Mobile installable web shell
Install XPScerpto as a safe PWA shell.
The mobile shell may cache only public UI assets and safe public shells. Admin, correspondence, evidence, live IMAP status, API responses, cookies, CSRF tokens, message content, raw MIME, and attachments remain network-only/no-store.
XPScerpto Documentation Center
Runbook, evidence, live IMAP truth boundaries, and operator guidance.
This center explains safe deployment, server-side IMAP setup, the admin correspondence control room, evidence handling, privacy boundaries, troubleshooting, and claim limits. It is operational documentation, not marketing copy.
Current System Truth Status
ADMIN_CONTROL_ROOM_UX_CLOSED=YES. The live external mailbox gate remains LIVE_EXTERNAL_IMAP_MAILBOX_VERIFIED=NO with blocker PATH_B_FAIL_CLOSED_WITH_EXACT_REAL_EXTERNAL_MAILBOX_CREDENTIALS_NOT_PROVIDED. PRODUCTION_READY=NO.
Deployment Runbook
Safe deployment starts with source identity, a private server environment file, and clean replay of gates.
- Extract only the accepted final package or accepted source tree archive; reject malformed, stale, or path-unsafe archives.
- Record input archive SHA256, source tree hash before changes, source identity baseline, and source tree hash after verification.
- Use a clean replay directory for gates; do not reuse an old rejected archive or a dirty deployment tree.
- Keep the server-side .env outside static/public and outside Git; reports and evidence bundles must not contain secret values.
- Create the evidence directory outside static/public and keep it private to the service account.
- Run py_compile, inbound mailbox gate, web product gates, brand gate, tests_portal, JS syntax checks, and docs scans from the extracted tree.
Required safe command examples
sudo install -d -m 750 -o xps -g xps /var/lib/xps-portal/evidencesudo chown xps:xps /srv/xpscerpto/.envsudo chmod 600 /srv/xpscerpto/.envsudo systemctl daemon-reloadsudo systemctl restart xps-portal
If the service user, group, or path differs, record the exact actual user, group, and path in the deployment evidence.
Live IMAP Setup
Password or token values are server-side only. The browser must never submit, display, or store mailbox credentials.
XPS_INBOUND_BACKEND=IMAPXPS_IMAP_HOST=<imap-hostname>XPS_IMAP_PORT=993XPS_IMAP_USERNAME=<mailbox-username>XPS_IMAP_PASSWORD=<server-side value only> OR XPS_IMAP_TOKEN=<server-side value only>XPS_IMAP_MAILBOX=XPScerpto-Live-VerifyXPS_IMAP_TLS_REQUIRED=YESXPS_LIVE_IMAP_EVIDENCE_PATH=/var/lib/xps-portal/evidence/live_imap_deployment_verification.json
A dedicated mailbox such as XPScerpto-Live-Verify is recommended because it creates a small auditable scope, avoids unrelated private INBOX traffic, reduces duplicate ambiguity, and makes UID cursor evidence easier to inspect.
Live Message Preparation Guide
Before running the live gate, deliver at least one real message to the target external mailbox.
- Subject: XPScerpto Live IMAP Verification
- Body: short non-secret test text
- The message must be delivered to the real external mailbox, not injected into SQLite.
- Do not include passwords, tokens, keys, private data, mock_messages JSON, or SMTP send-as-receive evidence.
Live IMAP Verification Guide
Run python3 scripts/live_imap_deployment_gate.py from the clean extracted source tree. The gate performs a first sync, then a second sync to prove duplicate protection, UID cursor persistence, UIDVALIDITY recording, TLS-required behavior, and privacy-safe evidence.
REAL_EXTERNAL_MAILBOX_CREDENTIALS_PROVIDED=YESREAL_EXTERNAL_MAILBOX_USED=YESDETERMINISTIC_IMAP_SERVER_USED=NOMOCK_INBOUND_USED_FOR_LIVE_GATE=NOXPS_TEST_MODE_FOR_LIVE_GATE=NOIMAP_TLS_REQUIRED=YESIMAP_PLAINTEXT_REJECTED=YESLIVE_IMAP_FIRST_SYNC_IMPORTED_MESSAGES_GT_ZERO=YESLIVE_IMAP_SECOND_SYNC_IMPORTED_ZERO_DUPLICATES=YESIMAP_UID_CURSOR_PERSISTED=YESIMAP_UIDVALIDITY_RECORDED=YESIMAP_REPLAY_IDEMPOTENT=YESNO_SECRET_EXPOSURE=YESNO_MESSAGE_BODY_LOGGING=YESNO_RAW_MIME_LOGGING=YESPRODUCTION_READY=NO
Admin Control Room Guide
/admin/correspondence separates Live Mode, Mock / Dev Mode, and Blocked Mode. Operators should read Safe Env Status, Verification Wizard, Cursor / UIDVALIDITY state, Idempotence / Duplicate status, Evidence status, Systemd/env preflight, Outbound Reply Boundary, and Mock Replay boundary before taking action.
