UAI Explorer QA QC QoL Gates
Created: 2026-06-20
Purpose
Define the loops that must pass before UAI Explorer can be considered public-safe for internal production, and before any future external exposure.
This file is the QA/QC/QoL contract. Current evidence lives under
docs/evidence/.
QA Loop: Functional Correctness
Required checks:
- Health and readiness endpoints return expected status.
- First admin bootstrap works once and does not overwrite existing users.
- Login succeeds with valid credentials and fails with invalid credentials.
- Disabled users cannot authenticate.
- Session cookies are HttpOnly and SameSite.
- Secure cookie mode is enabled when public mode is enabled.
- Catalog returns only authorized items.
- Content endpoint enforces tags.
- Code access requires both project tag and
code. - AI users can use only
/api/ai/*. - Human users cannot use AI-only endpoints unless explicitly assigned AI role.
- Admin endpoints reject non-admin users.
- Upload endpoints are disabled in public-safe mode.
- Raw download is disabled in public-safe mode, including for admins.
- Legacy
/api/treeand/api/filefilesystem APIs are disabled in public-safe mode.
QC Loop: Security And Data Control
Required checks:
- Path traversal tests fail closed.
- Hidden files and secret-bearing paths are non-browsable.
.env,.ssh, auth stores, session databases, caches, and logs are blocked.- Redaction catches private key blocks.
- Redaction catches bearer tokens.
- Redaction catches API-key-shaped strings.
- Redaction catches webhook URLs.
- Redaction catches credential-bearing database URLs.
- Redaction catches secret-like env var values.
- Redaction state is present in content and AI responses.
- Context notes are redacted before human and AI responses.
- Audit logs are written for login, logout, read, deny, AI context, admin create/update, and redaction refusal.
- Audit logs do not contain raw secrets.
- Denied responses do not reveal hidden filesystem paths.
- Browser-rendered markdown cannot execute unsafe HTML or script content.
- External CDN dependencies are vendored or covered by a content security policy decision before public exposure.
QoL Loop: Human Experience
Required checks:
- Login screen is clear and professional on desktop and mobile.
- Catalog supports search and useful filters.
- Reader shows title, project, tags, summary, freshness, and redaction state.
- Context notes are visible without crowding the document.
- Denied state explains access limits without leaking hidden names.
- Redacted code/content remains readable enough to be useful.
- Admin user management is understandable without editing JSON by hand.
- Admin catalog management is understandable without editing JSON by hand.
- Long file names, titles, and tags do not break layout.
- Mobile navigation does not overlap reader content.
- Empty states and loading states are polished.
Migration Readiness Loop
This loop was the pre-cutover readiness gate. It remains useful for future staging work and release checks.
Required checks:
- Sandbox CT
126is healthy. - Production CT
121remains healthy. - Sandbox deploy script targets only
126. - No production sync cron is installed in sandbox by default.
- Sandbox data is curated or redacted.
- Public Explorer readiness fails if a raw survey zone is mounted in the served data path.
- Backup command for production has been documented.
- Restore/rollback command has been documented.
- Production cutover requires a separate operator action.
- No DNS, TLS, firewall, or public route changes happen as part of migration readiness.
Evidence Format
Each completed check should record:
- Date and timezone.
- Command or browser flow used.
- Expected result.
- Actual result.
- Evidence path or screenshot path if applicable.
- Pass/fail status.
- Follow-up issue if failed.
Evidence should be placed under a future docs/evidence/ folder or recorded in
the migration readiness panel once implemented.
Current Loop Status
- Planning loop: pass.
- Local implementation QA: pass, see
[REDACTED:high-entropy].md. - Local security QC: pass, see
[REDACTED:high-entropy].md. - Local human QoL: pass, see
[REDACTED:high-entropy].md. - Sandbox QA/QC/QoL: pass, see
[REDACTED:high-entropy].md. - Migration readiness: pass, see
[REDACTED:high-entropy].md. - Internal production cutover: pass, see
[REDACTED:high-entropy].md. - External exposure: not authorized and not executed.
Do not claim external public exposure readiness until a separate operator-approved exposure packet exists and has been executed.