# Final platform technical direction (summary)

## Product definition

A distributed secure access platform with:

- multi-tenant organizations
- proven persistent session broker for RDP
- cluster of platform-managed and customer-managed nodes
- node-agent based service fabric
- connector/VPN layer
- future split/full tunnel capability
- future collaboration extensions

## Main top-level domains

### Platform

Owns:

- global policies
- cluster control plane
- platform admins
- node trust
- artifact signing and update policy
- disaster recovery authority

### Organization

Owns:

- users
- groups
- organization admins
- identity sources
- resources
- policies
- connectors
- audits
- quotas
- domains / branding (later)

### Node

Has:

- node identity
- ownership type (platform-managed, customer-managed)
- capabilities
- enabled services
- health
- update policy
- version state
- partition state

### Node Agent

Small, stable agent that:

- keeps running
- supervises services
- downloads signed updates
- verifies integrity
- restarts crashed services
- rolls back if needed
- reports health

### Connector

Reusable network access method:

- direct
- VPN
- relay-backed
- future egress mode

Bound to resources by policy, not duplicated blindly per server.

### Session broker

Already proven for RDP persistent lifecycle.
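The Node and Node Agent rules above (ownership type, signed updates, integrity verification, rollback) can be made concrete in a small control-plane model. The following Go program is an added example written for this summary, not code from the platform itself. It assumes ed25519 as the artifact signing scheme, assumes the capability names `ingress`, `connector` and `egress`, and uses constructed sample data; the join rule it enforces is that a customer-managed node is admitted scoped to its organization and never with cluster-global trust, and the agent installs only artifacts whose signature verifies, rolling back when the post-install health probe fails.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Ownership mirrors the node's ownership type from the Node domain.
type Ownership int

const (
	PlatformManaged Ownership = iota
	CustomerManaged
)

type Node struct {
	ID              string
	Ownership       Ownership
	OrgID           string   // scoping organization for customer-managed nodes
	Capabilities    []string // assumed names: "ingress", "connector", "egress"
	TrustedGlobally bool     // cluster-global trust; granted only by the platform
}

var ErrUnscopedNode = errors.New("customer-managed node must be scoped to an organization")

// AdmitNode applies the join rule: a customer-managed node is admitted scoped
// to its organization and never keeps cluster-global trust, whatever the join
// request claimed. Platform-managed nodes pass through as the platform set them.
func AdmitNode(req Node) (Node, error) {
	if req.Ownership == CustomerManaged {
		if req.OrgID == "" {
			return Node{}, ErrUnscopedNode
		}
		req.TrustedGlobally = false
	}
	return req, nil
}

// MayServe reports whether n can provide function fn for orgID: platform-managed
// nodes may serve any organization, customer-managed nodes only their own.
func MayServe(n Node, orgID, fn string) bool {
	has := false
	for _, c := range n.Capabilities {
		if c == fn {
			has = true
		}
	}
	if !has {
		return false
	}
	return n.Ownership == PlatformManaged || n.OrgID == orgID
}

// Artifact is a versioned service bundle signed with the platform release key.
// The signature covers "version\n" followed by sha256(payload), so neither the
// bytes nor the version label can be swapped independently.
type Artifact struct {
	Version   string
	Payload   []byte
	Signature []byte
}

func signingInput(version string, payload []byte) []byte {
	d := sha256.Sum256(payload)
	return append([]byte(version+"\n"), d[:]...)
}

func SignArtifact(priv ed25519.PrivateKey, version string, payload []byte) Artifact {
	return Artifact{Version: version, Payload: payload,
		Signature: ed25519.Sign(priv, signingInput(version, payload))}
}

// VerifyArtifact is the node agent's integrity check before installation.
func VerifyArtifact(pub ed25519.PublicKey, a Artifact) error {
	if !ed25519.Verify(pub, signingInput(a.Version, a.Payload), a.Signature) {
		return errors.New("artifact signature invalid for " + a.Version)
	}
	return nil
}

// Agent keeps the running and previous versions so a failed rollout can be undone.
type Agent struct {
	ReleaseKey ed25519.PublicKey
	Current    string
	Previous   string
}

// ApplyUpdate verifies, installs, runs the health probe and rolls back on failure.
func (ag *Agent) ApplyUpdate(a Artifact, healthy func(version string) bool) error {
	if err := VerifyArtifact(ag.ReleaseKey, a); err != nil {
		return err // an unsigned or tampered bundle is never installed
	}
	prev := ag.Current
	ag.Current = a.Version
	if !healthy(ag.Current) {
		ag.Current = prev // roll back; Previous is left as it was
		return fmt.Errorf("%s failed health check, rolled back to %s", a.Version, prev)
	}
	ag.Previous = prev
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed release key
	ag := &Agent{ReleaseKey: pub, Current: "1.0.0"}
	good := SignArtifact(priv, "1.1.0", []byte("constructed bundle bytes"))
	fmt.Println(ag.ApplyUpdate(good, func(string) bool { return true }), ag.Current)
}
```

The health probe is passed in as a function so the same agent logic serves a canary node (probe reports real service health) and a dry run; in a real agent the rollback branch would also restart the previous service binary, which this model only records.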
## Mandatory capabilities

### Multi-tenant

- org isolation
- organization memberships
- user may belong to multiple organizations
- clear org switching UX later
- org admins only see their org

### Identity federation

- local accounts
- LDAP / AD
- OIDC
- group/claim mapping to access

### Resource authorization

- local manual mapping
- external group / claim driven mapping
- feature scopes:
  - RDP only
  - connector/VPN only
  - both
  - future scopes

### Cluster behavior

- dynamic membership
- encrypted inter-node communication
- no mandatory single center
- quorum-based authority
- degraded / recovery / isolated modes
- manual partition promotion only by highly privileged recovery admin
- multi-hop route support
- not every node needs full mesh

### Updates

- signed artifacts
- canary rollout
- staged rollout
- rollback
- thin node vs artifact-cache node

### Customer-managed nodes

- can join common cluster
- can be scoped to their organization
- can serve ingress / connector / egress functions for that organization
- must not automatically become cluster-global trusted nodes

## What to implement first

- organization model
- memberships and roles
- org-scoped resource model
- identity source model
- node and node-agent control plane model
- service capabilities / enabled services model

## What to delay

- full mesh engine
- full connector scheduler
- internet exit mode
- collaboration/video meetings
- heavy media routing
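The multi-tenant, identity federation and resource authorization requirements above, together with the "organization model, memberships and roles, org-scoped resource model" items in the implement-first list, fit one small authorization model. The Go program below is an added example written for this summary, not the platform's own code. It assumes the role names `admin` and `member`, assumes a `groups` claim as the external identity attribute, and uses constructed sample tenants and users. The point it demonstrates is that membership in the organization is checked before any grant is consulted, so a group claim that would grant access in one tenant never grants anything in another, and that an org admin's view is limited to the organizations they administer.

```go
package main

import (
	"errors"
	"fmt"
)

// FeatureScope is a bit set of what a grant permits on a resource.
type FeatureScope uint8

const (
	ScopeRDP       FeatureScope = 1 << iota // RDP only
	ScopeConnector                          // connector/VPN only
	ScopeBoth      = ScopeRDP | ScopeConnector
)

// Membership binds a user to one organization with a role; a user may hold
// memberships in several organizations.
type Membership struct {
	OrgID string
	Role  string // assumed role names: "admin" or "member"
}

type User struct {
	ID          string
	Memberships []Membership
	Claims      map[string][]string // e.g. "groups" from OIDC or LDAP/AD
}

// Resource is owned by exactly one organization.
type Resource struct {
	ID    string
	OrgID string
}

// Grant maps either a specific user (local manual mapping) or an external
// claim value (group/claim-driven mapping) to scopes on one resource.
type Grant struct {
	ResourceID string
	UserID     string // manual mapping when non-empty
	ClaimKey   string // external mapping when non-empty
	ClaimValue string
	Scopes     FeatureScope
}

type Org struct {
	ID        string
	Resources map[string]Resource
	Grants    []Grant
}

var (
	ErrNotMember  = errors.New("user is not a member of this organization")
	ErrNoResource = errors.New("resource does not belong to this organization")
)

func (u User) roleIn(orgID string) (string, bool) {
	for _, m := range u.Memberships {
		if m.OrgID == orgID {
			return m.Role, true
		}
	}
	return "", false
}

func (u User) hasClaim(key, value string) bool {
	for _, v := range u.Claims[key] {
		if v == value {
			return true
		}
	}
	return false
}

// Authorize returns the feature scopes u holds on resourceID inside org.
// Membership is checked first so grants can never leak across tenants.
func Authorize(org Org, u User, resourceID string) (FeatureScope, error) {
	if _, ok := u.roleIn(org.ID); !ok {
		return 0, ErrNotMember
	}
	res, ok := org.Resources[resourceID]
	if !ok || res.OrgID != org.ID {
		return 0, ErrNoResource
	}
	var scopes FeatureScope
	for _, g := range org.Grants {
		if g.ResourceID != res.ID {
			continue
		}
		if (g.UserID != "" && g.UserID == u.ID) ||
			(g.ClaimKey != "" && u.hasClaim(g.ClaimKey, g.ClaimValue)) {
			scopes |= g.Scopes
		}
	}
	return scopes, nil
}

// AdminVisibleOrgs lists the organizations u administers; org admins only
// ever see their own organization(s).
func AdminVisibleOrgs(u User, all map[string]Org) []string {
	var out []string
	for _, m := range u.Memberships {
		if _, exists := all[m.OrgID]; exists && m.Role == "admin" {
			out = append(out, m.OrgID)
		}
	}
	return out
}

// SampleDeployment builds constructed data: two tenants, three users. The
// group "acme-helpdesk" is granted RDP in acme, but carol, who carries that
// claim without an acme membership, gets nothing there.
func SampleDeployment() (map[string]Org, map[string]User) {
	acme := Org{ID: "acme",
		Resources: map[string]Resource{"acme-rdp-1": {ID: "acme-rdp-1", OrgID: "acme"}},
		Grants: []Grant{
			{ResourceID: "acme-rdp-1", UserID: "alice", Scopes: ScopeBoth},
			{ResourceID: "acme-rdp-1", ClaimKey: "groups", ClaimValue: "acme-helpdesk", Scopes: ScopeRDP}}}
	beta := Org{ID: "beta",
		Resources: map[string]Resource{"beta-vpn-1": {ID: "beta-vpn-1", OrgID: "beta"}},
		Grants: []Grant{{ResourceID: "beta-vpn-1", UserID: "carol", Scopes: ScopeConnector}}}
	groups := map[string][]string{"groups": {"acme-helpdesk"}}
	users := map[string]User{
		"alice": {ID: "alice", Memberships: []Membership{{OrgID: "acme", Role: "admin"}, {OrgID: "beta", Role: "member"}}},
		"bob":   {ID: "bob", Memberships: []Membership{{OrgID: "acme", Role: "member"}}, Claims: groups},
		"carol": {ID: "carol", Memberships: []Membership{{OrgID: "beta", Role: "admin"}}, Claims: groups},
	}
	return map[string]Org{"acme": acme, "beta": beta}, users
}

func main() {
	orgs, users := SampleDeployment()
	for _, name := range []string{"alice", "bob", "carol"} {
		s, err := Authorize(orgs["acme"], users[name], "acme-rdp-1")
		fmt.Printf("%s on acme-rdp-1: scopes=%02b err=%v\n", name, s, err)
	}
}
```

Grants are stored per organization and the resource lookup goes through that organization's own table, so an org-scoped resource model falls out of the data layout rather than relying on every caller to filter by tenant.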