Refactor RDP proxy handling and update related tests
@@ -62,6 +62,88 @@ route and stream semantics.
|
||||
7. Mobile nodes are first-class nodes with stricter capability scoring.
|
||||
8. HTTP forwarding remains a compatibility and emergency fallback, not the
|
||||
primary high-speed data plane.
|
||||
9. There must be no single management service that can seize the fabric. Control,
|
||||
storage, update distribution, route authority, and certificate authority are
|
||||
fabric roles assigned to eligible nodes and protected by quorum signatures.
|
||||
A web/API endpoint is only an access replica for a signed state log, not the
|
||||
owner of cluster truth.
|
||||
10. IP addresses and DNS names are never authority. Nodes announce signed
|
||||
endpoint candidates for every usable interface, public/reflexive address,
|
||||
local segment address, reverse channel, and relay fallback. Neighbors select
|
||||
the usable candidate locally by policy, reachability, latency, load, and
|
||||
trust.
|
||||
|
||||
## Distributed Control And Trust
|
||||
|
||||
The target fabric behaves like a distributed network, not a client/server
|
||||
management product. The cluster has a replicated signed state log and many
|
||||
service replicas. Any node with the right role can serve API, storage, update,
|
||||
or route-coordinator duties, but no single replica can mutate cluster authority
|
||||
alone.
|
||||
|
||||
Required trust model:
|
||||
|
||||
- Every node has a long-lived node identity key and short-lived role
|
||||
certificates. The node identity is cryptographic; the current IP, hostname,
|
||||
NAT address, or container name is only an endpoint candidate.
|
||||
- Cluster authority is threshold-based. Root or high-risk changes require M-of-N
|
||||
signatures from authorized control-authority nodes or hardware/offline
|
||||
operator keys.
|
||||
- Role certificates are scoped by action, organization/tenant, service,
|
||||
partition, validity window, and allowed delegation depth.
|
||||
- Update releases, route leases, peer-directory epochs, storage shard placement,
|
||||
node approvals, role changes, and authority rotations are signed records in
|
||||
the state log.
|
||||
- A node accepts control data only when it can verify signatures, epoch/fencing,
|
||||
expiry, target cluster, target node or role scope, and monotonic generation.
|
||||
- A compromised API replica can withhold or delay data, but cannot forge updates,
|
||||
route authority, new certificates, node roles, or cluster ownership.
|
||||
- Bootstrap may use a temporary centralized signer for development, but
|
||||
production mode must mark that signer as non-authoritative unless quorum
|
||||
signatures are present.
|
||||
|
||||
Authority levels:
|
||||
|
||||
- `root-authority`: rotates cluster root and quorum membership. Offline or
|
||||
hardware-backed where possible. Rarely online.
|
||||
- `control-authority`: approves node join, role changes, policy epochs, and
|
||||
route-authority membership through quorum.
|
||||
- `route-authority`: signs short-lived route leases and relay/rendezvous
|
||||
assignments for a shard or partition.
|
||||
- `update-authority`: signs release metadata, compatibility, artifact hashes,
|
||||
rollback windows, and staged rollout policy.
|
||||
- `storage-authority`: signs storage shard manifests, replication factors,
|
||||
retention policy, and recovery epochs.
|
||||
- `observer-authority`: can sign telemetry observations only; it cannot mutate
|
||||
routing, roles, updates, or secrets.
|
||||
|
||||
Required anti-takeover controls:
|
||||
|
||||
- No bearer admin token may grant fabric-wide mutation without a signed authority
|
||||
envelope.
|
||||
- No node may accept unsigned update metadata or an artifact whose hash is not
|
||||
signed by update-authority quorum.
|
||||
- No node may accept unsigned route changes for production channels.
|
||||
- No node may promote itself into control, storage, update, relay, or route
|
||||
authority roles without a quorum-signed role certificate.
|
||||
- Authority and role certificates must have short validity, explicit scopes, and
|
||||
revocation/fencing epochs.
|
||||
- Nodes must pin the cluster root/quorum descriptor and reject unexpected root
|
||||
changes unless the old quorum signs the transition or an offline recovery
|
||||
policy is invoked.
|
||||
|
||||
Endpoint state is also distributed:
|
||||
|
||||
- Nodes publish signed endpoint-candidate sets containing local interfaces,
|
||||
public/reflexive STUN/ICE candidates, NAT group/local segment identifiers,
|
||||
relay fallback, and passive reverse-channel availability.
|
||||
- Endpoint candidates expire quickly. When a node changes IP, it reconnects
|
||||
passively to any reachable fabric peer or API replica and publishes a new
|
||||
signed candidate epoch.
|
||||
- Peers keep using cached valid candidates and route leases while refreshing
|
||||
from any reachable replica or neighbor gossip path.
|
||||
- Neighbor selection is local and latency/load-aware; the state log announces
|
||||
facts and policy, not a forced single next hop.
|
||||
|
||||
## Node Roles
|
||||
|
||||
|
||||