# Local run — SolidPrivacy Scrub Status: minimal local Streamlit launcher for WP46, local privacy validation for WP47 and Windows portable proof-of-concept launcher for WP48. This local run path starts the existing Streamlit app on your own machine. It is intended for local confidential-processing validation after setup, not as a finished installer or desktop package. ## Python version assumption Use Python 3.10. This matches the current Docker base image and the `pyproject.toml` Python requirement. ## Install dependencies Recommended setup with Poetry: ```bash python -m pip install "poetry==1.8.5" poetry install --no-root poetry run python -m pip install --upgrade "packaging>=24.2,<27" poetry run python -m pip install python-docx pymupdf reportlab pypdf ``` The final install line mirrors the extra document/PDF packages installed by the current container startup environment. ## Run Scrub locally From the repository root: ```bash poetry run python scripts/run_local_streamlit.py ``` The launcher executes: ```bash python fix_streamlit_nested_expanders.py python fix_streamlit_pdf_text_reinsert.py python -m streamlit run presidio_streamlit.py --server.address 127.0.0.1 --server.port 8501 --server.headless true --browser.gatherUsageStats false ``` Open: ```text http://127.0.0.1:8501 ``` To use another local port: ```bash poetry run python scripts/run_local_streamlit.py --port 8502 ``` ## WP48 Windows portable proof of concept WP48 adds a Windows portable proof of concept wrapper: ```text scripts\run_windows_portable_poc.ps1 ``` From the repository root on Windows PowerShell: ```powershell powershell -ExecutionPolicy Bypass -File .\scripts\run_windows_portable_poc.ps1 ``` The wrapper delegates to the existing Python launcher: ```text scripts/run_local_streamlit.py ``` The wrapper defaults to `127.0.0.1` and port `8501`. It does not add a separate packaging system and does not change Streamlit UI behavior, upload/download/export/reinsert semantics, telemetry settings, cloud processing or dependency setup. WP48 is not a production installer, not an MSI, not PyInstaller packaging and not a full offline guarantee. It is only a portable Windows/Python proof of concept for a local repository folder. See also: ```text WINDOWS_PORTABLE_POC.md ``` ## Local-only warning This launcher binds Streamlit to `127.0.0.1` by default. That means the app is intended to be reachable only from the same machine. Do not change the address to `0.0.0.0` for confidential documents unless a later security review explicitly approves that deployment mode. ## Hugging Face demo boundary The Hugging Face Space remains a demo and development environment for synthetic or non-confidential examples. Do not process confidential real documents, real Scrub Keys, real audit reports or real client/care/legal material in the Hugging Face demo. Use the local runtime for confidential-processing validation after setup, and still treat the local runtime as an MVP validation path rather than a complete production security claim. ## Runtime privacy expectations The local launcher should pass only runtime options to Streamlit. It should not pass source document content, file names, Scrub Key values, restored output or audit content as command-line arguments. The launcher itself should not create application-managed temporary files, write document-content logs, configure telemetry or add network/cloud endpoints. Streamlit and the browser may still use normal local runtime memory, upload handling and local caches; WP47 validates these launcher and documentation boundaries but does not prove a full offline or network-traffic guarantee. Any temporary/runtime files introduced by future helpers must stay local, avoid original document snippets in logs, and be removed or documented explicitly. No installer, PyInstaller, Tauri, Electron, MSI or packaging behavior is introduced by the base local run path. WP48 adds only a Windows PowerShell proof-of-concept wrapper around the same local launcher. ## No telemetry / no cloud processing claim The command disables Streamlit usage stats with `--browser.gatherUsageStats false`. The current local launcher does not add AI processing, cloud document processing or telemetry endpoints. This is a local MVP boundary check, not a complete production security certification. ## No real data in the repo Do not commit real documents, real Scrub Keys, real audit reports, real names, real case files or real care data to this repository. Use synthetic examples for tests, screenshots and support diagnostics. ## What files are processed locally With this launcher, the existing Streamlit app processes uploaded documents in the local Python process: - source TXT, DOCX and supported PDF input selected in the browser; - scrubbed output generated by the app; - Scrub Key JSON selected or downloaded by the user; - restored TXT or DOCX output generated by reinsert flows; - audit/report downloads generated by the app. The current app should not upload document content for core scrub/review/reinsert flows. WP47 added local-runtime privacy tests for launcher/documentation boundaries, while later work is still needed before production security claims. ## What is not guaranteed yet This is not yet: - a Windows installer; - an MSI; - a PyInstaller package; - a Tauri or Electron desktop app; - a signed or managed enterprise deployment; - a full offline guarantee; - a network-traffic validation result; - a temp-file privacy validation result; - a guarantee that every optional model or dependency is already available offline; - a change to Streamlit UI behavior; - a change to export or reinsert semantics. ## Next validation step Next recommended workpackage: ```text WP49 — Desktop packaging decision ``` WP49 should decide the longer-term packaging direction across Streamlit/Python folder, PyInstaller, Tauri, Electron or managed enterprise deployment before any production installer claim.