Update Setup.md and Workplan.md for 2026-04-27 session

- fido2-direct confirmed as deployed default after full browser flow with real card
- Document enroll-clears-session bug fix
- Document k_proxy unit test suite (100 tests)
- Record current deployed service state and port map

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Morten V. Christiansen 2026-04-27 11:29:26 +02:00
parent 2cf44e97df
commit 855b4175bc
2 changed files with 27 additions and 4 deletions


@ -1,6 +1,6 @@
# Setup # Setup
Last updated: 2026-04-26 Last updated: 2026-04-27
This is a living setup/status file for the local ChromeCard workspace at `/home/user/chromecard`. This is a living setup/status file for the local ChromeCard workspace at `/home/user/chromecard`.
Update this file whenever environment status or verified behavior changes. Update this file whenever environment status or verified behavior changes.
@ -611,6 +611,23 @@ Session note (2026-04-25, direct FIDO2 auth attempt):
- the deployed `k_proxy` service was restored to default `probe` mode - the deployed `k_proxy` service was restored to default `probe` mode
- verified `alice` login still works afterward, so the validated Phase 5 baseline remains intact - verified `alice` login still works afterward, so the validated Phase 5 baseline remains intact
Session note (2026-04-27, fido2-direct end-to-end browser validation):
- Deployed all three services (k_server, k_proxy, k_client_portal) in split-VM chain via SSH/SCP.
- k_proxy restarted with --auth-mode fido2-direct.
- Full browser flow verified from k_client at http://127.0.0.1:8766 with real card:
- Register: makeCredential triggered on card, button press confirmed.
- Login: getAssertion triggered on card, button press confirmed.
- Counter: k_server returned incremented value.
- Logout: session correctly invalidated.
- Confirmed: probe mode showed stale directtest enrollment (no credential_data_b64) from earlier session; that is expected.
- Bug found and fixed: clicking Register after Login cleared the client-side session token but left the server-side session alive; fix adds a best-effort /session/logout call to k_proxy before re-enrolling.
- Current deployed service state:
- k_server: https://127.0.0.1:8780, TLS, proxy-token dev-proxy-token
- k_proxy: https://127.0.0.1:8771, TLS, --auth-mode fido2-direct, upstream https://127.0.0.1:9780
- k_client: http://127.0.0.1:8766, proxy-base-url https://127.0.0.1:9771
- Forwards: k_proxy 9780->k_server:8780, k_client 9771->k_proxy:8771
- Unit test suite added: tests/test_k_proxy.py (100 tests, all passing, run locally with python3 -m unittest tests/test_k_proxy.py).
Session note (2026-04-26, markdown maintenance re-scan): Session note (2026-04-26, markdown maintenance re-scan):
- Re-read the maintained workspace markdown set: - Re-read the maintained workspace markdown set:
- `/home/user/chromecard/Setup.md` - `/home/user/chromecard/Setup.md`
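Review bot: The "Bug found and fixed" bullet calls the new /session/logout request "best-effort" but does not say what happens when that request fails, which is the same case the bug describes: the client-side token is cleared while the server-side session stays alive. Suggest adding one sentence on the fallback, for example whether the server-side session expires on its own or the failure is surfaced to the operator. Separately, the service state list records the k_server proxy-token value `dev-proxy-token` in this file, so it is worth marking it explicitly as a development-only value. The 2026-04-27 note is also placed above the 2026-04-26 note, so confirm which ordering the file is meant to follow.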


@ -1,6 +1,6 @@
# Workplan # Workplan
Last updated: 2026-04-26 Last updated: 2026-04-27
This is the execution plan for making ChromeCard FIDO2 development and validation reproducible on this machine. This is the execution plan for making ChromeCard FIDO2 development and validation reproducible on this machine.
@ -549,13 +549,19 @@ Exit criteria:
## Current Next Step ## Current Next Step
- Treat the default HTTPS split-VM chain as the stable baseline and keep validating it with `/home/user/chromecard/phase5_chain_regression.sh`. - fido2-direct is now the deployed default; keep it as the baseline for regression runs.
- Push the next engineering cycle toward Phase 6.5 limits: - Push the next engineering cycle toward Phase 6.5 limits:
- reproduce and narrow the `~10` in-flight request ceiling on the browser-facing `k_client -> k_proxy` Qubes forward - reproduce and narrow the `~10` in-flight request ceiling on the browser-facing `k_client -> k_proxy` Qubes forward
- separate Qubes forwarding churn from app-level issues with targeted concurrency probes and log capture - separate Qubes forwarding churn from app-level issues with targeted concurrency probes and log capture
- In parallel, decide whether `--auth-mode fido2-direct` is ready to become the default deployed path or should remain an optional/operator mode.
- Keep the regression helpers as the fast check that transport, auth, session reuse, and counter semantics still hold after each change. - Keep the regression helpers as the fast check that transport, auth, session reuse, and counter semantics still hold after each change.
Status (2026-04-27):
- fido2-direct mode confirmed working end-to-end with real card via browser on k_client.
- Full register → login → counter → logout flow verified with physical card button presses.
- Bug fixed: ClientState.enroll() now calls /session/logout on k_proxy before re-enrolling.
- 100-test unit suite added for k_proxy (tests/test_k_proxy.py); runs locally without card or VMs.
- All three service files refactored and re-deployed.
Status (2026-04-26, markdown maintenance): Status (2026-04-26, markdown maintenance):
- Re-scanned `Setup.md`, `Workplan.md`, and `PHASE5_RUNBOOK.md` against the current workspace files. - Re-scanned `Setup.md`, `Workplan.md`, and `PHASE5_RUNBOOK.md` against the current workspace files.
- Updated the plan to match the verified state: - Updated the plan to match the verified state:
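Review bot: The rewritten first bullet under "Current Next Step" drops the pointer to `/home/user/chromecard/phase5_chain_regression.sh`, so the plan no longer names the script that validates the baseline and does not say whether that script runs against `--auth-mode fido2-direct` or the earlier probe mode. Suggest keeping the script path in the new bullet and stating which auth mode the regression run uses. Also, the status line "All three service files refactored and re-deployed" describes code changes that are not part of this commit (2 changed files, Setup.md and Workplan.md); a reference to the commit that carries the refactor and the ClientState.enroll() fix would make both status lines checkable.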