Epic 6: Trust and audit UX — degraded banner, why-safe page, sidebar trust

UI visibility improvements:
- Degraded-mode banner: red alert bar at top of ALL pages when appliance
  state is not "trusted". Polls /api/observability/appliance-state every 30s.
- Sidebar trust indicator: third status dot showing network/privacy state
  (green "Offline Private" / yellow "Tor Only" / "Filtered" / red "Degraded")
- Profile badge already added in Epic 4

New "Why is this safe?" page:
- /why-safe route with plain-language explanation of security layers
- Sections: data stays local, what's running, what happens if something
  goes wrong, no telemetry, how to verify
- Dynamically shows active profile and network state
- Link from security.html: "Not sure what all this means?"

New documentation:
- docs/why-is-this-safe.md — non-UI version of the same content
- docs/telemetry-policy.md — explicit no-telemetry statement with
  verification commands (Epic 8 partial)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: SecAI-Hub

docs/telemetry-policy.md

@@ -0,0 +1,59 @@
+# Telemetry Policy
+
+**SecAI OS does not collect telemetry.** No data leaves the device unless explicitly enabled by the user.
+
+## What This Means
+
+| Category | Behavior |
+|----------|----------|
+| Usage analytics | Not collected |
+| Crash reports | Not sent externally |
+| Phone-home / heartbeat | None |
+| Update checks | Pulled by the device on a schedule, not pushed from a server |
+| DNS | Blocked by default (nftables). DNS leak detection runs locally. |
+| Model data | Never transmitted. Inference runs entirely on local hardware. |
+| Prompts and responses | Never logged to external services. Local audit logging optional. |
+
+## Network Access Requires Explicit Consent
+
+Network access is controlled by the active [profile](../files/system/etc/secure-ai/config/appliance.yaml):
+
+- **offline_private** (default): All egress blocked. No exceptions.
+- **research**: Tor-routed web search only, through the search mediator with PII stripping and differential privacy (decoy queries).
+- **full_lab**: Filtered outbound through the airlock proxy. All connections logged to the local audit chain.
+
+Switching profiles requires explicit user confirmation. The UI shows the privacy implications before applying.
+
+## Audit Trail
+
+All network-related events are recorded in the tamper-evident audit chain:
+
+- Profile changes (including who changed it and when)
+- Airlock connections (destination, sanitization applied, data size)
+- Search queries (stripped of PII, with decoy query counts)
+- Service state changes (which services started/stopped)
+
+The audit chain is hash-linked — any tampering is detectable via `verify-release.sh` or the Security Dashboard.
+
+## Verification
+
+To confirm no unexpected outbound connections:
+
+```bash
+# Check nftables rules (should show default-deny egress)
+sudo nft list ruleset | grep -A5 "chain output"
+
+# Check for active connections
+ss -tunap | grep -v '127.0.0.1'
+
+# DNS leak check (runs automatically on a timer)
+journalctl -u secure-ai-dns-leak-check --no-pager -n 5
+```
+
+## Policy Scope
+
+This policy covers the SecAI OS image and all bundled services. It does not cover:
+
+- Third-party models (their behavior during inference is constrained by sandboxing, but not guaranteed)
+- User-installed software (if the immutable OS is modified)
+- Network traffic from hypervisors when running in a VM

