# Current Baseline Matrix

Date: 2026-04-26

Purpose: single operational snapshot of the current project baseline.

This file is not a target architecture document. It describes what is currently proven, what is merely implemented, and what remains unproven.

## Environment

Canonical test environment:

```text
Docker host: 192.168.200.61
SSH alias: docker-test
Docker endpoint: ssh://docker-test
Docker context: test-ubuntu
Backend API: http://192.168.200.61:8080/api/v1
Backend gateway: ws://192.168.200.61:8080/api/v1/gateway/ws
```

Current live/smoke containers:

| Container | Image | Role |
| --- | --- | --- |
| `rap_backend_smoke` | `rap-backend-smoke:stage5-2-download` | backend control plane |
| `rap_worker_smoke` | `rap-rdp-worker:stage5-2-download` | accepted RDP Adapter worker baseline plus runtime-proven Stage 5.2 core download path |
| `rap_postgres` | `postgres:16` | source-of-truth database |
| `rap_redis` | `redis:7` | live coordination/routing |

Current Windows client endpoints:

```json
{
  "api_base_url": "http://192.168.200.61:8080/api/v1",
  "gateway_websocket_url": "ws://192.168.200.61:8080/api/v1/gateway/ws",
  "prefer_direct_data_plane": true,
  "direct_data_plane_connect_timeout_ms": 2500,
  "direct_data_plane_color_mode": "full_color",
  "direct_data_plane_platform_ca_bundle": "artifacts/p3-5-platform-ca.crt",
  "environment": "production",
  "allow_insecure_direct_data_plane_tls_for_smoke": false
}
```

## Build And Probe Snapshot

Commands run during P0:

```powershell
go test ./...
dotnet build .\clients\windows\RemoteAccessPlatform.Windows.slnx
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-region-repair rdp-worker-graphics-adapter-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-region-repair rdp-worker-cursor-adapter-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-region-repair rdp-worker-service-adapter-protocol-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-region-repair rdp-worker-dataplane-bind-probe --scenario valid
```

Additional accepted P1 baseline checks:

```powershell
go test ./...
dotnet build .\clients\windows\RemoteAccessPlatform.Windows.slnx
docker -H ssh://docker-test build --tag rap-rdp-worker:rdp-p1-region-order2 --file workers/rdp-worker/Dockerfile workers/rdp-worker
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-p1-region-order2 rdp-worker-graphics-adapter-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-p1-region-order2 rdp-worker-cursor-adapter-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-p1-region-order2 rdp-worker-service-adapter-protocol-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-p1-region-order2 rdp-worker-dataplane-bind-probe --scenario valid
```

Results:

| Check | Result | Notes |
| --- | --- | --- |
| Backend `go test ./...` | PASS | Most packages still have no test files |
| Windows solution build | PASS | 0 warnings, 0 errors |
| Worker graphics adapter probe | PASS | `graphics_adapter_probe ok` |
| Worker cursor adapter probe | PASS | `cursor_adapter_probe ok` |
| Worker service adapter protocol probe | PASS | channel model prints successfully |
| Worker direct bind valid probe | PASS | `PASS scenario=valid` |
| P1 worker image build | PASS | `rap-rdp-worker:rdp-p1-region-order2` |
| P1 worker probes | PASS | graphics, cursor, protocol, direct bind |
| P1 smoke-worker deployment | PASS | `rap_worker_smoke` online on test Docker |
| P3 backend secret guard tests | PASS | production plaintext metadata rejected; dev/smoke allowed |
| P3 data-plane policy test | PASS | allowed channels follow clipboard/file-transfer policy |
| P3 worker bind denial probes | PASS | wrong worker/user/org/resource/attachment/channels/state rejected |
| P3.3 production secret smoke | PASS | secret-backed RDP resource starts real session on test stand |
| P3.3 production fallback smoke | PASS | production backend omits smoke-only direct WSS candidate |
| P3.3 dev/smoke direct candidate | PASS | direct candidate is `smoke_only=true`, not production trusted |
| P3.4 production WSS trust design | PASS | platform CA, certificate lifecycle, app-local trust, smoke plan documented |
| P3.5 app-local platform CA smoke | PASS | direct worker WSS selected without insecure TLS bypass; unknown CA and smoke-only production fallback proved |
| P3.6 stale worker event idempotency | PASS | backend restart survives stale Redis worker events; terminal PostgreSQL sessions stay terminal |
| Stage 5.2 file download build | PASS | backend/worker/client build |
| Stage 5.2 core download runtime | PASS | direct worker WSS and backend gateway text/binary size/hash; policy block for disabled/client_to_server |
| Stage 5.2 download lifecycle blocking | PASS | detach blocks, old-controller takeover returns `session.taken_over`, worker failure marks session `failed` and closes direct WS |

Important limitation:

- this snapshot does not replace a live manual RDP smoke pass
- the repository directory used for this audit is not currently a Git checkout, so commit-level provenance is unavailable here