- Mock replay does not prove live external mailbox verification.
- Deterministic IMAP server evidence does not prove live external mailbox verification.
- Reply recorded locally does not mean live SMTP delivery.
- Do not label outbound messages as sent or delivered unless live SMTP delivery is separately implemented and proven.
Evidence Center Guide
/evidence and the admin evidence panel expose sanitized operator artifacts only.
Allowed evidence content
- hashes, timestamps, result codes, phase results, and safe metadata
- UID cursor status, UIDVALIDITY status, duplicate count, and sanitized flags
- message ID hashes and mailbox hash or masked mailbox labels
Forbidden evidence content
- passwords, tokens, private keys, full .env files, or provider login responses containing credentials
- raw MIME, full message bodies, raw SQLite dumps containing sensitive data, public attachment payloads, or public attachment links
Sanitized evidence downloads may include hashes, status flags, and counts; they must never include credential material, private payloads, or public attachment links.
Security and Privacy Boundaries
- Secrets stay server-side only; no frontend mailbox credentials.
- No raw MIME exposure and no complete body audit logging.
- Attachments remain reject/private only and are not served from public routes.
- Admin authentication and CSRF must remain active for live actions.
- Mock replay and deterministic servers cannot satisfy live external verification.
- Production-ready status remains NO unless separately proven by the required gates.
API Reference
These endpoints are admin-only and return sanitized data. No endpoint accepts IMAP password or token from the browser.
| Endpoint | Method | Purpose | Boundary |
|---|---|---|---|
/api/admin/correspondence/live-status | GET | Returns sanitized mode, env presence booleans, cursor, UIDVALIDITY, idempotence and evidence state. | Admin auth required; no secret values returned. |
/api/admin/correspondence/live-sync | POST | Runs server-side live IMAP sync only when backend, TLS, and credentials are present. | Admin auth and CSRF required; browser never supplies password or token. |
/api/admin/correspondence/live-verification-gate | POST | Executes the same live truth criteria as the deployment gate and writes sanitized evidence only. | Admin auth and CSRF required; mock cannot satisfy this gate. |
Troubleshooting and Fail-Closed Blockers
Every blocker must be remediated with server-side configuration, code repair, or clean evidence replay. Unsafe shortcuts invalidate the phase.
| Blocker | Meaning | Safe operator action | Forbidden workaround |
|---|---|---|---|
PATH_B_FAIL_CLOSED_WITH_EXACT_REAL_EXTERNAL_MAILBOX_CREDENTIALS_NOT_PROVIDED | Server-side mailbox auth/configuration is absent or incomplete. | Add credentials only to the protected server .env and restart the service. | Do not paste secrets into the browser, docs, Git, reports, or evidence. |
PATH_B_FAIL_CLOSED_WITH_EXACT_IMAP_CONNECTION_OR_AUTH_BLOCKER | The external server could not be reached or authenticated over the required path. | Check host, port 993, account status, app password/token policy, and network egress. | Do not disable TLS or switch to mock evidence. |
PATH_B_FAIL_CLOSED_WITH_EXACT_NO_LIVE_INBOUND_MESSAGE_IMPORTED | The first live sync did not import a real message from the target mailbox. | Deliver the non-secret verification message to the dedicated mailbox and rerun the gate. | Do not inject rows into SQLite or use mock_messages JSON. |
PATH_B_FAIL_CLOSED_WITH_EXACT_LIVE_IMAP_UID_CURSOR_BLOCKER | The UID cursor was not persisted after live sync. | Check data directory permissions and service user ownership. | Do not manually edit cursor state to fake a pass. |
PATH_B_FAIL_CLOSED_WITH_EXACT_LIVE_IMAP_IDEMPOTENCE_BLOCKER | The second sync imported duplicates. | Inspect UID cursor and message identity hashing, then rerun from a clean controlled mailbox. | Do not delete duplicate evidence or change counts manually. |