docs/why-is-this-safe.md

@@ -0,0 +1,60 @@
+# Why is SecAI OS Safe?
+
+This page explains SecAI OS security in plain language. For the full technical model, see [threat-model.md](threat-model.md) and the [Security Dashboard](http://127.0.0.1:8480/security) in the UI.
+
+## Your Data Stays on This Device
+
+SecAI OS runs all AI inference locally — on your hardware, using your GPU. No prompts, responses, or model data are sent to any cloud service. The network firewall blocks all outbound connections by default.
+
+## What's Running
+
+SecAI OS has three operating profiles:
+
+| Profile | Network | What It Means |
+|---------|---------|---------------|
+| **Maximum Privacy** (default) | Blocked | Nothing leaves your device. Not even DNS. |
+| **Web-Assisted Research** | Tor only | Search queries are anonymized through Tor with PII stripping. |
+| **Full Lab** | Filtered | Outbound traffic goes through the airlock proxy with logging. |
+
+You choose your profile at first boot. You can change it later from Settings. The active profile is always visible in the UI header.
+
+## What Happens If Something Goes Wrong
+
+| Scenario | Automatic Response |
+|----------|-------------------|
+| Tampered model detected | Quarantined and removed from the trusted store |
+| Integrity check fails | System degrades to safe mode, alerts you |
+| Suspicious agent activity | Agent frozen, airlock disabled, vault re-locked |
+| Bad OS update | Greenboot auto-rolls back to last known-good state |
+| Worst case | 3-level emergency panic: lock, wipe keys, or full wipe |
+
+## No Telemetry
+
+SecAI OS does **not** collect any telemetry:
+
+- No usage analytics
+- No crash reports sent externally
+- No phone-home or heartbeat
+- No automatic connections to external servers
+
+The only network activity is what you explicitly enable by switching to the "research" or "full lab" profile. See [telemetry-policy.md](telemetry-policy.md) for the full statement.
+
+## How to Verify
+
+You don't have to take our word for it:
+
+- **Security Dashboard** (`http://127.0.0.1:8480/security`) shows real-time verification: Secure Boot status, TPM2 sealing, audit chain integrity, model provenance, SLO compliance.
+- **Audit logs** are hash-chained — any tampering breaks the chain visibly.
+- **OS image** is cosign-signed with SLSA3 provenance attestation. Verify with:
+  ```bash
+  cosign verify --key cosign.pub ghcr.io/secai-hub/secai_os:latest
+  ```
+- **Every model** passes 7 automated stages (source policy, format gate, integrity, provenance, static scan, behavioral test, diffusion scan) before it can be used.
+- **Forensic export** bundles all verification evidence into a signed archive you can review offline.
+
+## Further Reading
+
+- [Threat Model](threat-model.md) — formal threat classes, invariants, residual risks
+- [Security Status](security-status.md) — implementation status of all 54 milestones
+- [Telemetry Policy](telemetry-policy.md) — no-telemetry guarantee
+- [Audit Quick Path](audit-quick-path.md) — step-by-step verification for auditors

services/ui/ui/app.py

@@ -592,6 +592,11 @@ def security_page():
     return render_template("security.html", active_page="security")
 
 
+@app.route("/why-safe")
+def why_safe_page():
+    return render_template("why-safe.html", active_page="security")
+
+
 @app.route("/updates")
 def updates_page():
     return render_template("updates.html", active_page="updates")

services/ui/ui/templates/base.html

@@ -586,6 +586,10 @@
                 <span class="status-dot gray" id="sidebar-system-dot"></span>
                 <span id="sidebar-system-text">System</span>
             </div>
+            <div class="status-indicator" id="sidebar-trust">
+                <span class="status-dot green" id="sidebar-trust-dot"></span>
+                <span id="sidebar-trust-text">Offline</span>
+            </div>
         </div>
     </aside>
 
