From 855b4175bce188033cc55546e4cb99efd65d5488 Mon Sep 17 00:00:00 2001 From: "Morten V. Christiansen" Date: Mon, 27 Apr 2026 11:29:26 +0200 Subject: [PATCH] Update Setup.md and Workplan.md for 2026-04-27 session - fido2-direct confirmed as deployed default after full browser flow with real card - Document enroll-clears-session bug fix - Document k_proxy unit test suite (100 tests) - Record current deployed service state and port map Co-Authored-By: Claude Sonnet 4.6 --- Setup.md | 19 ++++++++++++++++++- Workplan.md | 12 +++++++++--- 2 files changed, 27 insertions(+), 4 deletions(-) diff --git a/Setup.md b/Setup.md index b8eae2e..bd60b21 100644 --- a/Setup.md +++ b/Setup.md @@ -1,6 +1,6 @@ # Setup -Last updated: 2026-04-26 +Last updated: 2026-04-27 This is a living setup/status file for the local ChromeCard workspace at `/home/user/chromecard`. Update this file whenever environment status or verified behavior changes. 
@@ -611,6 +611,23 @@ Session note (2026-04-25, direct FIDO2 auth attempt): - the deployed `k_proxy` service was restored to default `probe` mode - verified `alice` login still works afterward, so the validated Phase 5 baseline remains intact +Session note (2026-04-27, fido2-direct end-to-end browser validation): +- Deployed all three services (k_server, k_proxy, k_client_portal) in split-VM chain via SSH/SCP. +- k_proxy restarted with --auth-mode fido2-direct. +- Full browser flow verified from k_client at http://127.0.0.1:8766 with real card: + - Register: makeCredential triggered on card, button press confirmed. + - Login: getAssertion triggered on card, button press confirmed. + - Counter: k_server returned incremented value. + - Logout: session correctly invalidated. +- Confirmed: probe mode showed stale directtest enrollment (no credential_data_b64) from earlier session; that is expected. +- Bug found and fixed: clicking Register after Login cleared the client-side session token but left the server-side session alive; fix adds a best-effort /session/logout call to k_proxy before re-enrolling. +- Current deployed service state: + - k_server: https://127.0.0.1:8780, TLS, proxy-token dev-proxy-token + - k_proxy: https://127.0.0.1:8771, TLS, --auth-mode fido2-direct, upstream https://127.0.0.1:9780 + - k_client: http://127.0.0.1:8766, proxy-base-url https://127.0.0.1:9771 + - Forwards: k_proxy 9780->k_server:8780, k_client 9771->k_proxy:8771 +- Unit test suite added: tests/test_k_proxy.py (100 tests, all passing, run locally with python3 -m unittest tests/test_k_proxy.py). + Session note (2026-04-26, markdown maintenance re-scan): - Re-read the maintained workspace markdown set: - `/home/user/chromecard/Setup.md` diff --git a/Workplan.md b/Workplan.md index 9c99a22..0e39763 100644 --- a/Workplan.md +++ b/Workplan.md 
@@ -1,6 +1,6 @@ # Workplan -Last updated: 2026-04-26 +Last updated: 2026-04-27 This is the execution plan for making ChromeCard FIDO2 development and validation reproducible on this machine. @@ -549,13 +549,19 @@ Exit criteria: ## Current Next Step -- Treat the default HTTPS split-VM chain as the stable baseline and keep validating it with `/home/user/chromecard/phase5_chain_regression.sh`. +- fido2-direct is now the deployed default; keep it as the baseline for regression runs. - Push the next engineering cycle toward Phase 6.5 limits: - reproduce and narrow the `~10` in-flight request ceiling on the browser-facing `k_client -> k_proxy` Qubes forward - separate Qubes forwarding churn from app-level issues with targeted concurrency probes and log capture -- In parallel, decide whether `--auth-mode fido2-direct` is ready to become the default deployed path or should remain an optional/operator mode. - Keep the regression helpers as the fast check that transport, auth, session reuse, and counter semantics still hold after each change. +Status (2026-04-27): +- fido2-direct mode confirmed working end-to-end with real card via browser on k_client. +- Full register → login → counter → logout flow verified with physical card button presses. +- Bug fixed: ClientState.enroll() now calls /session/logout on k_proxy before re-enrolling. +- 100-test unit suite added for k_proxy (tests/test_k_proxy.py); runs locally without card or VMs. +- All three service files refactored and re-deployed. + Status (2026-04-26, markdown maintenance): - Re-scanned `Setup.md`, `Workplan.md`, and `PHASE5_RUNBOOK.md` against the current workspace files. - Updated the plan to match the verified state:
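Review bot: In the Setup.md hunk at `@@ -611,6 +611,23 @@`, the "Current deployed service state" list records the literal value `proxy-token dev-proxy-token` beside the k_server endpoint, with nothing saying it is a development placeholder. State that in the entry, or record only where the token is configured, so that a later non-dev value is not copied into this file by habit. In the same note, the bug-fix line calls the new `/session/logout` call "best-effort"; if that call fails, the server-side session stays alive, which is the condition the fix targets, so the note should say what bounds that session's lifetime in that case, or that the failure is surfaced to the operator.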
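Review bot: In the Workplan.md hunk at `@@ -549,13 +549,19 @@`, the rewritten first bullet under "Current Next Step" drops the path `/home/user/chromecard/phase5_chain_regression.sh` and says only "keep it as the baseline for regression runs", so the plan no longer names what to run. Keep the script path in the new bullet and say whether it is run against `--auth-mode fido2-direct`; the Status lines describe that flow as verified "with physical card button presses", while the unchanged last bullet still treats the regression helpers as "the fast check", so it should be clear whether those helpers now need a card and a person present. The Status line for the fix also omits the "best-effort" qualifier that Setup.md uses for the same `/session/logout` call; use the same wording in both files.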