Security and privacy posture
uwwoe is deliberately small. Its privacy posture is anonymous-only: no account, no email, no password, no student number. This page is the public summary; the locked decisions live in the ADRs cited inline.
What the service stores
| Stored | Where | Why |
|---|---|---|
| HMAC verifier of your state token | State SQLite | Authenticate subsequent requests. We cannot recover the token from the verifier. |
| Your plan (terms, courses, statuses, grades, notes) | State SQLite | Persistence. |
catalog_version_id your plan was created against | State SQLite | Migration. |
expected_state_version counter | State SQLite | Optimistic concurrency. |
What the service does not store
- Your name, email, address, student number, or any other identifier.
- The raw bearer token (only the HMAC verifier survives).
- An audit log of academic state contents — by explicit policy (ADR 0019).
- Analytics events tied to identifiers.
- IP addresses in long-term storage. Access logs rotate; rate-limit state is in-process and short-lived.
Threat model summary
The deployed posture mitigates:
- Token theft via URL leakage — tokens never appear in URLs;
?token=is explicitly rejected with403. - Token theft via logs — access logs and metrics never carry the raw token. Gate 4 of every phase verifies this.
- Token theft via worker payloads — the Rust/WASM atlas worker receives only graph nodes and edges, never state or tokens. (ADR 0023)
- Mass enumeration of valid tokens — per-IP rate limit on state
endpoints; 429 with
Retry-After. (Rate limits) - Data exfiltration through the index — the published index is public catalog data only; it contains no PII.
- Cross-tenant overwrites — optimistic concurrency via
expected_state_version; mismatches return409 Conflict.
The deployed posture does not currently mitigate:
- Token theft via shoulder-surfing or device compromise — uwwoe is anonymous; if your device is compromised, your plan is too. There is no second factor.
- Coordinated abuse from a shared egress IP — rate limits collapse many real users to one bucket behind CGNAT / public Wi-Fi. Users affected by this can rate-limit unfairly. Mitigation is future work.
Hard delete
DELETE /api/v1/state/current with explicit confirmation is a hard
delete. After it succeeds:
- The state row is removed.
- The HMAC verifier is removed.
- A minimal tombstone is recorded with no academic state contents.
- The same token returns
401 unauthorizedthereafter, indistinguishable from any other unknown token.
There is no soft delete, no 30-day grace period, no admin restore path. (ADR 0019)
Transport security
- All public endpoints serve over HTTPS. Fly’s edge enforces
force_https = true. HSTS is enabled. - CORS is restricted to the allowed origins:
https://uwwoe.fyi,https://www.uwwoe.fyi,https://uwscrape.fly.dev. - The
Authorizationheader is the only accepted token transport.
Reporting a vulnerability
If you find a security issue:
- Do not open a public GitHub issue.
- Email the maintainer (contact is in the repository’s project metadata) with a clear reproduction and the affected commit hash.
- Allow a reasonable window before public disclosure.
uwwoe is a small, anonymous-only system — there is no bug bounty, but responsible reports are welcome and credited.
Audit surface
For auditors and operators:
- Architecture: state and privacy.
- Production deploy (P10) — full deploy posture.
- Decisions — every privacy-relevant ADR is locked.