Zion Boggan
repos/Oversight/commits/9f26b3d
zionboggan.com ↗
Code Commits Tags

Add Outlook pilot landing page

Publish a hosted Outlook add-in pilot page and update the add-in docs, roadmap, changelog, and README to point testers at the manifest and remaining tenant load-test gate.

Co-authored-by: Codex (GPT-5.4) <noreply@openai.com>
9f26b3d   Zion Boggan committed on May 26, 2026 (3 weeks ago)
CHANGELOG.md +4 -0
@@ -64,6 +64,10 @@
Image watermarking writes the DCT mark and then preserves blind LSB recovery,
with tests for the Python-compatible mark sequence, DCT verification, and
adapter round trip.
+- **Outlook add-in hosted pilot page.** `integrations/outlook/index.html`
+ documents the hosted manifest URL, task pane URL, requested `ReadItem`
+ permission, same-origin viewer reuse, sideload steps, and remaining tenant
+ load-test gates for the Outlook read-mode inspector.
## v0.4.11 - 2026-05-08 Hardware-keys completion: Python parity, browser support, end-to-end seal
README.md +1 -0
@@ -10,6 +10,7 @@ No cloud vendor lock-in. No paid service required. No custom cryptography. Apach
**Website:** [https://oversight-protocol.github.io/oversight/](https://oversightprotocol.dev/)
**Mobile companion (verifier):** [oversight-protocol/oversight-mobile](https://github.com/oversight-protocol/oversight-mobile) - Flutter UI on top of the same Rust crates that power this CLI, currently in internal TestFlight beta.
+**Outlook add-in pilot:** [oversightprotocol.dev/integrations/outlook/](https://oversightprotocol.dev/integrations/outlook/), read-mode task pane that verifies and decrypts sealed attachments with the same browser inspector modules.
---
docs/OUTLOOK.md +6 -0
@@ -57,18 +57,24 @@ also coordinating an AppSource update if the add-in ever ships there.
The task pane HTML, JS, and the existing viewer modules all live on
`gh-pages`, served at `oversightprotocol.dev`. The path layout is:
+- `oversightprotocol.dev/integrations/outlook/`
- `oversightprotocol.dev/integrations/outlook/taskpane.html`
- `oversightprotocol.dev/integrations/outlook/taskpane.js`
+- `oversightprotocol.dev/integrations/outlook/manifest.xml`
- `oversightprotocol.dev/viewer/viewer.js` (already deployed)
- `oversightprotocol.dev/viewer/vendor/...` (already deployed)
Same-origin imports keep the security model simple: the task pane is treated
as one site by the browser, and Office's add-in sandbox enforces the rest.
+As of 2026-05-26, the hosted pilot page and manifest URL are live. The next
+gate is a real Outlook tenant load-test, not more static hosting work.
## Distribution
For a pilot the manifest is sideloaded:
+- **Hosted pilot page**:
+ `https://oversightprotocol.dev/integrations/outlook/`
- **Outlook on the web**: `Get Add-ins > My add-ins > Add a custom add-in
from URL/file`, point at the hosted manifest.
- **Outlook desktop**: same dialog from the ribbon.
docs/ROADMAP.md +8 -6
@@ -47,7 +47,8 @@ threat-model honesty, not on a calendar date.
inspector, classic-suite decrypt, and hybrid (post-quantum) decrypt
are all live.
3. Outlook add-in. **Scaffold landed 2026-05-07** (`integrations/outlook/`,
- `docs/OUTLOOK.md`); pilot in an Outlook tenant pending.
+ `docs/OUTLOOK.md`); hosted pilot page landed 2026-05-26, Outlook tenant
+ load-test pending.
4. One regulated-industry design-partner deployment.
5. SOC 2 Type 1 scoping in parallel with the design partner.
6. Broad public launch (HN, Reddit, conferences). Not before the inspector,
@@ -201,10 +202,11 @@ verify / decrypt directly from `oversightprotocol.dev/viewer/`. No
second crypto stack. Both classic and hybrid suites decrypt. Decision
record at `docs/OUTLOOK.md`.
-Remaining for a real pilot: 64 px / 128 px icons in
-`integrations/outlook/assets/`, an Outlook tenant load-test, and the
-manifest hosting deploy under `oversightprotocol.dev/integrations/outlook/`.
-Sealing-from-Outlook (compose mode) is intentionally deferred to v2.
+As of 2026-05-26, the hosted pilot page and manifest URL are live under
+`oversightprotocol.dev/integrations/outlook/`. Remaining for a real pilot:
+an Outlook tenant load-test against classic and hybrid sealed attachments,
+plus a final icon design pass before AppSource review. Sealing-from-Outlook
+(compose mode) is intentionally deferred to v2.
