Gate fabric session endpoint through node config

agents/rap-node-agent/internal/agent/payload.go

@@ -7,7 +7,7 @@ import (
 	"github.com/example/remote-access-platform/agents/rap-node-agent/internal/state"
 )
 
-const Version = "0.2.279-vpnperf"
+const Version = "0.2.280-fabricsession"
 
 func EnrollmentPayload(clusterID, joinToken string, identity state.Identity) client.EnrollRequest {
 	return client.EnrollRequest{
@@ -37,6 +37,8 @@ func EnrollmentPayload(clusterID, joinToken string, identity state.Identity) cli
 			"vpn_fabric_packet_transport":     true,
 			"vpn_local_gateway_shortcut":      false,
 			"vpn_farm_owned_dataplane":        true,
+			"fabric_data_session_v1":          true,
+			"fabric_session_websocket_smoke":  true,
 			"vpn_backend_relay_fallback":      false,
 			"fabric_service_channel_required": true,
 			"external_backend_entry_proxy":    true,
@@ -64,6 +66,8 @@ func HeartbeatPayload() client.HeartbeatRequest {
 			"vpn_fabric_packet_transport":     true,
 			"vpn_local_gateway_shortcut":      false,
 			"vpn_farm_owned_dataplane":        true,
+			"fabric_data_session_v1":          true,
+			"fabric_session_websocket_smoke":  true,
 			"vpn_backend_relay_fallback":      false,
 			"fabric_service_channel_required": true,
 			"external_backend_entry_proxy":    true,

agents/rap-node-agent/internal/config/config.go

@@ -26,6 +26,7 @@ type Config struct {
 	EnrollmentPollTimeout                 time.Duration
 	MeshSyntheticRuntimeEnabled           bool
 	MeshProductionForwardingEnabled       bool
+	MeshFabricSessionEnabled              bool
 	MeshProductionObservationSinkCapacity int
 	MeshListenAddr                        string
 	MeshListenPortMode                    string
@@ -63,6 +64,7 @@ func Load(args []string, env map[string]string) (Config, error) {
 	fs.BoolVar(&cfg.WorkloadSupervisionEnabled, "workload-supervision-enabled", getEnvBool(env, "RAP_WORKLOAD_SUPERVISION_ENABLED", false), "Enable desired workload polling and status reporting. Disabled by default while service runtime is not implemented.")
 	fs.BoolVar(&cfg.MeshSyntheticRuntimeEnabled, "mesh-synthetic-runtime-enabled", getEnvBool(env, "RAP_MESH_SYNTHETIC_RUNTIME_ENABLED", false), "Enable C17A synthetic fabric probe runtime. Disabled by default.")
 	fs.BoolVar(&cfg.MeshProductionForwardingEnabled, "mesh-production-forwarding-enabled", getEnvBool(env, "RAP_MESH_PRODUCTION_FORWARDING_ENABLED", false), "Enable production fabric-control direct next-hop forwarding gate. Disabled by default.")
+	fs.BoolVar(&cfg.MeshFabricSessionEnabled, "mesh-fabric-session-enabled", getEnvBool(env, "RAP_MESH_FABRIC_SESSION_ENABLED", false), "Enable authenticated fabric session WebSocket endpoint. Disabled by default.")
 	fs.IntVar(&cfg.MeshProductionObservationSinkCapacity, "mesh-production-observation-sink-capacity", getEnvSignedInt(env, "RAP_MESH_PRODUCTION_OBSERVATION_SINK_CAPACITY", 0), "Bounded local metadata-only production envelope observation sink capacity. Disabled when 0.")
 	fs.StringVar(&cfg.MeshListenAddr, "mesh-listen-addr", getEnv(env, "RAP_MESH_LISTEN_ADDR", ""), "Listen address for disabled-by-default C17E synthetic mesh HTTP endpoint.")
 	fs.StringVar(&cfg.MeshListenPortMode, "mesh-listen-port-mode", getEnv(env, "RAP_MESH_LISTEN_PORT_MODE", "manual"), "Mesh listen port behavior: manual, auto, or disabled.")

