Oversight Inspector for Outlook
Read-mode Outlook task pane for verifying and decrypting sealed attachments.
The Outlook add-in is a thin wrapper around the same browser inspector
code that powers the public Sealed File Inspector.
It reads a .sealed or .oversight attachment from the
currently open message, verifies the issuer signature, shows the signed
manifest, and can decrypt the payload when the recipient supplies their
identity JSON. There is no second crypto stack and no telemetry.
Status
Hosted pilot scaffold. The manifest, task pane, JavaScript, and icons
are live under oversightprotocol.dev. The remaining gate is
a real Outlook tenant load-test against classic and hybrid sealed
attachments.
Permission
The add-in requests ReadItem only. It can read the open
message and its attachments, but it does not modify mail, send mail,
read folders, or persist private keys in Office storage.
Crypto boundary
Parse, signature verification, and decrypt are imported from the public viewer modules on the same origin. Office.js is used only to fetch the selected attachment from Outlook.
Pilot URLs
| Artifact | URL |
|---|---|
| Manifest | https://oversightprotocol.dev/integrations/outlook/manifest.xml |
| Task pane | https://oversightprotocol.dev/integrations/outlook/taskpane.html |
| Implementation notes | integrations/outlook/README.md |
Sideload for a pilot
Use the hosted manifest URL above for the first Outlook pilot. Outlook on the web and Outlook desktop both expose custom add-in installation under the Get Add-ins flow. A Microsoft 365 admin can also deploy the same manifest from the admin center under Integrated apps.
- Open Outlook on the web or desktop with a test mailbox.
- Open Get Add-ins, then choose My add-ins and Add a custom add-in.
- Use the hosted manifest URL or upload
manifest.xml. - Open a message that has a
.sealedor.oversightattachment. - Launch Oversight Inspector from the message surface and load the attachment.
What is intentionally out of scope
The v1 add-in is verify/decrypt only. Sealing from Outlook requires an issuer key flow and a stronger key-management story, so compose-mode sealing stays deferred to v2. The task pane also does not perform attribution searches against the registry; attribution remains a server and operator workflow.
Next pilot checks
- Load the hosted manifest in an Outlook dev tenant.
- Verify a classic sealed attachment end to end.
- Verify a hybrid post-quantum sealed attachment end to end.
- Confirm the task pane keeps recipient identity material in memory only.
- Replace placeholder icons before any AppSource review.