Critical:
- FR-01: Chain verification now supports key rotation via signed rotation
records (soosef/key-rotation-v1 content type). Old single-signer
invariant replaced with authorized-signers set.
- FR-02: Carrier images stripped of EXIF metadata by default before
steganographic encoding (strip_metadata=True). Prevents source
location/device leakage.
High priority:
- FR-03: Session timeout (default 15min) + secure cookie flags
(HttpOnly, SameSite=Strict, Secure when HTTPS)
- FR-04: CSRF protection via Flask-WTF on all POST forms. Killswitch
now requires password re-authentication.
- FR-05: Collaborator trust store — trust_key(), get_trusted_keys(),
resolve_attestor_name(), untrust_key() in KeystoreManager.
- FR-06: Production WSGI server (Waitress) by default, Flask dev
server only with --debug flag.
- FR-07: Dead man's switch sends warning during grace period via
local file + optional webhook before auto-purge.
Medium:
- FR-08: Geofence get_current_location() via gpsd for --here support.
- FR-09: Batch attestation endpoint (/attest/batch) with SHA-256
dedup and per-file status reporting.
- FR-10: Key backup tracking with last_backup_info() and
is_backup_overdue() + backup_reminder_days config.
- FR-11: Verification receipts signed with instance Ed25519 key
(schema_version bumped to 2).
- FR-12: Login rate limiting with configurable lockout (5 attempts,
15 min default).
Nice-to-have:
- FR-13: Unified `soosef status` pre-flight command showing identity,
channel key, deadman, geofence, chain, and backup status.
- FR-14: `soosef chain export` produces ZIP with JSON manifest,
public key, and raw chain.bin for legal discovery.
Tests: 157 passed, 1 skipped, 1 pre-existing flaky test.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Templates referenced 'admin_user_new' (stegasoo convention) but the
soosef route is named 'admin_new_user'. Caused 500 error when clicking
"Add User" from admin panel.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
