Update Setup.md and Workplan.md for 2026-04-27 session

- fido2-direct confirmed as deployed default after full browser flow with real card
- Document enroll-clears-session bug fix
- Document k_proxy unit test suite (100 tests)
- Record current deployed service state and port map

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Setup.md

@@ -1,6 +1,6 @@
 # Setup
 
-Last updated: 2026-04-26
+Last updated: 2026-04-27
 
 This is a living setup/status file for the local ChromeCard workspace at `/home/user/chromecard`.
 Update this file whenever environment status or verified behavior changes.
@@ -611,6 +611,23 @@ Session note (2026-04-25, direct FIDO2 auth attempt):
   - the deployed `k_proxy` service was restored to default `probe` mode
   - verified `alice` login still works afterward, so the validated Phase 5 baseline remains intact
 
+Session note (2026-04-27, fido2-direct end-to-end browser validation):
+- Deployed all three services (k_server, k_proxy, k_client_portal) in split-VM chain via SSH/SCP.
+- k_proxy restarted with --auth-mode fido2-direct.
+- Full browser flow verified from k_client at http://127.0.0.1:8766 with real card:
+  - Register: makeCredential triggered on card, button press confirmed.
+  - Login: getAssertion triggered on card, button press confirmed.
+  - Counter: k_server returned incremented value.
+  - Logout: session correctly invalidated.
+- Confirmed: probe mode showed stale directtest enrollment (no credential_data_b64) from earlier session; that is expected.
+- Bug found and fixed: clicking Register after Login cleared the client-side session token but left the server-side session alive; fix adds a best-effort /session/logout call to k_proxy before re-enrolling.
+- Current deployed service state:
+  - k_server: https://127.0.0.1:8780, TLS, proxy-token dev-proxy-token
+  - k_proxy: https://127.0.0.1:8771, TLS, --auth-mode fido2-direct, upstream https://127.0.0.1:9780
+  - k_client: http://127.0.0.1:8766, proxy-base-url https://127.0.0.1:9771
+  - Forwards: k_proxy 9780->k_server:8780, k_client 9771->k_proxy:8771
+- Unit test suite added: tests/test_k_proxy.py (100 tests, all passing, run locally with python3 -m unittest tests/test_k_proxy.py).
+
 Session note (2026-04-26, markdown maintenance re-scan):
 - Re-read the maintained workspace markdown set:
   - `/home/user/chromecard/Setup.md`

Workplan.md

@@ -1,6 +1,6 @@
 # Workplan
 
-Last updated: 2026-04-26
+Last updated: 2026-04-27
 
 This is the execution plan for making ChromeCard FIDO2 development and validation reproducible on this machine.
 
@@ -549,13 +549,19 @@ Exit criteria:
 
 ## Current Next Step
 
-- Treat the default HTTPS split-VM chain as the stable baseline and keep validating it with `/home/user/chromecard/phase5_chain_regression.sh`.
+- fido2-direct is now the deployed default; keep it as the baseline for regression runs.
 - Push the next engineering cycle toward Phase 6.5 limits:
   - reproduce and narrow the `~10` in-flight request ceiling on the browser-facing `k_client -> k_proxy` Qubes forward
   - separate Qubes forwarding churn from app-level issues with targeted concurrency probes and log capture
-- In parallel, decide whether `--auth-mode fido2-direct` is ready to become the default deployed path or should remain an optional/operator mode.
 - Keep the regression helpers as the fast check that transport, auth, session reuse, and counter semantics still hold after each change.
 
+Status (2026-04-27):
+- fido2-direct mode confirmed working end-to-end with real card via browser on k_client.
+- Full register → login → counter → logout flow verified with physical card button presses.
+- Bug fixed: ClientState.enroll() now calls /session/logout on k_proxy before re-enrolling.
+- 100-test unit suite added for k_proxy (tests/test_k_proxy.py); runs locally without card or VMs.
+- All three service files refactored and re-deployed.
+
 Status (2026-04-26, markdown maintenance):
 - Re-scanned `Setup.md`, `Workplan.md`, and `PHASE5_RUNBOOK.md` against the current workspace files.
 - Updated the plan to match the verified state: