@@ -1,20 +1,28 @@
# Security And Secrets Readiness

Status: P3.3 test-stand smoke complete for encrypted resource secrets,
assignment-time resolution, and production fallback behavior with smoke-only
direct worker WSS trust.
Archived scope note: this document records an earlier RDP/direct-worker trust
and secret-handling stage. It is not the current source of truth for fabric
transport architecture. The active inter-node transport model is QUIC-only; see
`docs/architecture/DISTRIBUTED_FABRIC_NODE_PROTOCOL_PLAN.md`,
`docs/architecture/FABRIC_FIRST_TRANSPORT_AND_STRESS_PLAN.md`, and
`docs/architecture/SECURE_ACCESS_FABRIC_TARGET.md`.

Status: P3.3 historical test-stand smoke complete for encrypted resource
secrets, assignment-time resolution, and legacy RDP baseline behavior with
smoke-only direct-worker trust.

This document defines the next security hardening layer around the accepted RDP
MVP baseline. It does not implement mesh, VPN, server-to-client download, new
protocol adapters, or another RDP rendering mode.

## Current Accepted Baseline
## Current Accepted Historical RDP Baseline

- RDP worker baseline: `rap-rdp-worker:rdp-p1-region-order2`
- Backend control plane remains source of truth.
- Redis remains live coordination/routing only.
- Direct worker WSS is preferred for realtime RDP.
- Backend gateway remains fallback/debug.
- Historical direct-worker WSS was the preferred realtime RDP path in this
stage.
- Historical backend gateway remained a fallback/debug path for this stage.
- Text clipboard is policy-gated and accepted.
- Client-to-server file upload and restricted `RAP_Transfers` visibility are
accepted.
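Review bot: the paragraph beginning "This document defines the next security hardening layer around the accepted RDP MVP baseline" is left in the present tense directly under the new archived scope note, so the page now says both that it is archived and that it defines the next hardening layer; reword it to past tense ("This document defined ...") or fold it into the note. The note also archives the "secret-handling stage" but points only to the three fabric transport documents, so a reader has nowhere to follow encrypted resource secrets and assignment-time resolution forward; add the active reference for those or state that they are unchanged. Minor: "Backend control plane remains source of truth." and "Redis remains live coordination/routing only." keep "remains" while the neighbouring bullets were recast as "Historical ... in this stage"; either they are still current, in which case say so, or they should match the historical wording.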
@@ -124,22 +132,24 @@ Already accepted:
- worker rejects wrong worker, wrong attachment, wrong organization, wrong
resource, over-broad channels, failed/terminated sessions, and jti replay

Production still needs:
Production still needed for that stage:

- deployed certificate chain for direct worker WSS on production nodes
- pinned or platform-issued worker certificates in live production config
- deployed certificate chain for the historical direct-worker WSS path on
production nodes
- pinned or platform-issued worker certificates in live production config for
that historical path
- no smoke-only TLS bypass in production clients
- rotation process for data-plane signing keys
- audit for failed token validation/bind attempts

P3.2 guard exists:
P3.2 historical guard exists:

- backend distinguishes `smoke_insecure`, `public_ca`, and `platform_ca`
direct worker WSS trust modes
- production backend omits smoke-only direct candidates
- Windows production client skips untrusted or smoke-only direct candidates
- backend distinguished `smoke_insecure`, `public_ca`, and `platform_ca`
direct-worker trust modes for the historical RDP path
- production backend omitted smoke-only direct candidates on that path
- Windows production client skipped untrusted or smoke-only direct candidates

P3.3 test-stand smoke exists:
P3.3 historical test-stand smoke exists:

- `resource_secrets` migration is applied on `docker-test`
- backend runs as `APP_ENV=production` with a test-only
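Review bot: under the renamed heading "Production still needed for that stage:", the items "no smoke-only TLS bypass in production clients", "rotation process for data-plane signing keys" and "audit for failed token validation/bind attempts" are not specific to the direct-worker WSS path, yet the past-tense heading now implies they were retired along with it, and nothing in the hunk says they were delivered. Keep the two certificate items under the historical heading and move the other three to a list that states their current status, since signing-key rotation and failed token validation/bind auditing apply to whatever transport carries the token. Also, "P3.3 historical test-stand smoke exists:" keeps present-tense bullets ("migration is applied", "backend runs as") while the P3.2 block was recast to "distinguished"/"omitted"/"skipped"; pick one tense for the historical blocks.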
@@ -149,9 +159,9 @@ P3.3 test-stand smoke exists:
- `resources.metadata`, `remote_sessions.metadata`, and `audit_events` were
checked for plaintext username/password leakage
- production backend with `DATA_PLANE_DIRECT_WORKER_TLS_TRUST_MODE=smoke_insecure`
returns backend gateway fallback only
returned the historical backend gateway debug path only
- development/smoke backend with the same trust mode advertises the explicit
smoke-only direct worker WSS candidate
smoke-only historical direct-worker candidate
- `RAP_Transfers` smoke passed on the secret-backed resource

## Required Regression Tests
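Review bot: the bullet "production backend with `DATA_PLANE_DIRECT_WORKER_TLS_TRUST_MODE=smoke_insecure` ... returned the historical backend gateway debug path only" changes the result from "fallback" to "debug path", while the sibling development/smoke bullet still "advertises" (present tense) the historical candidate; make the tense consistent. The wording change matters beyond tense: "fallback" and "debug path" are different claims about what a production client received when the smoke-only candidate was suppressed, since a fallback is a supported path and a debug path is not. The "## Required Regression Tests" heading follows immediately, so the regression test covering this case should use the same term, and the baseline bullet that still reads "remained a fallback/debug path for this stage" should be aligned with whichever meaning is intended.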
@@ -202,8 +212,8 @@ P3.1 implemented audit events for:
assignment payload; a future resolver pull/token flow should reduce exposure
in Redis control queues.
- Worker still depends on plaintext assignment metadata for development smoke.
- Production direct worker WSS certificate issuance/rotation and platform CA
distribution are not complete.
- Production certificate issuance/rotation and platform CA distribution for the
historical direct-worker path are not complete.
- The test-stand secret key is a host-local test file, not a production KMS or
HSM-backed key.
- Automated end-to-end policy denial coverage is still thin.
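Review bot: "Production certificate issuance/rotation and platform CA distribution for the historical direct-worker path are not complete." leaves an open-risk item against a path the archived scope note says is no longer current; if the direct-worker WSS path is retired, close this as superseded by the QUIC-only transport rather than carrying it as incomplete work, otherwise it reads as an outstanding production gap. The other items in this list ("Worker still depends on plaintext assignment metadata", exposure "in Redis control queues", "host-local test file, not a production KMS or HSM-backed key", "policy denial coverage is still thin") concern secret handling rather than transport and are untouched by the rewording; since the document is now marked archived, either state that these risks still stand or point to where they are tracked, because an archived page is the wrong home for live open risks.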