Explorer docs
evidenceuai-explorerredacted view

Public-Safe Hardening Local Evidence

Synced UAI Explorer evidence documentation from docs/evidence/public-safe-hardening-local-2026-06-20.md.

Updated 2026-06-21·Freshness: Reference·Sensitive tokens or credentials were hidden before display.

Public-Safe Hardening Local Evidence

Date: 2026-06-20

Supersession note: this is historical local hardening evidence for the 0.2.2 step. Current production and staging version is 0.2.3; see [REDACTED:high-entropy].md.

Scope

Local verification for UAI Explorer 0.2.2 hardening. This evidence does not redeploy sandbox CT 126 and does not modify production CT 121.

Security Changes Verified

  • Public-safe mode refuses /api/tree, /api/file, /api/raw, /api/upload, and /api/uploads after authentication.
  • ALLOW_ADMIN_RAW_READ=true does not re-enable raw downloads while PUBLIC_SAFE_MODE=true.
  • Context notes are redacted before human and AI delivery.
  • Content responses include server-side redaction metadata and no-store cache behavior.
  • Readiness includes passing checks for raw downloads disabled, legacy filesystem APIs disabled, and upload APIs disabled.
  • Readiness includes a raw survey mount guard; if DATA_ROOT/raw-survey-zone exists in public-safe mode, /ready returns blocked-raw-survey-mounted and migration readiness fails raw_survey_zone_not_mounted.

Commands

python -m py_compile server.py
python -m py_compile tests\test_public_safe.py
node --check static\js\app.js
& "C:\Program Files\Git\bin\bash.exe" -n deploy-sandbox.sh
python tests\test_public_safe.py

Result

  • Pass
  • 10 tests run

Browser Smoke

Temporary local server:

  • URL: http://127.0.0.1:8773
  • Version: 0.2.2
  • Data root: temporary sanitized smoke data
  • Raw read env flag intentionally set true while PUBLIC_SAFE_MODE=true

Observed:

  • Dashboard rendered the Mac Devine/Cadence design-standards review item.
  • Reader rendered the fake key as a redacted token.
  • DOM text did not contain the fake source key.
  • Access boundary displayed Raw content: not sent.
  • Content response headers included X-UAI-Redaction-Boundary=server-side, X-UAI-Raw-Content=not-sent, and Cache-Control=no-store.
  • Authenticated browser fetches returned 403 for /api/raw, /api/file, /api/tree, and /api/uploads.
  • Mobile viewport 390x844 had no horizontal overflow.

Screenshots:

  • [REDACTED:high-entropy].png
  • [REDACTED:high-entropy].png
  • [REDACTED:high-entropy].png

Follow-Up Evidence

  • Completed in [REDACTED:high-entropy].md.
  • Sandbox CT 126 now serves UAI Explorer 0.2.2.
  • Sandbox HTTP, authenticated live smoke, in-container tests, served UI bundle checks, and rollback rehearsal passed after the refresh.
  • Production CT 121 remained unchanged and healthy on UAI Explorer 0.1.0.