All procedures
qauai-explorerOperator truth

UAI Explorer QA QC QoL Gates

Synced UAI Explorer qa documentation from docs/qa/qa-qc-qol-gates.md.

Updated 2026-06-21·Freshness: Current·Sensitive tokens or credentials were hidden before display.

UAI Explorer QA QC QoL Gates

Created: 2026-06-20

Purpose

Define the loops that must pass before UAI Explorer can be considered public-safe for internal production, and before any future external exposure.

This file is the QA/QC/QoL contract. Current evidence lives under docs/evidence/.

QA Loop: Functional Correctness

Required checks:

  • Health and readiness endpoints return expected status.
  • First admin bootstrap works once and does not overwrite existing users.
  • Login succeeds with valid credentials and fails with invalid credentials.
  • Disabled users cannot authenticate.
  • Session cookies are HttpOnly and SameSite.
  • Secure cookie mode is enabled when public mode is enabled.
  • Catalog returns only authorized items.
  • Content endpoint enforces tags.
  • Code access requires both project tag and code.
  • AI users can use only /api/ai/*.
  • Human users cannot use AI-only endpoints unless explicitly assigned AI role.
  • Admin endpoints reject non-admin users.
  • Upload endpoints are disabled in public-safe mode.
  • Raw download is disabled in public-safe mode, including for admins.
  • Legacy /api/tree and /api/file filesystem APIs are disabled in public-safe mode.

QC Loop: Security And Data Control

Required checks:

  • Path traversal tests fail closed.
  • Hidden files and secret-bearing paths are non-browsable.
  • .env, .ssh, auth stores, session databases, caches, and logs are blocked.
  • Redaction catches private key blocks.
  • Redaction catches bearer tokens.
  • Redaction catches API-key-shaped strings.
  • Redaction catches webhook URLs.
  • Redaction catches credential-bearing database URLs.
  • Redaction catches secret-like env var values.
  • Redaction state is present in content and AI responses.
  • Context notes are redacted before human and AI responses.
  • Audit logs are written for login, logout, read, deny, AI context, admin create/update, and redaction refusal.
  • Audit logs do not contain raw secrets.
  • Denied responses do not reveal hidden filesystem paths.
  • Browser-rendered markdown cannot execute unsafe HTML or script content.
  • External CDN dependencies are vendored or covered by a content security policy decision before public exposure.

QoL Loop: Human Experience

Required checks:

  • Login screen is clear and professional on desktop and mobile.
  • Catalog supports search and useful filters.
  • Reader shows title, project, tags, summary, freshness, and redaction state.
  • Context notes are visible without crowding the document.
  • Denied state explains access limits without leaking hidden names.
  • Redacted code/content remains readable enough to be useful.
  • Admin user management is understandable without editing JSON by hand.
  • Admin catalog management is understandable without editing JSON by hand.
  • Long file names, titles, and tags do not break layout.
  • Mobile navigation does not overlap reader content.
  • Empty states and loading states are polished.

Migration Readiness Loop

This loop was the pre-cutover readiness gate. It remains useful for future staging work and release checks.

Required checks:

  • Sandbox CT 126 is healthy.
  • Production CT 121 remains healthy.
  • Sandbox deploy script targets only 126.
  • No production sync cron is installed in sandbox by default.
  • Sandbox data is curated or redacted.
  • Public Explorer readiness fails if a raw survey zone is mounted in the served data path.
  • Backup command for production has been documented.
  • Restore/rollback command has been documented.
  • Production cutover requires a separate operator action.
  • No DNS, TLS, firewall, or public route changes happen as part of migration readiness.

Evidence Format

Each completed check should record:

  • Date and timezone.
  • Command or browser flow used.
  • Expected result.
  • Actual result.
  • Evidence path or screenshot path if applicable.
  • Pass/fail status.
  • Follow-up issue if failed.

Evidence should be placed under a future docs/evidence/ folder or recorded in the migration readiness panel once implemented.

Current Loop Status

  • Planning loop: pass.
  • Local implementation QA: pass, see [REDACTED:high-entropy].md.
  • Local security QC: pass, see [REDACTED:high-entropy].md.
  • Local human QoL: pass, see [REDACTED:high-entropy].md.
  • Sandbox QA/QC/QoL: pass, see [REDACTED:high-entropy].md.
  • Migration readiness: pass, see [REDACTED:high-entropy].md.
  • Internal production cutover: pass, see [REDACTED:high-entropy].md.
  • External exposure: not authorized and not executed.

Do not claim external public exposure readiness until a separate operator-approved exposure packet exists and has been executed.