Evidence-gated status

Claims remain locked until runtime evidence proves them.

Native runtime and qualifying production evidence are not both proven.

Production claimLocked
Native runtimeDetached
BackendReal
Last verified2026-07-13T09:00:43Z
Open Evidence Center
Public SurfaceEvidence-first read planeNo hidden production claim
User RouteScoped capsule workspaceGlobal authority blocked
Admin ControlEditorial + runtime governanceRoot powers excluded
Root-ControlLocal/hardware gatedOffline release authority

Mobile installable web shell

Install XPScerpto as a safe PWA shell.

The mobile shell may cache only public UI assets and safe public shells. Admin, correspondence, evidence, live IMAP status, API responses, cookies, CSRF tokens, message content, raw MIME, and attachments remain network-only/no-store.

Browser install prompt appears only when the browser exposes it.
PWA_INSTALLABLEYES
HOME_SCREEN_INSTALL_OBSERVEDYES_FROM_USER_SCREENSHOT
STANDALONE_MODEYES_FROM_USER_SCREENSHOT_OR_BROWSER_SIGNAL
OFFLINE_PUBLIC_SHELLYES
NATIVE_ANDROID_APKNO
NATIVE_IOS_APPNO
APP_STORE_READYNO
PLAY_STORE_READYNO
PRODUCTION_READYNO

XPScerpto Documentation Center

Runbook, evidence, live IMAP truth boundaries, and operator guidance.

This center explains safe deployment, server-side IMAP setup, the admin correspondence control room, evidence handling, privacy boundaries, troubleshooting, and claim limits. It is operational documentation, not marketing copy.

ADMIN_CONTROL_ROOM_UX_CLOSEDYES
ADMIN_UX_CLOSEDYES
LIVE_EXTERNAL_IMAP_MAILBOX_VERIFIEDNO
LIVE_EXTERNAL_IMAP_BLOCKERPATH_B_FAIL_CLOSED_WITH_EXACT_REAL_EXTERNAL_MAILBOX_CREDENTIALS_NOT_PROVIDED
PRODUCTION_READYNO

Current System Truth Status

ADMIN_CONTROL_ROOM_UX_CLOSED=YES. The live external mailbox gate remains LIVE_EXTERNAL_IMAP_MAILBOX_VERIFIED=NO with blocker PATH_B_FAIL_CLOSED_WITH_EXACT_REAL_EXTERNAL_MAILBOX_CREDENTIALS_NOT_PROVIDED. PRODUCTION_READY=NO.

Deployment Runbook

Safe deployment starts with source identity, a private server environment file, and clean replay of gates.

Required safe command examples

If the service user, group, or path differs, record the exact actual user, group, and path in the deployment evidence.

Live IMAP Setup

Password or token values are server-side only. The browser must never submit, display, or store mailbox credentials.

A dedicated mailbox such as XPScerpto-Live-Verify is recommended because it creates a small auditable scope, avoids unrelated private INBOX traffic, reduces duplicate ambiguity, and makes UID cursor evidence easier to inspect.

Live Message Preparation Guide

Before running the live gate, deliver at least one real message to the target external mailbox.

Live IMAP Verification Guide

Run python3 scripts/live_imap_deployment_gate.py from the clean extracted source tree. The gate performs a first sync, then a second sync to prove duplicate protection, UID cursor persistence, UIDVALIDITY recording, TLS-required behavior, and privacy-safe evidence.

Admin Control Room Guide

/admin/correspondence separates Live Mode, Mock / Dev Mode, and Blocked Mode. Operators should read Safe Env Status, Verification Wizard, Cursor / UIDVALIDITY state, Idempotence / Duplicate status, Evidence status, Systemd/env preflight, Outbound Reply Boundary, and Mock Replay boundary before taking action.

Evidence Center Guide

/evidence and the admin evidence panel expose sanitized operator artifacts only.