@@ -603,6 +607,9 @@ <h1>{% block page_title %}{% endblock %}</h1>
                 <span class="topbar-badge" id="system-badge">system</span>
             </div>
         </header>
+        <div id="degraded-banner" style="display:none;background:var(--danger-subtle);border:1px solid var(--danger);border-radius:var(--radius);padding:0.5rem 1rem;margin:0 1rem 0.5rem;font-size:0.85rem;color:var(--danger)">
+            <strong>System integrity check failed.</strong> <a href="/security" style="color:var(--danger);text-decoration:underline">View details</a>
+        </div>
         <div class="content {% block content_class %}{% endblock %}">
             {% block content %}{% endblock %}
         </div>
@@ -775,39 +782,71 @@ <h3 id="modal-title"></h3>
                 var resp = await fetch('/api/profile');
                 var data = await resp.json();
                 var badge = document.getElementById('profile-badge');
+                var trustDot = document.getElementById('sidebar-trust-dot');
+                var trustText = document.getElementById('sidebar-trust-text');
                 var p = data.active || 'unknown';
                 var locked = data.locked || false;
                 if (p === 'offline_private') {
                     badge.textContent = locked ? 'offline (locked)' : 'offline';
                     badge.style.borderColor = 'var(--success)';
                     badge.style.color = 'var(--success)';
                     badge.title = 'Profile: Maximum isolation — no network';
+                    trustDot.className = 'status-dot green';
+                    trustText.textContent = 'Offline Private';
                 } else if (p === 'research') {
                     badge.textContent = locked ? 'research (locked)' : 'tor only';
                     badge.style.borderColor = 'var(--warning)';
                     badge.style.color = 'var(--warning)';
                     badge.title = 'Profile: Privacy-preserving research — Tor-routed';
+                    trustDot.className = 'status-dot yellow';
+                    trustText.textContent = 'Tor Only';
                 } else if (p === 'full_lab') {
                     badge.textContent = locked ? 'full lab (locked)' : 'filtered';
                     badge.style.borderColor = 'var(--accent)';
                     badge.style.color = 'var(--accent)';
                     badge.title = 'Profile: Full capability lab — filtered network';
+                    trustDot.className = 'status-dot yellow';
+                    trustText.textContent = 'Filtered';
                 } else {
                     badge.textContent = 'unknown';
                     badge.style.borderColor = 'var(--text-muted)';
                     badge.style.color = 'var(--text-muted)';
+                    trustDot.className = 'status-dot gray';
+                    trustText.textContent = 'Unknown';
                 }
             } catch(e) {
                 /* Profile API not available — non-critical */
             }
         }
 
+        async function pollApplianceState() {
+            try {
+                var resp = await fetch('/api/observability/appliance-state');
+                var data = await resp.json();
+                var banner = document.getElementById('degraded-banner');
+                var trustDot = document.getElementById('sidebar-trust-dot');
+                var trustText = document.getElementById('sidebar-trust-text');
+                if (data.state && data.state !== 'trusted') {
+                    banner.style.display = 'block';
+                    trustDot.className = 'status-dot red';
+                    trustText.textContent = 'Degraded';
+                } else {
+                    banner.style.display = 'none';
+                }
+            } catch(e) {
+                /* Observability API not available — hide banner */
+                document.getElementById('degraded-banner').style.display = 'none';
+            }
+        }
+
         pollVaultStatus();
         pollSystemStatus();
         pollProfileStatus();
+        pollApplianceState();
         setInterval(pollVaultStatus, 10000);
         setInterval(pollSystemStatus, 15000);
         setInterval(pollProfileStatus, 30000);
+        setInterval(pollApplianceState, 30000);
 
         /* Close sidebar on mobile when clicking main area */
         document.querySelector('.main').addEventListener('click', function() {

services/ui/ui/templates/security.html

@@ -4,6 +4,8 @@
 {% block content_class %}content-wide{% endblock %}
 
 {% block content %}
+<p style="margin-bottom:0.75rem"><a href="/why-safe" style="color:var(--accent);font-size:0.9rem">Not sure what all this means? Read "Why is this safe?"</a></p>
+
 <!-- Appliance Health Banner -->
 <div class="card" id="appliance-banner" style="margin-bottom:1rem;border-left:4px solid var(--text-muted)">
     <div class="card-header">