## Feature Matrix

| Area | Status | Current proof level | Next action |
| --- | --- | --- | --- |
| Backend foundation | Implemented | build/test PASS | expand automated tests |
| Auth/refresh/devices | Implemented | previous runtime proof | add regression tests |
| Organization scope | Implemented | previous hardening pass | add cross-org tests |
| Session lifecycle | Implemented | live-proven | protect from regression |
| Worker registration/leases | Implemented | live-proven | protect from regression |
| Worker-death recovery | Implemented | live-proven | add automated smoke |
| Structured messaging/localization | Implemented | runtime-proven | protect from regression |
| Direct worker WSS | Implemented | live-proven | preserve |
| Backend gateway fallback | Implemented | smoke-proven | preserve |
| Binary direct render | Implemented | smoke-proven | preserve |
| RDP region-first render | Implemented | live/manual usable | harden artifacts |
| Direct attach baseline | Implemented | current baseline | preserve |
| Region-loss repair | Implemented | current baseline | diagnose remaining artifacts |
| Ordered region delivery | Implemented | manual visual smoke accepted | protect |
| RDPGFX | Gated only | default path smoke-proven | keep disabled |
| Keyboard/mouse input | Implemented | manually usable | protect |
| Cursor updates | Implemented | probe/smoke-proven | protect |
| Text clipboard | Implemented | accepted | protect |
| File upload | Implemented | accepted to worker storage | protect |
| Restricted drive visibility | Implemented | runtime-proven via `RAP_Transfers` | protect |
| File download | Implemented | core data path and lifecycle blocking runtime-proven; desktop UI proof pending | prove remaining UI next |
| Resource secret readiness | Guard implemented | backend tests PASS | protect |
| Encrypted secret resolver | MVP implemented | live smoke PASS on test stand | harden KMS/rotation later |
| Direct worker WSS TLS/PKI guard | Guard implemented | production platform CA smoke PASS | preserve |
| Stale worker event restart safety | Implemented | runtime smoke PASS | protect |
| Node-agent runtime | Not implemented | control-plane foundation only | future |
| Mesh/VPN/runtime | Not implemented | target architecture only | future |
| SSH/VNC adapters | Not implemented | none | future after RDP |

## RDP Baseline

Current accepted RDP worker image:

```text
rap-rdp-worker:rdp-p1-region-order2
```

Previous accepted baseline image:

```text
rap-rdp-worker:rdp-region-repair
```

Current RDP render model:

- classic FreeRDP/GDI region-first BGRA path
- direct worker WSS binary `RAP2` frames
- backend gateway JSON/base64 fallback
- full frame on connect/attach/baseline/recovery/fallback repair
- dirty region updates as normal display path
- cursor as independent latest-only channel
- input highest priority
- clipboard and file upload reliable/policy-gated

Current RDP known limitation:

- window drag uses old-client/slow-link style frame-only movement; repaint after releasing a moved window is usable but not yet polished

Current accepted P1 behavior:

- dirty-region updates are preserved in-order through `SessionRuntime`, worker direct WSS, Windows transport, and WPF presenter queues
- full frames still supersede pending region queues
- worker direct region queue overflow requests throttled full-frame repair
- client logs region sequence gaps and regions received before a baseline
- manual visual smoke accepted idle repaint, Start menu/hover, drag usability, keyboard, mouse, and session close

Current RDP non-goals:

- no DP-3B adaptive quality yet
- no compression/codecs/tiles yet
- no RDPGFX default enable
- no full Stage 5.2 desktop UI acceptance yet
- no UI redesign
- no backend/session lifecycle rewrite

## Documentation Truth Status

Updated during P0:

- `README.md`
- `README_START_HERE.md`
- `docs/codex/CURRENT_STATUS.md`
- `docs/codex/NEXT_STEP_PROMPT.md`
- `clients/windows/README.md`
- `workers/rdp-worker/README.md`
- `docs/architecture/DATA_PLANE_V1.md`
- `docs/architecture/RDP_ADAPTER_RUNTIME.md`
- `docs/architecture/RDP_SERVICE_CPP_PERFORMANCE_TARGET.md`
- `docs/architecture/RDP_FILE_DOWNLOAD_STAGE_5_2.md`
- `docs/audits/CURRENT_BASELINE_MATRIX.md`

Current authoritative audit:

- `docs/audits/PROJECT_AUDIT_2026-04-26.md`

Legacy warning:

- `docs/_legacy_v1` is historical reference only and must not be used for implementation decisions

## Correct Next Step

Proceed with Stage 5.2 remaining live runtime proof - Server-to-Client File Download:

- keep `rap-backend-smoke:stage5-2-download` and `rap-rdp-worker:stage5-2-download` deployed on `docker-test`
- prove Windows desktop UI download for files placed in `RAP_Transfers\ToClient`
- prove rendering/input/clipboard/upload/reconnect/takeover regressions
- keep backend gateway fallback active
- do not start arbitrary remote path download, SMB/WebDAV, Windows agent, binary file chunk frames, DP-3B, mesh/VPN, node-agent runtime, or new adapters