UAI-1 es la norma pública actual de mensajes para comunicación estructurada de IA a IA.
UAIX shield mark Carta pública de interoperabilidad UAIX.org 通用人工智能交换 Publicación pública de normas
Actual UAI-1
  • Versión actual UAI-1
  • Definición en lenguaje claro Formato de mensaje abierto para intercambio IA-a-IA auditable
  • Atribución actual Michael Joseph Kappel, MCP
  • Empiece aquí Inicio, Traspaso de proyecto, UAI-1, validador, hoja de ruta y registro de cambios

Gobernanza

Policy and Security

Trust-policy hub for licensing, security release discipline, and the dedicated privacy, accessibility, and analytics governance pages.

  • Record UAIX-GOVR-0076
  • Path /es-es/governance/policy-and-security/
  • Use Canonical public record

Document status

Public standards page Published on UAIX as part of the current public standards record
Code
UAIX-GOVR-0076
Surface
Gobernanza
Access
Public and linkable

如何使用本页

Use this page for the current public policy, license, security, accessibility, and analytics posture across the launch surface.

Review with

GobernanzaPrivacy and DataAccessibilityAnalytics

Policy Hub

Start here for the dedicated trust pages and cross-cutting release posture

This page now acts as the governance hub for licensing, security-sensitive release discipline, and the dedicated public pages for privacy and data, accessibility, and analytics.

Dedicated pages

Trust posture now has named child pages

Use Privacy and Data, Accessibility, and Analytics for the area-specific public posture instead of inferring it from scattered notes.

Security discipline

Keep hardening attached to public trust claims

HTTPS, security headers, discovery delivery, sitemap delivery, and machine-facing route behavior should stay aligned before support posture is widened.

Future work

Dedicated pages are published, institutions are not

Consent centers, policy offices, certification programs, and security operations desks still remain future work unless they are formally added to the public record.

Review with

GobernanzaAuthority and change-handling posture.Privacy and DataPublic data exposure and discovery posture.AccessibilityReadable launch and manual QA posture.AnalyticsMeasurement limits and telemetry-significant release work.Launch ReadinessGo-live response, package, accessibility, locale, and release-evidence gate.Referencia APIMachine-facing surface that trust questions often touch.Paquete de conformidadReusable evidence packet for release review.Registro de cambiosDated release trail for trust-significant changes.

Policy hub

How the dedicated trust pages fit beside licensing and security release posture

Use this matrix when a launch reviewer needs the whole trust-policy map without inferring broader institutional infrastructure than the site actually publishes.

Operating areaPublished nowVerify hereNot yet public
Licensing and package termsThe active public launch theme declares GPL v2 or later, and other distributed packages should be evaluated against their own shipped headers, notices, and bundled source terms.A broader site-wide trademark, certification, or institutional licensing program is not yet published.
Privacy and public dataPrivacy and Data is now the dedicated public posture page for readable public records, discovery behavior, and public-data-exposure changes.Broader consent centers, DPA workflows, or intake-policy stacks are not yet public.
Accessibility expectationsAccessibility is now the dedicated public posture page for readable text, keyboard reachability, mobile-safe layouts, and release-facing manual QA.A formal accessibility office, certification badge, or broader institutional program is not yet published.
Analytics and telemetryAnalytics is now the dedicated public posture page for measurement limits, telemetry-significant changes, and observable analytics behavior on the site.Published dashboards, disclosure portals, or broader consent-management workflows remain future work.
Security and release hardeningSecurity-significant release work currently means keeping HTTPS, security headers, .well-known delivery, sitemaps, validator behavior, and machine-facing routes aligned before widening support claims.UAIX does not yet publish a security operations center, incident desk, or universal runtime assurance program.

The dedicated trust pages are now published. This hub connects them to the cross-cutting licensing and security release posture.

Trust packet

How hub-level trust work should travel

Use this sequence when a release changes licensing, security-significant delivery, or any of the dedicated trust pages on the public site.

  1. Step 1

    Choose the affected trust page

  2. Step 2

    Check the observable surface

  3. Step 3

    Check machine-facing routes and artifacts

  4. Step 4

    Attach QA and conformance evidence

  5. Step 5

    Record the trust-significant change

If one part of the trust surface changes, publish the same change across the policy hub, any affected dedicated page, observable behavior, machine evidence, and the release trail before treating it as current public posture.

What this page is for

Use this page as the trust-policy hub for the UAIX launch surface. It connects the dedicated public pages for privacy and data, accessibility, and analytics to the current licensing and security release posture so reviewers can audit the whole trust layer from one governance section.

当前 policy map

  • Privacy and Data for the public-reading, discovery, and data-exposure posture.
  • Accessibility for readable-launch expectations, keyboard and mobile QA, and accessibility-significant release handling.
  • Analytics for the current published limits on measurement, telemetry-significant changes, and disclosure posture.
  • Governance, the 变更日志, and News for the authority model, dated release trail, and public narrative around trust-significant changes.