### Hardware `KeyProvider` in Rust
@@ -323,7 +325,7 @@ via VM and retype, hardware-key pull mid-open.
| 7 | Registry v1 spec + conformance harness + CORS | Shipped (v0.4.7) |
| 8 | Browser inspector, classic-suite decrypt, opsec scanner + CI | Shipped |
| 9 | Hybrid PQ decrypt in browser | Shipped (2026-05-03) |
-| 10 | Outlook add-in | Next |
+| 10 | Outlook add-in | Hosted pilot page live; tenant load-test next |
| 11 | Hardware KeyProvider in Rust | Suite shipped (v0.4.11); PIV provider next |
| 12 | Rust Axum registry, migration tooling | Migration validation shipped; deployment burn-in next |
| 13 | arXiv preprint, threat-model repo document | Mid-term |
integrations/outlook/README.md +16 -10
@@ -5,14 +5,17 @@ using the same parse/verify/decrypt pipeline as the public web inspector at
<https://oversightprotocol.dev/viewer/>. No second crypto stack, no second
container parser, no telemetry.
-Status: **scaffold**. The manifest, task pane HTML, and JS are wired up but
-nothing has been load-tested inside an Outlook tenant yet. The architecture
-decisions are recorded in [`docs/OUTLOOK.md`](../../docs/OUTLOOK.md).
+Status: **hosted pilot scaffold**. The manifest, task pane HTML, JS, icons,
+and pilot landing page are live under
+<https://oversightprotocol.dev/integrations/outlook/>. The remaining gate is
+an Outlook tenant load-test against classic and hybrid sealed attachments. The
+architecture decisions are recorded in [`docs/OUTLOOK.md`](../../docs/OUTLOOK.md).
## Files
| File | Purpose |
|---|---|
+| `index.html` | Hosted pilot page with sideload links, scope, and next checks |
| `manifest.xml` | Office add-in 1.1 manifest, `MailApp` type, read-mode task pane |
| `taskpane.html` | UI shell: status badge, attachment picker, manifest summary, decrypt panel |
| `taskpane.js` | Office.js + viewer-module integration; reuses `parseSealed`, `verifyManifestSignature`, `decryptSealed` |
@@ -20,8 +23,8 @@ decisions are recorded in [`docs/OUTLOOK.md`](../../docs/OUTLOOK.md).
## Hosting
-The task pane and its imports must be served over HTTPS from the URL declared
-in `manifest.xml` (`SourceLocation`). Production target is
+The task pane and its imports are served over HTTPS from the URL declared in
+`manifest.xml` (`SourceLocation`). Production target is
`https://oversightprotocol.dev/integrations/outlook/`, which lives under
`gh-pages` next to `viewer/`.
@@ -32,15 +35,17 @@ automatically once both paths are on the same host.
## Sideload (developer)
-1. Build a local manifest with `SourceLocation` pointing at your dev URL
+1. For the hosted pilot, use
+ `https://oversightprotocol.dev/integrations/outlook/manifest.xml` directly.
+2. For local development, build a local manifest with `SourceLocation` pointing at your dev URL
(e.g., `https://localhost:3000/integrations/outlook/taskpane.html` if you
are serving locally). Outlook requires HTTPS even for localhost; use
`office-addin-dev-certs` or your own self-signed pair.
-2. **Outlook on the web**: open any message > the More (`...`) menu >
+3. **Outlook on the web**: open any message > the More (`...`) menu >
`Get Add-ins` > `My add-ins` > `Add a custom add-in` > `Add from file...`
and pick your local `manifest.xml`.
-3. **Outlook desktop**: Home tab > `Get Add-ins` > same path.
-4. Open a message that has a `.sealed` or `.oversight` attachment. The task
+4. **Outlook desktop**: Home tab > `Get Add-ins` > same path.
+5. Open a message that has a `.sealed` or `.oversight` attachment. The task
pane will offer to load and verify it.
## Tenant install
@@ -61,7 +66,8 @@ message view.
## What's missing for a real pilot
-- [ ] Icons in `assets/` (64 px and 128 px PNG, transparent background).
+- [x] Hosted pilot page and manifest URL under `oversightprotocol.dev`.
+- [ ] Replace placeholder icons in `assets/` before AppSource review.
- [ ] A short demo video or screenshots for the AppSource listing once we
decide AppSource is in scope.