services/ui/ui/templates/why-safe.html

@@ -0,0 +1,89 @@
+{% extends "base.html" %}
+{% block title %}Why is this safe? — SecAI OS{% endblock %}
+{% block page_title %}Why is this safe?{% endblock %}
+
+{% block content %}
+<div style="max-width:720px">
+
+    <div style="background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);padding:1.25rem;margin-bottom:1rem">
+        <h3 style="margin-bottom:0.5rem;color:var(--success)">Your data stays on this device</h3>
+        <p style="color:var(--text-secondary);line-height:1.6">
+            SecAI OS runs all AI inference locally — on your hardware, using your GPU.
+            No prompts, responses, or model data are sent to any cloud service.
+            The network firewall blocks all outbound connections by default.
+        </p>
+    </div>
+
+    <div style="background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);padding:1.25rem;margin-bottom:1rem">
+        <h3 style="margin-bottom:0.5rem">What's running right now</h3>
+        <p style="color:var(--text-secondary);line-height:1.6;margin-bottom:0.75rem">
+            Your appliance is running in the <strong id="ws-profile">offline_private</strong> profile.
+        </p>
+        <ul style="color:var(--text-secondary);line-height:1.8;padding-left:1.25rem">
+            <li id="ws-network">Network: <strong>blocked</strong> — no data leaves this device</li>
+            <li>Vault: encrypted with AES-256 (LUKS2 + Argon2id)</li>
+            <li>Models: verified through a 7-stage quarantine pipeline before use</li>
+            <li>Services: sandboxed with seccomp-BPF, Landlock, and systemd hardening</li>
+            <li>Audit: tamper-evident hash-chained logs record all security events</li>
+        </ul>
+    </div>
+
+    <div style="background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);padding:1.25rem;margin-bottom:1rem">
+        <h3 style="margin-bottom:0.5rem">What happens if something goes wrong</h3>
+        <ul style="color:var(--text-secondary);line-height:1.8;padding-left:1.25rem">
+            <li><strong>Tampered model detected:</strong> automatically quarantined and removed</li>
+            <li><strong>Integrity check fails:</strong> system degrades to safe mode, alerts you</li>
+            <li><strong>Suspicious activity:</strong> agent frozen, airlock disabled, vault re-locked automatically</li>
+            <li><strong>Bad update:</strong> Greenboot rolls back to the last known-good state</li>
+            <li><strong>Worst case:</strong> 3-level emergency panic — lock, wipe keys, or full wipe</li>
+        </ul>
+    </div>
+
+    <div style="background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);padding:1.25rem;margin-bottom:1rem">
+        <h3 style="margin-bottom:0.5rem">No telemetry</h3>
+        <p style="color:var(--text-secondary);line-height:1.6">
+            SecAI OS does not collect any telemetry. No usage analytics, no crash reports,
+            no phone-home, no heartbeat. The only network activity is what you explicitly
+            enable by switching to the "research" or "full lab" profile — and even then,
+            all traffic is Tor-routed with PII stripping.
+        </p>
+    </div>
+
+    <div style="background:var(--surface);border:1px solid var(--border);border-radius:var(--radius-lg);padding:1.25rem;margin-bottom:1rem">
+        <h3 style="margin-bottom:0.5rem">How to verify</h3>
+        <p style="color:var(--text-secondary);line-height:1.6;margin-bottom:0.5rem">
+            You don't have to take our word for it:
+        </p>
+        <ul style="color:var(--text-secondary);line-height:1.8;padding-left:1.25rem">
+            <li>The <a href="/security" style="color:var(--accent)">Security dashboard</a> shows real-time verification status</li>
+            <li>Audit logs are hash-chained — any tampering breaks the chain visibly</li>
+            <li>The OS image is cosign-signed with SLSA3 provenance attestation</li>
+            <li>Every model passes 7 stages of automated verification before use</li>
+            <li><a href="/security" style="color:var(--accent)">Export a forensic bundle</a> for independent verification</li>
+        </ul>
+    </div>
+
+    <p style="color:var(--text-muted);font-size:0.85rem;text-align:center;margin-top:1rem">
+        For the full technical security model, see the <a href="/security" style="color:var(--accent)">Security dashboard</a>.
+    </p>
+</div>
+
+<script nonce="{{ csp_nonce }}">
+(async function() {
+    try {
+        var resp = await fetch('/api/profile');
+        var data = await resp.json();
+        var p = data.active || 'offline_private';
+        document.getElementById('ws-profile').textContent = p.replace(/_/g, ' ');
+        var netEl = document.getElementById('ws-network');
+        if (p === 'offline_private') {
+            netEl.innerHTML = 'Network: <strong>blocked</strong> — no data leaves this device';
+        } else if (p === 'research') {
+            netEl.innerHTML = 'Network: <strong>Tor only</strong> — queries are anonymized through Tor';
+        } else if (p === 'full_lab') {
+            netEl.innerHTML = 'Network: <strong>filtered</strong> — outbound traffic goes through the airlock';
+        }
+    } catch(e) { /* non-critical */ }
+})();
+</script>
+{% endblock %}