Allowed evidence content

  • hashes, timestamps, result codes, phase results, and safe metadata
  • UID cursor status, UIDVALIDITY status, duplicate count, and sanitized flags
  • message ID hashes and mailbox hash or masked mailbox labels

Forbidden evidence content

  • passwords, tokens, private keys, full .env files, or provider login responses containing credentials
  • raw MIME, full message bodies, raw SQLite dumps containing sensitive data, public attachment payloads, or public attachment links

Sanitized evidence downloads may include hashes, status flags, and counts; they must never include credential material, private payloads, or public attachment links.

Security and Privacy Boundaries

API Reference

These endpoints are admin-only and return sanitized data. No endpoint accepts IMAP password or token from the browser.

EndpointMethodPurposeBoundary
/api/admin/correspondence/live-statusGETReturns sanitized mode, env presence booleans, cursor, UIDVALIDITY, idempotence and evidence state.Admin auth required; no secret values returned.
/api/admin/correspondence/live-syncPOSTRuns server-side live IMAP sync only when backend, TLS, and credentials are present.Admin auth and CSRF required; browser never supplies password or token.
/api/admin/correspondence/live-verification-gatePOSTExecutes the same live truth criteria as the deployment gate and writes sanitized evidence only.Admin auth and CSRF required; mock cannot satisfy this gate.

Troubleshooting and Fail-Closed Blockers

Every blocker must be remediated with server-side configuration, code repair, or clean evidence replay. Unsafe shortcuts invalidate the phase.

BlockerMeaningSafe operator actionForbidden workaround
PATH_B_FAIL_CLOSED_WITH_EXACT_REAL_EXTERNAL_MAILBOX_CREDENTIALS_NOT_PROVIDEDServer-side mailbox auth/configuration is absent or incomplete.Add credentials only to the protected server .env and restart the service.Do not paste secrets into the browser, docs, Git, reports, or evidence.
PATH_B_FAIL_CLOSED_WITH_EXACT_IMAP_CONNECTION_OR_AUTH_BLOCKERThe external server could not be reached or authenticated over the required path.Check host, port 993, account status, app password/token policy, and network egress.Do not disable TLS or switch to mock evidence.
PATH_B_FAIL_CLOSED_WITH_EXACT_NO_LIVE_INBOUND_MESSAGE_IMPORTEDThe first live sync did not import a real message from the target mailbox.Deliver the non-secret verification message to the dedicated mailbox and rerun the gate.Do not inject rows into SQLite or use mock_messages JSON.
PATH_B_FAIL_CLOSED_WITH_EXACT_LIVE_IMAP_UID_CURSOR_BLOCKERThe UID cursor was not persisted after live sync.Check data directory permissions and service user ownership.Do not manually edit cursor state to fake a pass.
PATH_B_FAIL_CLOSED_WITH_EXACT_LIVE_IMAP_IDEMPOTENCE_BLOCKERThe second sync imported duplicates.Inspect UID cursor and message identity hashing, then rerun from a clean controlled mailbox.Do not delete duplicate evidence or change counts manually.
PATH_B_FAIL_CLOSED_WITH_EXACT_LIVE_IMAP_UIDVALIDITY_BLOCKERUIDVALIDITY is missing or inconsistent.Record the provider UIDVALIDITY and reset only through a documented mailbox migration path.Do not ignore UIDVALIDITY rollover.
PATH_B_FAIL_CLOSED_WITH_EXACT_LIVE_IMAP_PRIVACY_AUDIT_BLOCKERA privacy scan or sanitized evidence check failed.Remove sensitive material from evidence/logs and rerun privacy scans.Do not publish raw provider payloads.
PATH_B_FAIL_CLOSED_WITH_EXACT_GATE_FAILUREA mandatory product, security, syntax, or test gate failed.Fix the failing gate and replay from a clean tree.Do not delete tests or weaken gates.
PATH_B_FAIL_CLOSED_WITH_EXACT_FRONTEND_SECRET_EXPOSUREFrontend code references mailbox secrets as exposed values.Remove all browser-side secret material and rerun scans.Do not obfuscate secrets in JavaScript.
PATH_B_FAIL_CLOSED_WITH_EXACT_PRIVACY_UI_EVIDENCE_EXPOSUREUI or evidence exposed raw provider data or sensitive content.Replace with hashes, previews, or sanitized flags.Do not show raw MIME or complete bodies in admin/audit UI.
PATH_B_FAIL_CLOSED_WITH_EXACT_MOCK_LIVE_CONFUSION_BLOCKERMock replay could be confused with live verification.Separate dev controls visually and technically from live gates.Do not allow mock to set live verified.
PATH_B_FAIL_CLOSED_WITH_EXACT_OUTBOUND_DELIVERY_FALSE_CLAIMOutbound UI claimed external delivery without proof.Label replies as recorded locally unless live SMTP is separately proven.Do not use sent/delivered labels as marketing shortcuts.

