KB-1F33

UI Preview Master Homepage Governance Index — 07 Security / Forbidden / Self-Review

Revision 1
ui-preview, master-home, report, self-review, security, 2026-05-30

Security / Forbidden / Self-Review

Forbidden-list compliance

| rule | status |
| --- | --- |
| No production Nuxt implementation | OK — plain static HTML/CSS/JS |
| No business logic | OK — page only renders manifest.json |
| No PG mutation | OK — never connected to PG this session |
| No Directus mutation | OK |
| No Qdrant / vector write | OK |
| No event / job execution | OK |
| No workflow / task generation | OK |
| No secrets | OK — none read or written |
| No overwrite of existing previews | OK — mow/unified-canvas v1+v2 + _demo untouched (still 200) |
| No fake approval | OK — all approvals pending_user_review / none |
| No unversioned preview | OK — deployed under _master/v1/; no mutable pointer created |

Security notes

  • Page makes no backend calls — only fetch('manifest.json') from its own directory.
  • All dynamic values are HTML-escaped before injection (esc()); no innerHTML of raw manifest strings without escaping.
  • No inline event handlers from data; links use static target="_blank".
  • Inherits the existing server CSP (no per-location add_header), matching the established /ui-preview/ pipeline.
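
Added example (not the page's own code): one way to render manifest rows so that escaping holds for text, attributes, and link targets. The field names `name`, `status`, `spec_path`, the helpers `safeHref` and `renderRow`, the `rel` attribute, and the sample manifest are assumptions made for illustration; only `esc()` is named on the page, and its body here is a guess at a typical implementation.

```javascript
// Added example. Field names and sample data are constructed, not the real manifest contract.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value for HTML text or a double-quoted attribute.
function esc(value) {
  return String(value ?? '').replace(/[&<>"']/g, (c) => ESC[c]);
}

// Escaping alone does not neutralise javascript:/data: URLs, so link targets
// are limited to http(s) or a plain relative path; anything else becomes "#".
function safeHref(raw) {
  const s = String(raw ?? '');
  const absolute = /^https?:\/\/[^\u0000-\u0020\\]+$/i; // no control chars, spaces, backslashes
  const relative = /^(?!\/\/)[\w.\/~#?=&%-]+$/;         // no scheme, no protocol-relative //host
  return absolute.test(s) || relative.test(s) ? s : '#';
}

// Build one table row as a string; every manifest value passes through esc().
function renderRow(surface) {
  const status = String(surface.status ?? '');
  // Only simple tokens may become part of a class name.
  const cls = /^[a-z_]+$/.test(status) ? status : 'unknown';
  return `<tr class="status-${cls}">` +
    `<td>${esc(surface.name)}</td>` +
    `<td>${esc(status)}</td>` +
    // rel is added hardening for target="_blank"; it is not mentioned on the page.
    `<td><a href="${esc(safeHref(surface.spec_path))}" target="_blank" rel="noopener noreferrer">spec</a></td>` +
    `</tr>`;
}

function renderRows(manifest) {
  return (manifest.surfaces ?? []).map(renderRow).join('\n');
}

// Constructed sample: one ordinary entry and one hostile entry.
const sampleManifest = {
  surfaces: [
    { name: 'MOW Unified Canvas', status: 'idea', spec_path: 'ui/mow/spec.md' },
    { name: '<img src=x onerror=alert(1)>', status: 'idea" onmouseover="x', spec_path: 'javascript:alert(1)' },
  ],
};

console.log(renderRows(sampleManifest));
```
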

Self-review (acceptance criteria)

| criterion | verdict |
| --- | --- |
| Master Homepage deployed | PASS — HTTP 200 |
| manifest.json exists | PASS — HTTP 200, 19 surfaces |
| Master page links to MOW Unified Canvas v1 | PASS — backlink present |
| _master/spec.md and _master/review-log.md exist | PASS (+ manifest-contract.md) |
| ≥19 surface rows | PASS — exactly 19 |
| No unsafe mutation | PASS — zero DB/Directus/Qdrant writes |

Honest limitations

  • Status classifications are agent judgments from KB evidence; await GPT/User confirmation.
  • 13 surfaces are idea (backend exists, no UI spec) — not yet sketched.
  • Some surface spec_paths point at report-pack docs rather than dedicated ui/<surface>/spec.md files (which don't exist yet) — correct per current evidence.
  • No self-approval performed; the index is a draft pending review.

Overall: PASS

knowledge/dev/reports/architecture/ui-preview-master-homepage-governance-index-2026-05-30/07-security-forbidden-self-review.md