rdp-proxy/docs/audits/CURRENT_BASELINE_MATRIX.md
m 20d361a886
working version, but speed is 10 Mbit
2026-05-22 21:46:49 +03:00


Current Baseline Matrix

Date: 2026-04-26

Purpose: single operational snapshot of the current project baseline. This file is not a target architecture document. It describes what is currently proven, what is merely implemented, and what remains unproven.

Environment

Canonical test environment:

Docker host: 192.168.200.61
SSH alias: docker-test
Docker endpoint: ssh://docker-test
Docker context: test-ubuntu
Backend API: http://192.168.200.61:8080/api/v1
Backend gateway: ws://192.168.200.61:8080/api/v1/gateway/ws

Current live/smoke containers:

| Container | Image | Role |
|---|---|---|
| rap_backend_smoke | rap-backend-smoke:stage5-2-download | backend control plane |
| rap_worker_smoke | rap-rdp-worker:stage5-2-download | accepted RDP Adapter worker baseline plus runtime-proven Stage 5.2 core download path |
| rap_postgres | postgres:16 | source-of-truth database |
| rap_redis | redis:7 | live coordination/routing |

Current Windows client endpoints:

{
  "api_base_url": "http://192.168.200.61:8080/api/v1",
  "gateway_websocket_url": "ws://192.168.200.61:8080/api/v1/gateway/ws",
  "prefer_direct_data_plane": true,
  "direct_data_plane_connect_timeout_ms": 2500,
  "direct_data_plane_color_mode": "full_color",
  "direct_data_plane_platform_ca_bundle": "artifacts/p3-5-platform-ca.crt",
  "environment": "production",
  "allow_insecure_direct_data_plane_tls_for_smoke": false
}
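
The settings above combine `environment`, the platform CA bundle and the insecure-TLS switch, and the results in this file record that production must not trust a smoke-only direct candidate. The following is an added example, not code from this repository, of a guard that enforces that combination when choosing between direct worker WSS and the backend gateway. The `Candidate` type, the kind labels `direct_wss` and `gateway`, and the rule that non-production environments accept smoke-only candidates are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ClientConfig holds the TLS-relevant fields of the client settings shown above.
type ClientConfig struct {
	Environment   string `json:"environment"`
	PreferDirect  bool   `json:"prefer_direct_data_plane"`
	CABundle      string `json:"direct_data_plane_platform_ca_bundle"`
	AllowInsecure bool   `json:"allow_insecure_direct_data_plane_tls_for_smoke"`
}

// Candidate is a hypothetical shape for a data-plane endpoint offered by the backend.
type Candidate struct {
	Kind      string // "direct_wss" or "gateway" (assumed labels)
	SmokeOnly bool   // models the smoke_only=true marker
}

// SelectDataPlane picks a transport. In production a direct candidate is trusted
// only when a CA bundle is configured and the candidate is not smoke-only.
func SelectDataPlane(raw []byte, offered []Candidate) (string, error) {
	var cfg ClientConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return "", fmt.Errorf("parse config: %w", err)
	}
	prod := cfg.Environment == "production"
	if prod && cfg.AllowInsecure {
		return "", errors.New("insecure direct TLS bypass enabled in production")
	}
	for _, c := range offered {
		trusted := !prod || (!c.SmokeOnly && cfg.CABundle != "")
		if cfg.PreferDirect && c.Kind == "direct_wss" && trusted {
			return c.Kind, nil
		}
	}
	for _, c := range offered {
		if c.Kind == "gateway" {
			return c.Kind, nil // backend gateway fallback
		}
	}
	return "", errors.New("no usable data-plane candidate")
}

func main() {
	cfg := []byte(`{"environment":"production","prefer_direct_data_plane":true}`) // constructed
	fmt.Println(SelectDataPlane(cfg, []Candidate{{"direct_wss", true}, {"gateway", false}}))
}
```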

Build And Probe Snapshot

Commands run during P0:

go test ./...
dotnet build .\clients\windows\RemoteAccessPlatform.Windows.slnx
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-region-repair rdp-worker-graphics-adapter-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-region-repair rdp-worker-cursor-adapter-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-region-repair rdp-worker-service-adapter-protocol-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-region-repair rdp-worker-dataplane-bind-probe --scenario valid

Additional accepted P1 baseline checks:

go test ./...
dotnet build .\clients\windows\RemoteAccessPlatform.Windows.slnx
docker -H ssh://docker-test build --tag rap-rdp-worker:rdp-p1-region-order2 --file workers/rdp-worker/Dockerfile workers/rdp-worker
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-p1-region-order2 rdp-worker-graphics-adapter-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-p1-region-order2 rdp-worker-cursor-adapter-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-p1-region-order2 rdp-worker-service-adapter-protocol-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-p1-region-order2 rdp-worker-dataplane-bind-probe --scenario valid

Results:

| Check | Result | Notes |
|---|---|---|
| Backend go test ./... | PASS | Most packages still have no test files |
| Windows solution build | PASS | 0 warnings, 0 errors |
| Worker graphics adapter probe | PASS | graphics_adapter_probe ok |
| Worker cursor adapter probe | PASS | cursor_adapter_probe ok |
| Worker service adapter protocol probe | PASS | channel model prints successfully |
| Worker direct bind valid probe | PASS | PASS scenario=valid |
| P1 worker image build | PASS | rap-rdp-worker:rdp-p1-region-order2 |
| P1 worker probes | PASS | graphics, cursor, protocol, direct bind |
| P1 smoke-worker deployment | PASS | rap_worker_smoke online on test Docker |
| P3 backend secret guard tests | PASS | production plaintext metadata rejected; dev/smoke allowed |
| P3 data-plane policy test | PASS | allowed channels follow clipboard/file-transfer policy |
| P3 worker bind denial probes | PASS | wrong worker/user/org/resource/attachment/channels/state rejected |
| P3.3 production secret smoke | PASS | secret-backed RDP resource starts real session on test stand |
| P3.3 production fallback smoke | PASS | production backend omits smoke-only direct WSS candidate |
| P3.3 dev/smoke direct candidate | PASS | direct candidate is smoke_only=true, not production trusted |
| P3.4 production WSS trust design | PASS | platform CA, certificate lifecycle, app-local trust, smoke plan documented |
| P3.5 app-local platform CA smoke | PASS | direct worker WSS selected without insecure TLS bypass; unknown CA and smoke-only production fallback proved |
| P3.6 stale worker event idempotency | PASS | backend restart survives stale Redis worker events; terminal PostgreSQL sessions stay terminal |
| Stage 5.2 file download build | PASS | backend/worker/client build |
| Stage 5.2 core download runtime | PASS | direct worker WSS and backend gateway text/binary size/hash; policy block for disabled/client_to_server |
| Stage 5.2 download lifecycle blocking | PASS | detach blocks, old-controller takeover returns session.taken_over, worker failure marks session failed and closes direct WS |

Important limitation:

  • this snapshot does not replace a live manual RDP smoke pass
  • the repository directory used for this audit is not currently a Git checkout, so commit-level provenance is unavailable here

Feature Matrix

| Area | Status | Current proof level | Next action |
|---|---|---|---|
| Backend foundation | Implemented | build/test PASS | expand automated tests |
| Auth/refresh/devices | Implemented | previous runtime proof | add regression tests |
| Organization scope | Implemented | previous hardening pass | add cross-org tests |
| Session lifecycle | Implemented | live-proven | protect from regression |
| Worker registration/leases | Implemented | live-proven | protect from regression |
| Worker-death recovery | Implemented | live-proven | add automated smoke |
| Structured messaging/localization | Implemented | runtime-proven | protect from regression |
| Direct worker WSS | Implemented | live-proven | preserve |
| Backend gateway fallback | Implemented | smoke-proven | preserve |
| Binary direct render | Implemented | smoke-proven | preserve |
| RDP region-first render | Implemented | live/manual usable | harden artifacts |
| Direct attach baseline | Implemented | current baseline | preserve |
| Region-loss repair | Implemented | current baseline | diagnose remaining artifacts |
| Ordered region delivery | Implemented | manual visual smoke accepted | protect |
| RDPGFX | Gated only | default path smoke-proven | keep disabled |
| Keyboard/mouse input | Implemented | manually usable | protect |
| Cursor updates | Implemented | probe/smoke-proven | protect |
| Text clipboard | Implemented | accepted | protect |
| File upload | Implemented | accepted to worker storage | protect |
| Restricted drive visibility | Implemented | runtime-proven via RAP_Transfers | protect |
| File download | Implemented | core data path and lifecycle blocking runtime-proven; desktop UI proof pending | prove remaining UI next |
| Resource secret readiness | Guard implemented | backend tests PASS | protect |
| Encrypted secret resolver | MVP implemented | live smoke PASS on test stand | harden KMS/rotation later |
| Direct worker WSS TLS/PKI guard | Guard implemented | production platform CA smoke PASS | preserve |
| Stale worker event restart safety | Implemented | runtime smoke PASS | protect |
| Node-agent runtime | Not implemented | control-plane foundation only | future |
| Mesh/VPN/runtime | Not implemented | target architecture only | future |
| SSH/VNC adapters | Not implemented | none | future after RDP |

RDP Baseline

Current accepted RDP worker image:

rap-rdp-worker:rdp-p1-region-order2

Previous accepted baseline image:

rap-rdp-worker:rdp-region-repair

Current RDP render model:

  • classic FreeRDP/GDI region-first BGRA path
  • direct worker WSS binary RAP2 frames
  • backend gateway JSON/base64 fallback
  • full frame on connect/attach/baseline/recovery/fallback repair
  • dirty region updates as normal display path
  • cursor as independent latest-only channel
  • input highest priority
  • clipboard and file upload reliable/policy-gated

Current RDP known limitation:

  • window drag uses old-client/slow-link style frame-only movement; repaint after releasing a moved window is usable but not yet polished

Current accepted P1 behavior:

  • dirty-region updates are preserved in-order through SessionRuntime, worker direct WSS, Windows transport, and WPF presenter queues
  • full frames still supersede pending region queues
  • worker direct region queue overflow requests throttled full-frame repair
  • client logs region sequence gaps and regions received before a baseline
  • manual visual smoke accepted idle repaint, Start menu/hover, drag usability, keyboard, mouse, and session close
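
The queueing rules listed above (in-order regions, full frames superseding pending regions, overflow requesting a throttled repair, logging of gaps and pre-baseline regions) can be modelled in one small queue. This is an added example, not code from this repository: it merges the worker-side and client-side rules into a single type, and the `Update` shape, the per-region sequence numbering, and dropping queued updates on overflow or before a baseline are assumptions.

```go
package main

import "fmt"

// Update is a hypothetical display message: a full frame or one dirty region.
type Update struct {
	Full bool
	Seq  uint64 // assumed to increase by 1 per region; a full frame carries the current value
}

// RegionQueue is a simplified model merging the worker-side and client-side rules.
type RegionQueue struct {
	Cap           int      // queued updates allowed before overflow
	RepairEveryMs int64    // minimum spacing between full-frame repair requests
	Pending       []Update // updates waiting for the presenter, in arrival order
	Events        []string // what a real worker or client would log or request
	baseline      bool
	lastSeq       uint64
	nextRepairMs  int64 // earliest time another repair request may be sent
}

// Push applies the queueing rules to one incoming update at time nowMs.
func (q *RegionQueue) Push(u Update, nowMs int64) {
	switch {
	case u.Full: // a full frame supersedes every queued region
		q.Pending, q.baseline, q.lastSeq = []Update{u}, true, u.Seq
		return
	case !q.baseline: // a region cannot be applied without a baseline: log and drop
		q.Events = append(q.Events, fmt.Sprintf("region %d before baseline", u.Seq))
		return
	case u.Seq != q.lastSeq+1:
		q.Events = append(q.Events, fmt.Sprintf("gap: expected %d, got %d", q.lastSeq+1, u.Seq))
	}
	q.lastSeq = u.Seq
	if len(q.Pending) >= q.Cap { // overflow: drop queued updates, request a throttled repair
		q.Pending = q.Pending[:0]
		if nowMs >= q.nextRepairMs {
			q.nextRepairMs = nowMs + q.RepairEveryMs
			q.Events = append(q.Events, "request full-frame repair")
		}
		return
	}
	q.Pending = append(q.Pending, u)
}

func main() {
	q := &RegionQueue{Cap: 2, RepairEveryMs: 500}
	q.Push(Update{Seq: 1}, 0) // constructed input: a region arrives before any full frame
	fmt.Println(q.Events)
}
```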

Current RDP non-goals:

  • no DP-3B adaptive quality yet
  • no compression/codecs/tiles yet
  • no RDPGFX default enable
  • no full Stage 5.2 desktop UI acceptance yet
  • no UI redesign
  • no backend/session lifecycle rewrite

Documentation Truth Status

Updated during P0:

  • README.md
  • README_START_HERE.md
  • docs/codex/CURRENT_STATUS.md
  • docs/codex/NEXT_STEP_PROMPT.md
  • clients/windows/README.md
  • workers/rdp-worker/README.md
  • docs/architecture/DATA_PLANE_V1.md
  • docs/architecture/RDP_ADAPTER_RUNTIME.md
  • docs/architecture/RDP_SERVICE_CPP_PERFORMANCE_TARGET.md
  • docs/architecture/RDP_FILE_DOWNLOAD_STAGE_5_2.md
  • docs/audits/CURRENT_BASELINE_MATRIX.md

Current authoritative audit:

  • docs/audits/PROJECT_AUDIT_2026-04-26.md

Archive warning:

  • archived docs/_archive_v1 is historical reference only and must not be used for implementation decisions

Correct Next Step

Proceed with Stage 5.2 remaining live runtime proof - Server-to-Client File Download:

  • keep rap-backend-smoke:stage5-2-download and rap-rdp-worker:stage5-2-download deployed on docker-test
  • prove Windows desktop UI download for files placed in RAP_Transfers\ToClient
  • prove rendering/input/clipboard/upload/reconnect/takeover regressions
  • keep backend gateway fallback active
  • do not start arbitrary remote path download, SMB/WebDAV, Windows agent, binary file chunk frames, DP-3B, mesh/VPN, node-agent runtime, or new adapters