0d8c94bf82
- Fix 3 missing CSRF tokens on admin user delete/reset and account
key delete forms (were broken — CSRFProtect rejected submissions)
- Fix trust store path traversal: untrust_key() now validates
fingerprint format ([0-9a-f]{32}) and checks resolved path
- Fix chain key rotation: old key is now revoked after rotation
record, preventing compromised old keys from appending records
- Fix SSRF in deadman webhook: block private/internal IP targets
- Fix logout CSRF: /logout is now POST-only with CSRF token,
preventing cross-site forced logout via img tags
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
SooSeF — Soo Security Fieldkit
Offline-first security toolkit for journalists, NGOs, and at-risk organizations.
Part of the Soo Suite:
- Stegasoo — hide encrypted messages in media (steganography)
- Verisoo — prove image provenance and authenticity (attestation)
- SooSeF — unified fieldkit with killswitch, dead man's switch, and key management
Status
Pre-alpha. Phase 1 scaffolding complete.
Install (development)
pip install -e /path/to/stegasoo[web,dct,audio,cli]
pip install -e /path/to/verisoo[cli]
pip install -e ".[web,cli]"
Quick Start
soosef init # Generate identity + channel key, create ~/.soosef/
soosef serve # Start the web UI