agents/rap-node-agent/internal/config/config_test.go

@@ -20,6 +20,7 @@ func TestLoadConfigFromEnvAndArgs(t *testing.T) {
 		"RAP_ENROLLMENT_POLL_TIMEOUT_SECONDS":           "30",
 		"RAP_MESH_SYNTHETIC_RUNTIME_ENABLED":            "true",
 		"RAP_MESH_PRODUCTION_FORWARDING_ENABLED":        "true",
+		"RAP_MESH_FABRIC_SESSION_ENABLED":               "true",
 		"RAP_MESH_PRODUCTION_OBSERVATION_SINK_CAPACITY": "5",
 		"RAP_MESH_LISTEN_ADDR":                          "127.0.0.1:19001",
 		"RAP_MESH_LISTEN_PORT_MODE":                     "auto",
@@ -66,6 +67,9 @@ func TestLoadConfigFromEnvAndArgs(t *testing.T) {
 	if !cfg.MeshProductionForwardingEnabled {
 		t.Fatal("MeshProductionForwardingEnabled = false, want true")
 	}
+	if !cfg.MeshFabricSessionEnabled {
+		t.Fatal("MeshFabricSessionEnabled = false, want true")
+	}
 	if cfg.MeshProductionObservationSinkCapacity != 5 {
 		t.Fatalf("MeshProductionObservationSinkCapacity = %d, want 5", cfg.MeshProductionObservationSinkCapacity)
 	}

agents/rap-node-agent/internal/hostagent/config.go

@@ -29,6 +29,7 @@ type RuntimeConfig struct {
 	WorkloadSupervisionEnabled      bool
 	MeshSyntheticRuntimeEnabled     bool
 	MeshProductionForwardingEnabled bool
+	MeshFabricSessionEnabled        bool
 	MeshListenAddr                  string
 	MeshListenPortMode              string
 	MeshListenAutoPortStart         int

agents/rap-node-agent/internal/hostagent/docker.go

@@ -264,6 +264,7 @@ func NodeAgentEnvWithStateDir(cfg RuntimeConfig, stateDir string) []string {
 		"RAP_WORKLOAD_SUPERVISION_ENABLED=" + boolString(cfg.WorkloadSupervisionEnabled),
 		"RAP_MESH_SYNTHETIC_RUNTIME_ENABLED=" + boolString(cfg.MeshSyntheticRuntimeEnabled),
 		"RAP_MESH_PRODUCTION_FORWARDING_ENABLED=" + boolString(cfg.MeshProductionForwardingEnabled),
+		"RAP_MESH_FABRIC_SESSION_ENABLED=" + boolString(cfg.MeshFabricSessionEnabled),
 	}
 	if cfg.JoinToken != "" {
 		env = append(env, "RAP_JOIN_TOKEN="+cfg.JoinToken)

agents/rap-node-agent/internal/hostagent/linux.go

@@ -72,6 +72,7 @@ func LinuxInstallConfigFromProfile(profile LinuxInstallProfile) LinuxInstallConf
 			WorkloadSupervisionEnabled:      profile.WorkloadSupervisionEnabled,
 			MeshSyntheticRuntimeEnabled:     profile.MeshSyntheticRuntimeEnabled,
 			MeshProductionForwardingEnabled: profile.MeshProductionForwardingEnabled,
+			MeshFabricSessionEnabled:        profile.MeshFabricSessionEnabled,
 			MeshListenAddr:                  profile.MeshListenAddr,
 			MeshListenPortMode:              profile.MeshListenPortMode,
 			MeshListenAutoPortStart:         profile.MeshListenAutoPortStart,

