k_card/PHASE5_RUNBOOK.md
# Phase 5 Runbook (Session Reuse Prototype)
This runbook starts a minimal `k_server` + `k_proxy` prototype for session reuse testing.
## What This Prototype Covers
- `k_proxy` creates short-lived sessions.
- Session creation uses a card-presence check (`fido2_probe.py --json`) as the current auth gate.
- Valid sessions can repeatedly access a protected `k_server` counter endpoint without re-running card auth each request.
- Session status and logout/invalidation paths are implemented.
## Start Services
In the `k_server` VM:
```bash
python3 /home/user/chromecard/k_server_app.py --host 127.0.0.1 --port 8780 --proxy-token dev-proxy-token
```
In the `k_proxy` VM:
```bash
python3 /home/user/chromecard/k_proxy_app.py \
--host 127.0.0.1 \
--port 8770 \
--session-ttl 300 \
--server-base-url http://127.0.0.1:8780 \
--proxy-token dev-proxy-token
```
Note that both commands bind to `127.0.0.1` and `--server-base-url` also points at `127.0.0.1:8780`; that only works when both processes share a network namespace (same VM, or the server port forwarded into the proxy VM). When `k_server` and `k_proxy` really run in separate VMs, bind `k_server` to an address the proxy VM can reach and set `--server-base-url` to match; restrict the bind to that interface rather than `0.0.0.0`. The `--proxy-token` value must be identical on both sides; `dev-proxy-token` is a development placeholder, so use a random value for anything beyond this local prototype.
## Test Flow
Create a session (runs auth gate once):
```bash
curl -sS -X POST http://127.0.0.1:8770/session/login \
-H 'Content-Type: application/json' \
-d '{"username":"alice"}'
```
Copy `session_token` from the response into a shell variable. It is a bearer credential: anyone holding it can use the session until logout or TTL expiry, so do not paste it into shared terminals or logs.
```bash
TOKEN='<paste-token>'
```
Check session:
```bash
curl -sS -X POST http://127.0.0.1:8770/session/status \
-H "Authorization: Bearer $TOKEN"
```
Call the protected resource several times (each call should succeed without a new login; compare the counter values in the responses):
```bash
curl -sS -X POST http://127.0.0.1:8770/resource/counter \
-H "Authorization: Bearer $TOKEN"
curl -sS -X POST http://127.0.0.1:8770/resource/counter \
-H "Authorization: Bearer $TOKEN"
```
Logout/invalidate:
```bash
curl -sS -X POST http://127.0.0.1:8770/session/logout \
-H "Authorization: Bearer $TOKEN"
```
Re-check after logout (should fail with 401):
```bash
curl -i -X POST http://127.0.0.1:8770/resource/counter \
-H "Authorization: Bearer $TOKEN"
```
To exercise the TTL path as well, log in again, wait for `--session-ttl` (300 s in the command above) to elapse, and repeat the `/resource/counter` request with the new token; it should also return 401.
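As an added illustration (not code from `k_proxy_app.py` or `k_server_app.py`), the stand-alone Python model below replays the flow above end to end: one auth-gate call per login, bearer-token reuse across requests, logout invalidation, TTL expiry, and the proxy-token check between proxy and server. The class and function names, the SHA-256-keyed session store, the injected clock and the 200/401 codes are assumptions made for the example, not the prototype's actual behaviour.

```python
"""Model of the Phase 5 session-reuse flow. Assumed design, not the project's code."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OK, UNAUTHORIZED = 200, 401


class KServerModel:
    """Stands in for k_server: a per-user counter that only the proxy may call."""

    def __init__(self, proxy_token: str):
        self._proxy_token = proxy_token
        self._counters: dict[str, int] = {}

    def counter(self, proxy_token: str, username: str) -> tuple[int, dict]:
        # compare_digest keeps the shared-secret check constant-time.
        if not hmac.compare_digest(proxy_token, self._proxy_token):
            return UNAUTHORIZED, {"error": "bad proxy token"}
        self._counters[username] = self._counters.get(username, 0) + 1
        return OK, {"username": username, "counter": self._counters[username]}


@dataclass
class Session:
    username: str
    expires_at: float  # absolute time on the proxy's clock


class KProxyModel:
    """Stands in for k_proxy: auth gate once per login, then bearer-session reuse."""

    def __init__(self, server: KServerModel, proxy_token: str, ttl_seconds: float,
                 clock=time.monotonic):
        self._server = server
        self._proxy_token = proxy_token
        self._ttl = ttl_seconds
        self._clock = clock
        # Keyed by SHA-256 of the token so a leaked store yields no usable bearer tokens.
        self._sessions: dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, username: str, auth_gate) -> tuple[int, dict]:
        # auth_gate stands in for the fido2_probe.py card-presence check; it runs once here,
        # never per request.
        if not auth_gate(username):
            return UNAUTHORIZED, {"error": "auth gate failed"}
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[self._key(token)] = Session(username, self._clock() + self._ttl)
        return OK, {"session_token": token, "expires_in": self._ttl}

    def _lookup(self, token: str):
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is not None and self._clock() >= sess.expires_at:
            del self._sessions[key]  # lazy expiry: a stale token behaves like an unknown one
            return None
        return sess

    def status(self, token: str) -> tuple[int, dict]:
        sess = self._lookup(token)
        if sess is None:
            return UNAUTHORIZED, {"error": "invalid or expired session"}
        return OK, {"username": sess.username, "expires_in": sess.expires_at - self._clock()}

    def counter(self, token: str) -> tuple[int, dict]:
        sess = self._lookup(token)
        if sess is None:
            return UNAUTHORIZED, {"error": "invalid or expired session"}
        # The client only proved possession of the session token; the proxy, not the
        # client, presents the proxy token to k_server.
        return self._server.counter(self._proxy_token, sess.username)

    def logout(self, token: str) -> tuple[int, dict]:
        if self._lookup(token) is None:
            return UNAUTHORIZED, {"error": "invalid or expired session"}
        del self._sessions[self._key(token)]
        return OK, {"logged_out": True}


def run_flow(ttl_seconds: float = 300.0) -> dict:
    """Replays the runbook's curl sequence against the models with a fake clock."""
    now = [0.0]  # constructed clock so TTL expiry can be tested without waiting
    gate_calls: list[str] = []
    server = KServerModel("dev-proxy-token")
    proxy = KProxyModel(server, "dev-proxy-token", ttl_seconds, clock=lambda: now[0])

    def auth_gate(username: str) -> bool:
        gate_calls.append(username)
        return True  # constructed: pretend the card was present

    _, body = proxy.login("alice", auth_gate)
    token = body["session_token"]
    status_code, _ = proxy.status(token)
    c1 = proxy.counter(token)
    c2 = proxy.counter(token)
    logout_code, _ = proxy.logout(token)
    after_logout_code, _ = proxy.counter(token)

    _, body2 = proxy.login("alice", auth_gate)  # fresh session, then the clock passes the TTL
    now[0] += ttl_seconds
    expired_code, _ = proxy.counter(body2["session_token"])

    return {
        "gate_calls": len(gate_calls),
        "status": status_code,
        "counters": [c1[1]["counter"], c2[1]["counter"]],
        "logout": logout_code,
        "after_logout": after_logout_code,
        "expired": expired_code,
        "bad_proxy_token": server.counter("wrong", "alice")[0],
    }


if __name__ == "__main__":
    print(run_flow())
```

The returned dictionary is the same sequence of outcomes the curl steps above are meant to produce: the gate runs once per login (two logins, two calls), the counter advances twice on one token, logout turns further calls into 401, an expired token is rejected without touching `k_server`, and a wrong proxy token is refused by the server itself.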
## Current Limitations
- The auth gate is card-presence probing only: it establishes that a card is present, not a verified WebAuthn assertion, so it does not prove possession of a registered credential. Do not treat a session created this way as authenticated in the production sense.
- Intended as a Phase 5 starter for session semantics (create, reuse, status, logout, TTL expiry) and proxy/server behavior, not as a hardened deployment.