# Remote Access Platform Production-oriented Secure Access Fabric platform. The project started as an RDP proxy, but the target architecture is broader: - multi-tenant control plane - direct realtime data plane - service adapters for RDP now and VNC/SSH/VPN/file/video later - native Access Clients - future secure mesh / node-agent / updater / connector model RDP is the first proven service baseline. RDP work is currently paused by product decision while the project moves to the Secure Access Fabric platform-core foundation: clusters, node enrollment, node-agent identity, role assignments, and platform administration. ## Current Baseline - Backend: Go control plane with PostgreSQL as source of truth and Redis for live coordination/routing only. - Worker: active C++ RDP Adapter worker based on FreeRDP. - Windows client: C# / WPF native Access Client. - Data plane: direct worker WSS for realtime RDP when available, backend WebSocket gateway retained as fallback/debug. - Current test Docker host: `docker-test` / `192.168.200.61`. - Current test Docker deployment for Stage 5.2 proof: `rap-backend-smoke:stage5-2-download` and `rap-rdp-worker:stage5-2-download`. See the current audit and baseline matrix before starting new work: - `docs/audits/PROJECT_AUDIT_2026-04-26.md` - `docs/audits/CURRENT_BASELINE_MATRIX.md` ## Proven RDP Capabilities - real RDP connect through worker - active/detach/reattach/takeover/terminate lifecycle - takeover without remote session recreation - worker-death/orphan-active-session recovery - direct worker WSS data plane - binary direct render frames - backend gateway JSON/base64 fallback - Windows client rendering and input - text clipboard with policy enforcement - client-to-server file upload into controlled worker storage - restricted transfer-drive visibility through `RAP_Transfers`, runtime-proven - server-to-client file download implementation through `RAP_Transfers\ToClient`; core direct/fallback data path is runtime-proven, lifecycle blocking is runtime-proven, and manual desktop UI acceptance remains pending ## Repository Structure - `backend/` - Go control plane - `workers/rdp-worker/` - active C++ RDP Adapter worker - `workers/rdp-service-csharp/` - inactive research scaffold, not current runtime - `clients/windows/` - Windows native Access Client - `docs/architecture/` - target and staged architecture documents - `docs/codex/` - current Codex status and next-step prompts - `docs/audits/` - current audits and baseline matrices - `scripts/` - smoke and helper scripts - `deploy/` - deployment assets - `web-admin/` - future/admin UI area ## Read Order 1. `CODEX_CONTEXT.md` 2. `docs/audits/PROJECT_AUDIT_2026-04-26.md` 3. `docs/audits/CURRENT_BASELINE_MATRIX.md` 4. `docs/codex/CURRENT_STATUS.md` 5. `docs/codex/ARCHITECTURE_GUARDRAILS.md` 6. `docs/architecture/RDP_ADAPTER_RUNTIME.md` 7. `docs/architecture/DATA_PLANE_V1.md` 8. `docs/architecture/CLUSTER_NODE_ADMIN_FOUNDATION.md` 9. `docs/codex/NEXT_STEP_PROMPT.md` Do not use `docs/_legacy_v1` for implementation decisions. Legacy files are historical reference only. ## Current Next Step RDP work is paused. Platform-core stages C1-C9 are implemented and verified: cluster/node model foundation, node enrollment hardening, native `rap-node-agent` MVP, Platform Admin Console MVP, service workload supervision contract, mesh control-plane preparation, Mesh MVP skeleton, multi-cluster hardening, and organization admin foundation. Planning baseline: - `docs/architecture/CLUSTER_NODE_ADMIN_FOUNDATION.md` - `artifacts/c1-cluster-node-foundation-report.md` - `artifacts/c2-node-enrollment-hardening-report.md` - `artifacts/c3-rap-node-agent-mvp-report.md` - `artifacts/c4-platform-admin-console-report.md` - `artifacts/c5-service-workload-supervision-contract-report.md` - `artifacts/c6-mesh-control-plane-preparation-report.md` - `artifacts/c7-mesh-mvp-skeleton-report.md` - `artifacts/c8-multi-cluster-hardening-report.md` - `artifacts/c9-organization-admin-foundation-report.md` Stage C1 implemented the backend foundation for: - explicit clusters - cluster memberships - node join tokens with hashed tokens only - node join requests - node identity/certificate metadata - node role assignments - node heartbeat/latest health - cluster audit events - safe migration/backfill of existing node data into a default cluster Recommended next step is a decision between platform auth hardening for web-admin, node PKI hardening, node-agent runtime hardening, mesh runtime DP-0, or returning to paused RDP work. Do not start all continuation paths at once.