Claim Boundaries

Allowed current claims

  • CORRESPONDENCE_ADMIN_LIVE_IMAP_OPERATIONS_UX_CLOSED=YES
  • INBOUND_MAILBOX_INTEGRATION_IMPLEMENTED=YES
  • SERVER_SIDE_IMAP_ADAPTER_IMPLEMENTED=YES
  • LIVE_EXTERNAL_IMAP_MAILBOX_VERIFIED=NO
  • PRODUCTION_READY=NO

Forbidden claim tokens

  • PRODUCTION_READY=YES
  • GDPR_COMPLETE=YES
  • SECURITY_COMPLETE=YES
  • PGP_IMPLEMENTED=YES
  • E2E_ENCRYPTION_IMPLEMENTED=YES
  • ENCRYPTED_AT_REST=YES unless separately proven
  • GMAIL_API_IMPLEMENTED=YES
  • MICROSOFT_GRAPH_IMPLEMENTED=YES
  • WEBHOOK_RECEIVE_IMPLEMENTED=YES
  • LIVE_SMTP_DELIVERY_IMPLEMENTED=YES unless separately proven
  • LIVE_EXTERNAL_IMAP_MAILBOX_VERIFIED=YES unless the real external mailbox gate passed

Operator Checklist

  1. Deploy the latest final package and record the exact package SHA256.
  2. Place .env outside public/static, chmod 600 it, and chown it to the service user.
  3. Create /var/lib/xps-portal/evidence with chmod 750, or record the exact actual evidence path.
  4. Use a dedicated mailbox such as XPScerpto-Live-Verify rather than a busy INBOX.
  5. Deliver a non-secret verification message with subject XPScerpto Live IMAP Verification.
  6. Restart the service and run mandatory gates before the live verification gate.
  7. Check first sync import count, second sync duplicate count, cursor persisted, UIDVALIDITY recorded, and privacy scans.
  8. Confirm PRODUCTION_READY=NO even if live mailbox verification later passes.

Current Phase Status

ADMIN_UX_CLOSEDYES
LIVE_EXTERNAL_IMAP_MAILBOX_VERIFIEDNO
LIVE_EXTERNAL_IMAP_BLOCKERPATH_B_FAIL_CLOSED_WITH_EXACT_REAL_EXTERNAL_MAILBOX_CREDENTIALS_NOT_PROVIDED
PRODUCTION_READYNO
DOCS_ARABIC_FULL_I18NNO_NOT_IMPLEMENTED

If no live evidence is available, status remains NOT_AVAILABLE or blocked; the documentation center does not synthesize PASS.

XPScerpto Portal-3

Dokumente

XPScerpto zeigt ein souveränitätsorientiertes Kryptografie-Portal mit klaren Autoritätsgrenzen, evidenzbasierter Statusanzeige und separater redaktioneller Steuerung.

PlatformHWDomains

Dokumente

Dieses Portal trennt den realen Python-Backendbetrieb vom nativen C++-Runtime. Aussagen bleiben durch Nachweise und den Runtime-Truth-Contract begrenzt.

Truth contract

No unproven production claim

production_ready is computed from native runtime attachment plus qualifying evidence; it is not an editorial toggle.