Public-Safe Hardening Local Evidence
Date: 2026-06-20
Supersession note: this is historical local hardening evidence for the 0.2.2
step. Current production and staging version is 0.2.3; see
[REDACTED:high-entropy].md.
Scope
Local verification for UAI Explorer 0.2.2 hardening. This evidence does not
redeploy sandbox CT 126 and does not modify production CT 121.
Security Changes Verified
- Public-safe mode refuses
/api/tree,/api/file,/api/raw,/api/upload, and/api/uploadsafter authentication. ALLOW_ADMIN_RAW_READ=truedoes not re-enable raw downloads whilePUBLIC_SAFE_MODE=true.- Context notes are redacted before human and AI delivery.
- Content responses include server-side redaction metadata and no-store cache behavior.
- Readiness includes passing checks for raw downloads disabled, legacy filesystem APIs disabled, and upload APIs disabled.
- Readiness includes a raw survey mount guard; if
DATA_ROOT/raw-survey-zoneexists in public-safe mode,/readyreturnsblocked-raw-survey-mountedand migration readiness failsraw_survey_zone_not_mounted.
Commands
python -m py_compile server.py
python -m py_compile tests\test_public_safe.py
node --check static\js\app.js
& "C:\Program Files\Git\bin\bash.exe" -n deploy-sandbox.sh
python tests\test_public_safe.py
Result
- Pass
- 10 tests run
Browser Smoke
Temporary local server:
- URL:
http://127.0.0.1:8773 - Version:
0.2.2 - Data root: temporary sanitized smoke data
- Raw read env flag intentionally set true while
PUBLIC_SAFE_MODE=true
Observed:
- Dashboard rendered the Mac Devine/Cadence design-standards review item.
- Reader rendered the fake key as a redacted token.
- DOM text did not contain the fake source key.
- Access boundary displayed
Raw content: not sent. - Content response headers included
X-UAI-Redaction-Boundary=server-side,X-UAI-Raw-Content=not-sent, andCache-Control=no-store. - Authenticated browser fetches returned
403for/api/raw,/api/file,/api/tree, and/api/uploads. - Mobile viewport
390x844had no horizontal overflow.
Screenshots:
[REDACTED:high-entropy].png[REDACTED:high-entropy].png[REDACTED:high-entropy].png
Follow-Up Evidence
- Completed in
[REDACTED:high-entropy].md. - Sandbox CT
126now serves UAI Explorer0.2.2. - Sandbox HTTP, authenticated live smoke, in-container tests, served UI bundle checks, and rollback rehearsal passed after the refresh.
- Production CT
121remained unchanged and healthy on UAI Explorer0.1.0.