fieldwitness

alee/fieldwitness

Fork 0

Commit Graph

Author	SHA1	Message	Date
Aaron D. Lee	0d8c94bf82	Fix 6 security issues from post-FR audit - Fix 3 missing CSRF tokens on admin user delete/reset and account key delete forms (were broken — CSRFProtect rejected submissions) - Fix trust store path traversal: untrust_key() now validates fingerprint format ([0-9a-f]{32}) and checks resolved path - Fix chain key rotation: old key is now revoked after rotation record, preventing compromised old keys from appending records - Fix SSRF in deadman webhook: block private/internal IP targets - Fix logout CSRF: /logout is now POST-only with CSRF token, preventing cross-site forced logout via img tags Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-01 19:44:15 -04:00
Aaron D. Lee	10838ce828	Replace stub templates with real stegasoo UI for generate, tools, admin Generate page: - Full form with passphrase word count slider, PIN/RSA toggles - Credential display with copy buttons, QR code, entropy breakdown - Channel key generation accordion - Added QR code routes (generate_qr, generate_qr_download) - Added RSA key download route (download_key) - Fixed route name: encode_page → encode Tools page: - Image capacity checker, EXIF viewer/editor, rotation, compression - Format conversion, image comparison - (API routes for tools pending — UI renders but actions need backend) Admin users page: - User table with role badges, creation dates - Add/delete/reset password actions - Fixed route names to match soosef conventions - Added user_count and current_user to template context Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-31 16:42:42 -04:00
Aaron D. Lee	b8d4eb5933	Add core modules, web frontend, CLI, keystore, and fieldkit Core: - paths.py: centralized ~/.soosef/ path constants - config.py: JSON config loader with dataclass defaults - exceptions.py: SoosefError hierarchy - cli.py: unified Click CLI wrapping stegasoo + verisoo + native commands Keystore: - manager.py: unified key management (Ed25519 identity + channel keys) - models.py: IdentityInfo, KeystoreStatus dataclasses - export.py: encrypted key bundle export/import for USB transfer Fieldkit: - killswitch.py: ordered emergency data destruction (keys first) - deadman.py: dead man's switch with check-in timer - tamper.py: SHA-256 file integrity baseline + checking - usb_monitor.py: pyudev USB whitelist enforcement - geofence.py: haversine-based GPS boundary checking Web frontend (Flask app factory + blueprints): - app.py: create_app() factory with context processor - blueprints: stego, attest, fieldkit, keys, admin - templates: base.html (dark theme, unified nav), dashboard, all section pages - static: CSS, favicon Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-31 14:30:13 -04:00

Author

SHA1

Message

Date

Aaron D. Lee

0d8c94bf82

Fix 6 security issues from post-FR audit

- Fix 3 missing CSRF tokens on admin user delete/reset and account
  key delete forms (were broken — CSRFProtect rejected submissions)
- Fix trust store path traversal: untrust_key() now validates
  fingerprint format ([0-9a-f]{32}) and checks resolved path
- Fix chain key rotation: old key is now revoked after rotation
  record, preventing compromised old keys from appending records
- Fix SSRF in deadman webhook: block private/internal IP targets
- Fix logout CSRF: /logout is now POST-only with CSRF token,
  preventing cross-site forced logout via img tags

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-01 19:44:15 -04:00

Aaron D. Lee

10838ce828

Replace stub templates with real stegasoo UI for generate, tools, admin

Generate page:
- Full form with passphrase word count slider, PIN/RSA toggles
- Credential display with copy buttons, QR code, entropy breakdown
- Channel key generation accordion
- Added QR code routes (generate_qr, generate_qr_download)
- Added RSA key download route (download_key)
- Fixed route name: encode_page → encode

Tools page:
- Image capacity checker, EXIF viewer/editor, rotation, compression
- Format conversion, image comparison
- (API routes for tools pending — UI renders but actions need backend)

Admin users page:
- User table with role badges, creation dates
- Add/delete/reset password actions
- Fixed route names to match soosef conventions
- Added user_count and current_user to template context

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-31 16:42:42 -04:00

Aaron D. Lee

b8d4eb5933

Add core modules, web frontend, CLI, keystore, and fieldkit

Core:
- paths.py: centralized ~/.soosef/ path constants
- config.py: JSON config loader with dataclass defaults
- exceptions.py: SoosefError hierarchy
- cli.py: unified Click CLI wrapping stegasoo + verisoo + native commands

Keystore:
- manager.py: unified key management (Ed25519 identity + channel keys)
- models.py: IdentityInfo, KeystoreStatus dataclasses
- export.py: encrypted key bundle export/import for USB transfer

Fieldkit:
- killswitch.py: ordered emergency data destruction (keys first)
- deadman.py: dead man's switch with check-in timer
- tamper.py: SHA-256 file integrity baseline + checking
- usb_monitor.py: pyudev USB whitelist enforcement
- geofence.py: haversine-based GPS boundary checking

Web frontend (Flask app factory + blueprints):
- app.py: create_app() factory with context processor
- blueprints: stego, attest, fieldkit, keys, admin
- templates: base.html (dark theme, unified nav), dashboard, all section pages
- static: CSS, favicon

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-31 14:30:13 -04:00

3 Commits