当前 licensing posture

  • Active public launch theme: the current UAIX Authority theme declares GPL v2 or later in its public package header.
  • Other packaged artifacts: evaluate each distributed package against its own shipped header, notice, or bundled source terms rather than assuming one broader site-wide code license where none has yet been published.
  • Public standards pages: treat the canonical page paths as the public reading, citation, and review surface for UAI-1 and related records. Do not infer a broader trademark, certification, or endorsement right from public availability alone.

Security and release discipline

  • The public site is a standards and publication surface, not a live security gateway or managed trust service.
  • 上线检查 should keep HTTPS, security headers, .well-known delivery, sitemap delivery, validator behavior, and machine-facing route inventory aligned before public support claims are widened.
  • Use API 参考, 一致性包, the 验证器, and Implementations when a release needs reviewable machine evidence instead of prose-only assurance.

Observable response hardening

Use the section below when a launch reviewer needs the concrete response-header layer that now backs the public trust posture on WordPress-rendered routes, plus the boundary between app-level hardening and host-level deployment work.

Security posture

Public response hardening that now backs the launch trust surface

Use this section when a launch reviewer needs the exact response-header layer that now ships with the public WordPress surface, plus the boundary between app-level hardening and edge-level deployment work.

X-Content-Type-Options

nosniff

防止公开标准页面和机器可读路由发生内容类型嗅探。

Applied to: 公开 HTML、JSON、XML 以及类似的 WordPress 渲染响应。

Referrer-Policy

strict-origin-when-cross-origin

Keeps cross-origin referrer leakage narrower while preserving same-origin debugging context.

Applied to: 可能产生外部请求的公开文档和 API 响应。

Permissions-Policy

accelerometer=(), browsing-topics=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()

明确声明启动表面不依赖特权浏览器能力,也不依赖基于 Topics 的广告功能。

Applied to: Public WordPress-rendered pages and machine-facing routes.

X-Frame-Options

SAMEORIGIN

Blocks third-party framing while preserving same-origin editorial and preview flows.

Applied to: Public WordPress-rendered pages and JSON responses.

Content-Security-Policy

frame-ancestors 'self'

Makes the framing boundary explicit in modern browsers without claiming a broader full-site CSP yet.

Applied to: Public WordPress-rendered pages and machine-facing routes.

Strict-传输-Security

max-age=31536000; includeSubDomains

把浏览器后续访问固定到规范上线主机的 HTTPS,而不只依赖政策文案。

Applied to: 请求通过 HTTPS 提供时的公开 WordPress 渲染 HTML 和 REST 响应。

Live now

Observable on WordPress responses now

  • 已从公开响应中移除回链响应头。
  • Host- or proxy-level version headers still need server-side suppression if the launch environment adds them after WordPress runs.
  • These headers now travel with public WordPress-rendered HTML and REST responses instead of remaining only in roadmap prose.

Deployment gap

Still belongs to the host or edge layer

  • HTTP 到 HTTPS 重定向以及直接提供的静态文件的 HSTS 覆盖仍属于上线主机或 CDN 边缘层,因为本地 Studio 环境使用普通 HTTP。
  • 任何直接提供的静态根文件都应在服务器或边缘层检查,以确保其响应头与 WordPress 渲染的信任姿态保持一致。
  • 凡是部署栈在 WordPress 之外附加的主机级版本暴露,例如代理或 PHP 签名头,都应在相应层面被抑制。
  • 更广泛的 CSP 指令应在面向生产的资源与嵌入行为相对于启动主机验证通过之后再添加。

Scope boundary: 当前响应头层适用于公开的 WordPress 前端和 REST 响应,包括验证器和面向机器的评审路由;HSTS 只在 HTTPS 请求上发送。

政策与安全 Referencia API Validador Paquete de conformidad

How these policy pages fit together

  • Use this page as the hub: start here when the question is “which published policy surface should I read next?”
  • Use the dedicated pages for the actual posture: Privacy and Data, Accessibility, and Analytics each publish the current launch-stage boundary for that area.
  • Use 引用 and Contributors and /.well-known/uaix.json when a reviewer needs the current public discovery and handoff packet without relying on screenshots or private instructions.

Principles-based policy review

  • Cognitive-agency review: changes that affect lawful inquiry, viewpoint handling, behavioral conditioning, ranking, profiling, consent, telemetry, or automated authority require principles impact assessment.
  • Memory promotion review: external source material, generated summaries, old chats, and dropped files stay quarantined until source, checksum, review state, redaction decision, promotion target, and rollback path are recorded.
  • Support-claim review: certification, endorsement, legal-standing, SDK, CLI, runtime-control, hosted-import, automatic-sync, security-operations, consent-center, and policy-office language must remain future or research-track unless explicit public evidence exists.
  • Public-record review: when trust posture changes, update the canonical page, machine artifact, tests, release trail, roadmap state, and local .uai memory together.

What is still future work

  • A broader consent center, account-intake policy stack, or institutional legal program beyond what the site explicitly publishes today.
  • A published certification authority, public security operations center, or claims of universal runtime assurance beyond the named 实施轨道 and release evidence.
  • A broader multi-stakeholder governance body, contact center, or policy office unless and until those are formally published on canonical UAIX pages.

下一步 step

Continue to Privacy and Data, Accessibility, or Analytics for the detailed public posture in each area, then use 变更日志 and News when a trust-significant change needs dated release context.