agents/rap-node-agent/internal/hostagent/profile.go

@@ -30,6 +30,7 @@ type DockerInstallProfile struct {
 	WorkloadSupervisionEnabled        bool            `json:"workload_supervision_enabled"`
 	MeshSyntheticRuntimeEnabled       bool            `json:"mesh_synthetic_runtime_enabled"`
 	MeshProductionForwardingEnabled   bool            `json:"mesh_production_forwarding_enabled"`
+	MeshFabricSessionEnabled          bool            `json:"mesh_fabric_session_enabled"`
 	MeshListenAddr                    string          `json:"mesh_listen_addr"`
 	MeshListenPortMode                string          `json:"mesh_listen_port_mode"`
 	MeshListenAutoPortStart           int             `json:"mesh_listen_auto_port_start"`
@@ -72,6 +73,7 @@ type WindowsInstallProfile struct {
 	WorkloadSupervisionEnabled        bool            `json:"workload_supervision_enabled"`
 	MeshSyntheticRuntimeEnabled       bool            `json:"mesh_synthetic_runtime_enabled"`
 	MeshProductionForwardingEnabled   bool            `json:"mesh_production_forwarding_enabled"`
+	MeshFabricSessionEnabled          bool            `json:"mesh_fabric_session_enabled"`
 	MeshListenAddr                    string          `json:"mesh_listen_addr"`
 	MeshListenPortMode                string          `json:"mesh_listen_port_mode"`
 	MeshListenAutoPortStart           int             `json:"mesh_listen_auto_port_start"`
@@ -104,6 +106,7 @@ type LinuxInstallProfile struct {
 	WorkloadSupervisionEnabled        bool            `json:"workload_supervision_enabled"`
 	MeshSyntheticRuntimeEnabled       bool            `json:"mesh_synthetic_runtime_enabled"`
 	MeshProductionForwardingEnabled   bool            `json:"mesh_production_forwarding_enabled"`
+	MeshFabricSessionEnabled          bool            `json:"mesh_fabric_session_enabled"`
 	MeshListenAddr                    string          `json:"mesh_listen_addr"`
 	MeshListenPortMode                string          `json:"mesh_listen_port_mode"`
 	MeshListenAutoPortStart           int             `json:"mesh_listen_auto_port_start"`
@@ -281,6 +284,7 @@ func RuntimeConfigFromProfile(profile DockerInstallProfile) RuntimeConfig {
 		WorkloadSupervisionEnabled:      profile.WorkloadSupervisionEnabled,
 		MeshSyntheticRuntimeEnabled:     profile.MeshSyntheticRuntimeEnabled,
 		MeshProductionForwardingEnabled: profile.MeshProductionForwardingEnabled,
+		MeshFabricSessionEnabled:        profile.MeshFabricSessionEnabled,
 		MeshListenAddr:                  profile.MeshListenAddr,
 		MeshListenPortMode:              profile.MeshListenPortMode,
 		MeshListenAutoPortStart:         profile.MeshListenAutoPortStart,

agents/rap-node-agent/internal/hostagent/update.go

@@ -594,6 +594,7 @@ func (m DockerManager) runtimeConfigFromContainer(ctx context.Context, runner Co
 		WorkloadSupervisionEnabled:      parseBool(env["RAP_WORKLOAD_SUPERVISION_ENABLED"]),
 		MeshSyntheticRuntimeEnabled:     true,
 		MeshProductionForwardingEnabled: parseBool(env["RAP_MESH_PRODUCTION_FORWARDING_ENABLED"]),
+		MeshFabricSessionEnabled:        parseBool(env["RAP_MESH_FABRIC_SESSION_ENABLED"]),
 		MeshListenAddr:                  env["RAP_MESH_LISTEN_ADDR"],
 		MeshListenPortMode:              env["RAP_MESH_LISTEN_PORT_MODE"],
 		MeshListenAutoPortStart:         parseInt(env["RAP_MESH_LISTEN_AUTO_PORT_START"]),

agents/rap-node-agent/internal/hostagent/windows.go

@@ -66,6 +66,7 @@ func WindowsInstallConfigFromProfile(profile WindowsInstallProfile) WindowsInsta
 			WorkloadSupervisionEnabled:      profile.WorkloadSupervisionEnabled,
 			MeshSyntheticRuntimeEnabled:     profile.MeshSyntheticRuntimeEnabled,
 			MeshProductionForwardingEnabled: profile.MeshProductionForwardingEnabled,
+			MeshFabricSessionEnabled:        profile.MeshFabricSessionEnabled,
 			MeshListenAddr:                  profile.MeshListenAddr,
 			MeshListenPortMode:              profile.MeshListenPortMode,
 			MeshListenAutoPortStart:         profile.MeshListenAutoPortStart,