Evidence-gated status

Claims remain locked until runtime evidence proves them.

Native runtime and qualifying production evidence are not both proven.

Production claimLocked
Native runtimeDetached
BackendReal
Last verified2026-07-13T09:00:34Z
Open Evidence Center
Public SurfaceEvidence-first read planeNo hidden production claim
User RouteScoped capsule workspaceGlobal authority blocked
Admin ControlEditorial + runtime governanceRoot powers excluded
Root-ControlLocal/hardware gatedOffline release authority

Mobile installable web shell

Install XPScerpto as a safe PWA shell.

The mobile shell may cache only public UI assets and safe public shells. Admin, correspondence, evidence, live IMAP status, API responses, cookies, CSRF tokens, message content, raw MIME, and attachments remain network-only/no-store.

Browser install prompt appears only when the browser exposes it.
PWA_INSTALLABLEYES
HOME_SCREEN_INSTALL_OBSERVEDYES_FROM_USER_SCREENSHOT
STANDALONE_MODEYES_FROM_USER_SCREENSHOT_OR_BROWSER_SIGNAL
OFFLINE_PUBLIC_SHELLYES
NATIVE_ANDROID_APKNO
NATIVE_IOS_APPNO
APP_STORE_READYNO
PLAY_STORE_READYNO
PRODUCTION_READYNO

HSMD / HSM Evidence Gate

HSMD — Hardware Trust Admission Gate

HSMD treats the presence of an HSM or PKCS#11 provider as a claim to verify, not as trust by default. It turns hardware trust into evidence-bound, authority-scoped claims before any XPScerpto domain may consume them.

PlatformHWDomains

HSMD / Evidence-bound Hardware Trust

HSMD admission path

A provider being configured is not enough; admission starts only when evidence can be bound, verified and replayed.

The purpose is not easy connector marketing. The purpose is preventing hardware trust from entering the platform as an unverifiable assertion.

01Provider discovery

Identify providers and slots without granting ambient trust.

02Device fingerprint

Bind slot, provider and policy identity beyond a file path.

03Challenge-sign

Verify a live cryptographic response from the expected hardware path.

04Receipt binding

Record an auditable admission receipt.

05Drift monitor

Provider, slot or identity drift returns the claim to fail-closed.

06Scoped admission

Domains consume only the admitted claim within explicit authority boundaries.

What HSMD refuses

PKCS#11 config alone

Configuration is not evidence.

Software fallback

It is not real HSM proof.

Mock provider

Testing only; never a live trust claim.

Stale evidence

Old receipts or unresolved drift fail closed.

Authority escalation

HSMD does not replace Platform authority.

Production overclaim

The page itself does not upgrade platform readiness.

Relationship to the platform

PlatformSets the base authority and external-world boundary.
HWReports hardware facts and capabilities without absolute trust.
HSMDAdmits HSM/PKCS#11 as bounded trust evidence.
DomainsConsume admitted claims only inside auditable boundaries.

Evidence-first UI

Truthful status boundary

This section explains HSMD scope; it does not declare real HSM proof or unlock production readiness.

HSM_PRESENTNOT_SUFFICIENT
PKCS11_CONFIGNOT_EVIDENCE
MOCK_PROVIDERTEST_ONLY
SOFTWARE_FALLBACKNOT_HSM_PROOF
ADMISSIONEVIDENCE_BOUND
FAIL_CLOSEDON_UNVERIFIABLE_OR_STALE_EVIDENCE