Evidence pack for the open research surface: implemented controls, operator-side checks and explicit non-claims. It is designed for security review without exposing secrets, tokens, hashes, IPs, user agents or request bodies.
read_only_open_buildauth:not registered in open mode
public endpoints are GET-oriented; Pro writes live only behind the separate Pro service
token_in_url:falsestorage:sessionStorage
separate /api/pro/v1 service with scoped API keys
MCP server enforces Host/Origin validation and a bounded request body
Private tools fail closed without a valid operator-issued key
mode:automated_fail_closedhuman_review:false
only trusted funds are eligible for scores, consensus and watchlist signals
This endpoint does not read systemd, Apache configs, journal logs, backup files or secrets. Those remain operator-side checks.
| Check | Status | Command |
|---|---|---|
| public_smoke | external_required | sudo EXPECTED_SHA=$SHA /opt/13flow/deploy/smoke-public.sh |
| pro_workspace_smoke | external_required | sudo EXPECTED_SHA=$SHA PRO_TOKEN="$PRO_TOKEN" /opt/13flow/deploy/smoke-pro-workspace.sh |
| encrypted_backup_restore | external_required | /opt/13flow/deploy/prepare-pro-backup-restore-check.sh and deploy/verify-pro-db-backup.sh on restore host |
| snapshot_timer | external_required | systemctl list-timers | grep 13flow-pro-workspace-snapshot |
tokens_echoed:falsesecrets_in_payloads:false
security posture exposes controls and evidence links, never keys, hashes, IPs, user agents or request bodies