signed by new key with old fingerprint + cosigner list.
verify_chain() accepts recovery records.
6. Batch verification: /verify/batch web endpoint accepts multiple
files, returns per-file status (verified/unverified/error) with
exact vs perceptual match breakdown.
7. Chain position proof in receipt: verification receipts (now
schema v3) include chain_proof with chain_id, chain_index,
prev_hash, and record_hash for court admissibility.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Critical:
- FR-01: Chain verification now supports key rotation via signed rotation
records (soosef/key-rotation-v1 content type). Old single-signer
invariant replaced with authorized-signers set.
- FR-02: Carrier images stripped of EXIF metadata by default before
steganographic encoding (strip_metadata=True). Prevents source
location/device leakage.
High priority:
- FR-03: Session timeout (default 15min) + secure cookie flags
(HttpOnly, SameSite=Strict, Secure when HTTPS)
- FR-04: CSRF protection via Flask-WTF on all POST forms. Killswitch
now requires password re-authentication.
- FR-05: Collaborator trust store — trust_key(), get_trusted_keys(),
resolve_attestor_name(), untrust_key() in KeystoreManager.
- FR-06: Production WSGI server (Waitress) by default, Flask dev
server only with --debug flag.
- FR-07: Dead man's switch sends warning during grace period via
local file + optional webhook before auto-purge.
Medium:
- FR-08: Geofence get_current_location() via gpsd for --here support.
- FR-09: Batch attestation endpoint (/attest/batch) with SHA-256
dedup and per-file status reporting.
- FR-10: Key backup tracking with last_backup_info() and
is_backup_overdue() + backup_reminder_days config.
- FR-11: Verification receipts signed with instance Ed25519 key
(schema_version bumped to 2).
- FR-12: Login rate limiting with configurable lockout (5 attempts,
15 min default).
Nice-to-have:
- FR-13: Unified `soosef status` pre-flight command showing identity,
channel key, deadman, geofence, chain, and backup status.
- FR-14: `soosef chain export` produces ZIP with JSON manifest,
public key, and raw chain.bin for legal discovery.
Tests: 157 passed, 1 skipped, 1 pre-existing flaky test.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Merge stegasoo (v4.3.0, steganography) and verisoo (v0.1.0, attestation)
as subpackages under soosef.stegasoo and soosef.verisoo. This eliminates
cross-repo coordination and enables atomic changes across the full stack.
- Copy stegasoo (34 modules) and verisoo (15 modules) into src/soosef/
- Convert all verisoo absolute imports to relative imports
- Rewire ~50 import sites across soosef code (cli, web, keystore, tests)
- Replace stegasoo/verisoo pip deps with inlined code + pip extras
(stego-dct, stego-audio, attest, web, api, cli, fieldkit, all, dev)
- Add _availability.py for runtime feature detection
- Add unified FastAPI mount point at soosef.api
- Copy and adapt tests from both repos (155 pass, 1 skip)
- Drop standalone CLI/web frontends; keep FastAPI as optional modules
- Both source repos tagged pre-monorepo-consolidation on GitHub
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