- [ ] End-to-end test inside an Outlook dev tenant against a hybrid `.sealed`
integrations/outlook/index.html +141 -0
@@ -0,0 +1,142 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+ <meta charset="utf-8">
+ <meta name="viewport" content="width=device-width, initial-scale=1">
+ <title>Outlook Add-in | Oversight Protocol</title>
+ <meta name="description" content="Hosted pilot page for the Oversight Outlook add-in, a read-mode task pane for verifying and decrypting sealed attachments.">
+ <meta name="author" content="Zion Boggan">
+ <link rel="preconnect" href="https://fonts.googleapis.com">
+ <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+ <link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700;800&display=swap" rel="stylesheet">
+ <link rel="stylesheet" href="../../css/style.css">
+</head>
+<body>
+
+<nav class="site-nav">
+ <div class="nav-inner">
+ <a href="../../" class="nav-brand"><span>Oversight</span> Protocol</a>
+ <ul class="nav-links">
+ <li><a href="../../">Home</a></li>
+ <li><a href="../../demo/">Demo</a></li>
+ <li><a href="../../viewer/">Inspect</a></li>
+ <li><a href="../../docs/">Docs</a></li>
+ <li><a href="../../research/">Research</a></li>
+ <li><a href="../../blog/">Blog</a></li>
+ <li><a href="../../about.html">About</a></li>
+ </ul>
+ </div>
+</nav>
+
+<main>
+ <div class="container">
+ <div class="page-header">
+ <h1>Oversight Inspector for Outlook</h1>
+ <p class="subtitle">Read-mode Outlook task pane for verifying and decrypting sealed attachments.</p>
+ </div>
+
+ <p>
+ The Outlook add-in is a thin wrapper around the same browser inspector
+ code that powers <a href="../../viewer/">the public Sealed File Inspector</a>.
+ It reads a <code>.sealed</code> or <code>.oversight</code> attachment from the
+ currently open message, verifies the issuer signature, shows the signed
+ manifest, and can decrypt the payload when the recipient supplies their
+ identity JSON. There is no second crypto stack and no telemetry.
+ </p>
+
+ <div class="card-grid">
+ <div class="card">
+ <h3>Status</h3>
+ <p>
+ Hosted pilot scaffold. The manifest, task pane, JavaScript, and icons
+ are live under <code>oversightprotocol.dev</code>. The remaining gate is
+ a real Outlook tenant load-test against classic and hybrid sealed
+ attachments.
+ </p>
+ </div>
+ <div class="card">
+ <h3>Permission</h3>
+ <p>
+ The add-in requests <code>ReadItem</code> only. It can read the open
+ message and its attachments, but it does not modify mail, send mail,
+ read folders, or persist private keys in Office storage.
+ </p>
+ </div>
+ <div class="card">
+ <h3>Crypto boundary</h3>
+ <p>
+ Parse, signature verification, and decrypt are imported from the
+ public viewer modules on the same origin. Office.js is used only to
+ fetch the selected attachment from Outlook.
+ </p>
+ </div>
+ </div>
+
+ <h2>Pilot URLs</h2>
+ <table>
+ <thead>
+ <tr><th>Artifact</th><th>URL</th></tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td>Manifest</td>
+ <td><a href="manifest.xml"><code>https://oversightprotocol.dev/integrations/outlook/manifest.xml</code></a></td>
+ </tr>
+ <tr>
+ <td>Task pane</td>
+ <td><a href="taskpane.html"><code>https://oversightprotocol.dev/integrations/outlook/taskpane.html</code></a></td>
+ </tr>
+ <tr>
+ <td>Implementation notes</td>
+ <td><a href="README.md"><code>integrations/outlook/README.md</code></a></td>
+ </tr>
+ </tbody>
+ </table>
+
+ <h2>Sideload for a pilot</h2>
+ <p>
+ Use the hosted manifest URL above for the first Outlook pilot. Outlook on
+ the web and Outlook desktop both expose custom add-in installation under
+ the Get Add-ins flow. A Microsoft 365 admin can also deploy the same
+ manifest from the admin center under Integrated apps.
+ </p>
+
+ <ol>
+ <li>Open Outlook on the web or desktop with a test mailbox.</li>
+ <li>Open Get Add-ins, then choose My add-ins and Add a custom add-in.</li>
+ <li>Use the hosted manifest URL or upload <code>manifest.xml</code>.</li>
+ <li>Open a message that has a <code>.sealed</code> or <code>.oversight</code> attachment.</li>
+ <li>Launch Oversight Inspector from the message surface and load the attachment.</li>
+ </ol>
+
+ <h2>What is intentionally out of scope</h2>
+ <p>
+ The v1 add-in is verify/decrypt only. Sealing from Outlook requires an
+ issuer key flow and a stronger key-management story, so compose-mode
+ sealing stays deferred to v2. The task pane also does not perform
+ attribution searches against the registry; attribution remains a server
+ and operator workflow.
+ </p>
+
+ <h2>Next pilot checks</h2>
+ <ul>
+ <li>Load the hosted manifest in an Outlook dev tenant.</li>
+ <li>Verify a classic sealed attachment end to end.</li>
+ <li>Verify a hybrid post-quantum sealed attachment end to end.</li>
+ <li>Confirm the task pane keeps recipient identity material in memory only.</li>
+ <li>Replace placeholder icons before any AppSource review.</li>
+ </ul>
+ </div>
+</main>
+
+<footer class="site-footer">
+ <div class="container">
+ <p>Oversight Protocol &copy; 2026 Zion Boggan. Apache 2.0 License.</p>
+ <p><a href="https://github.com/oversight-protocol/oversight">GitHub</a></p>
+ </div>
+</footer>
+
+<script src="../../js/nav.js" defer></script>
+</body>
+</html>