1. Client-side SHA-256 in drop box: browser computes and displays
file fingerprints via SubtleCrypto before upload. Receipt codes
are HMAC-derived from file hash so source can verify
correspondence. Source sees hash before submitting.
2. Drop box token persistence: replaced in-memory dict with SQLite
(dropbox.db). Tokens and receipts survive server restarts.
Receipt verification now returns filename, SHA-256, and timestamp.
3. RFC 3161 trusted timestamps + manual anchors: new
federation/anchors.py with get_chain_head_anchor(),
submit_rfc3161(), save_anchor(), and manual export format.
CLI: `soosef chain anchor [--tsa URL]`. A single anchor
implicitly timestamps every preceding chain record.
4. Derived work lineage: attestation metadata supports
derived_from (parent record ID) and derivation_type
(crop, redact, brightness, etc.) for tracking edits
through the chain of custody.
5. Self-contained evidence package: new soosef.evidence module
with export_evidence_package() producing a ZIP with images,
attestation records, chain data, public key, standalone
verify.py script, and README.
6. Cold archive export: new soosef.archive module with
export_cold_archive() bundling chain.bin, verisoo log,
LMDB index, keys, anchors, trusted keys, ALGORITHMS.txt
documenting all crypto, and verification instructions.
Designed for OAIS (ISO 14721) alignment.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
f557cac45a