PATH_B_FAIL_CLOSED_WITH_EXACT_LIVE_IMAP_UIDVALIDITY_BLOCKER | UIDVALIDITY is missing or inconsistent. | Record the provider UIDVALIDITY and reset only through a documented mailbox migration path. | Do not ignore UIDVALIDITY rollover. |
PATH_B_FAIL_CLOSED_WITH_EXACT_LIVE_IMAP_PRIVACY_AUDIT_BLOCKER | A privacy scan or sanitized evidence check failed. | Remove sensitive material from evidence/logs and rerun privacy scans. | Do not publish raw provider payloads. |
PATH_B_FAIL_CLOSED_WITH_EXACT_GATE_FAILURE | A mandatory product, security, syntax, or test gate failed. | Fix the failing gate and replay from a clean tree. | Do not delete tests or weaken gates. |
PATH_B_FAIL_CLOSED_WITH_EXACT_FRONTEND_SECRET_EXPOSURE | Frontend code references mailbox secrets as exposed values. | Remove all browser-side secret material and rerun scans. | Do not obfuscate secrets in JavaScript. |
PATH_B_FAIL_CLOSED_WITH_EXACT_PRIVACY_UI_EVIDENCE_EXPOSURE | UI or evidence exposed raw provider data or sensitive content. | Replace with hashes, previews, or sanitized flags. | Do not show raw MIME or complete bodies in admin/audit UI. |
PATH_B_FAIL_CLOSED_WITH_EXACT_MOCK_LIVE_CONFUSION_BLOCKER | Mock replay could be confused with live verification. | Separate dev controls visually and technically from live gates. | Do not allow mock to set live verified. |
PATH_B_FAIL_CLOSED_WITH_EXACT_OUTBOUND_DELIVERY_FALSE_CLAIM | Outbound UI claimed external delivery without proof. | Label replies as recorded locally unless live SMTP is separately proven. | Do not use sent/delivered labels as marketing shortcuts. |
Claim Boundaries
Allowed current claims
CORRESPONDENCE_ADMIN_LIVE_IMAP_OPERATIONS_UX_CLOSED=YESINBOUND_MAILBOX_INTEGRATION_IMPLEMENTED=YESSERVER_SIDE_IMAP_ADAPTER_IMPLEMENTED=YESLIVE_EXTERNAL_IMAP_MAILBOX_VERIFIED=NOPRODUCTION_READY=NO
Forbidden claim tokens
PRODUCTION_READY=YESGDPR_COMPLETE=YESSECURITY_COMPLETE=YESPGP_IMPLEMENTED=YESE2E_ENCRYPTION_IMPLEMENTED=YESENCRYPTED_AT_REST=YES unless separately provenGMAIL_API_IMPLEMENTED=YESMICROSOFT_GRAPH_IMPLEMENTED=YESWEBHOOK_RECEIVE_IMPLEMENTED=YESLIVE_SMTP_DELIVERY_IMPLEMENTED=YES unless separately provenLIVE_EXTERNAL_IMAP_MAILBOX_VERIFIED=YES unless the real external mailbox gate passed
Operator Checklist
- Deploy the latest final package and record the exact package SHA256.
- Place .env outside public/static, chmod 600 it, and chown it to the service user.
- Create /var/lib/xps-portal/evidence with chmod 750, or record the exact actual evidence path.
- Use a dedicated mailbox such as XPScerpto-Live-Verify rather than a busy INBOX.
- Deliver a non-secret verification message with subject XPScerpto Live IMAP Verification.
- Restart the service and run mandatory gates before the live verification gate.
- Check first sync import count, second sync duplicate count, cursor persisted, UIDVALIDITY recorded, and privacy scans.
- Confirm PRODUCTION_READY=NO even if live mailbox verification later passes.
Current Phase Status
| ADMIN_UX_CLOSED | YES |
|---|---|
| LIVE_EXTERNAL_IMAP_MAILBOX_VERIFIED | NO |
| LIVE_EXTERNAL_IMAP_BLOCKER | PATH_B_FAIL_CLOSED_WITH_EXACT_REAL_EXTERNAL_MAILBOX_CREDENTIALS_NOT_PROVIDED |
| PRODUCTION_READY | NO |
| DOCS_ARABIC_FULL_I18N | NO_NOT_IMPLEMENTED |
If no live evidence is available, status remains NOT_AVAILABLE or blocked; the documentation center does not synthesize PASS.
XPScerpto Portal-3
الوثائق
تعرض XPScerpto بوابة لمنصة تشفير سيادية تركّز على حدود السلطة الصريحة، وتقارير الحالة المبنية على الأدلة، ولوحة تحرير منفصلة.
الوثائق
هذه البوابة تميّز بوضوح بين backend Python الحقيقي وبين runtime C++ الأصلي. أي ادعاء يبقى مقيدًا بالأدلة وبعقد الحقيقة التشغيلي.
Truth contract
No unproven production claim
production_ready is computed from native runtime attachment plus qualifying evidence; it is not an editorial toggle.