secure-xl2hwp-local local-first air-gapped docs-only public surface

Local-only spreadsheet automation with reviewer-proof handoff.

This page is intentionally not a SaaS front door. It is a public explainer for a secure local runtime whose strongest proof is the review path: trust boundary first, template-drift before export claims, then signed audit/export evidence for handoff.

Honest framing: GitHub Pages hosts the story. The regulated processing routes live only inside the local secure deployment.

01 · Trust boundary before features

Start with /ops/service-brief so reviewers see roles, signing posture, and why public runtime is intentionally out of scope.

02 · Template drift before export confidence

/ops/template-drift-preview is the key differentiator: it shows placeholder/spec mismatch risk before anyone treats output as production-ready.

03 · Reviewer bundle, not just a file export

/ops/review-pack, signed summary bundles, and /ops/audit/export/verify turn the handoff into auditable proof.

Fastest proof path for interviewers and reviewers

1
Open the service brief

Use /ops/service-brief to show the operating contract, trust boundary, allowed roles, and the intended review flow.

2
Show template-drift proof before claiming safe export

Use /ops/template-drift-preview to explain how placeholder gaps, spec mismatches, and reviewer hold points are surfaced before document generation is trusted.

3
End on signed reviewer evidence

Walk through /ops/review-pack, then show /ops/audit/export/summary.bundle.zip or /ops/audit/export/recent.bundle.zip and validate them with /ops/audit/export/verify.

Interview script

Use this when you need the clearest story in under two minutes.

"This is not a public SaaS demo. The design goal is local trust. I prove safety by showing the service brief, then template drift, then the signed review pack and export verification route."

Why template drift matters here

  • Spreadsheet contracts and Hancom templates evolve independently.
  • Reviewer confidence should come from mismatch visibility, not optimistic export success.
  • Drift preview creates a concrete approval gate before regulated artifacts move downstream.

Audit/export proof path

  • Audit summaries exist as JSON/CSV plus signed bundle outputs.
  • Review-pack copy points reviewers to the exact endpoints used for handoff.
  • Verification endpoint proves bundle integrity after transfer, not just at creation time.

Honest public framing

  • This public site explains the system; it does not host the processing runtime.
  • The strongest signal is deployment restraint plus evidence surfaces.
  • Local-only is part of the security story, not a missing commercialization step.

Best local review order

  • 1. /ops/service-brief — trust boundary, roles, signing mode, review contract.
  • 2. /ops/template-drift-preview — reviewer hold points for template/spec mismatch.
  • 3. /ops/runtime-scorecard — compact runtime posture before handoff.
  • 4. /ops/review-pack — reviewer sequence, proof assets, approval gate.
  • 5. /ops/audit/export/verify — post-export integrity check.

What to say in the interview

  • This repo is strongest when discussed as a local secure workflow, not a hosted app.
  • The hero proof is template drift plus reviewer-proof export evidence.
  • I start with contract surfaces, then show the drift gate, then the signed handoff route.

Public posture

  • Public site: documentation, proof route, and interview framing
  • Local runtime: actual processing, review-pack, signed export, verify endpoints
  • Recommended reviewer flow: brief -> drift -> runtime scorecard -> review pack -> verify