m/rdp-proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a6ee9ba26f6152c3754d38ca8f6507350c418a5c
rdp-proxy/docs/codex/CURRENT_STATUS.md
T
m 8ba0561f4f Initial project snapshot
2026-04-28 22:29:50 +03:00

2413 lines
93 KiB
Markdown
Raw Blame History

# Current Implementation Status
Date: 2026-04-28
This is the current operational status for Codex continuation. It supersedes
older prompt fragments that still describe platform-core v2, WebSocket takeover
proof, or basic Windows client work as future tasks.
## Project Identity
The project is a Secure Access Fabric platform.
Current implementation focus:
- RDP work is paused by product decision
- preserve RDP as the first proven service baseline
- keep the C++ RDP Adapter as the active runtime when RDP work resumes
- RDP-Perf-6 dirty-region direct binary rendering is completed and
build/probe/live-smoke-proven
- Product model clarified: Remote Server/Desktop Access is one managed product
service. RDP/VNC/SSH are internal adapters selected by organization resource
protocol, not separate organization-facing cluster services.
- preserve the proven backend/session/worker lifecycle
- preserve direct worker WSS and backend gateway fallback
- Stage C10 Fabric Core documentation consolidation and scoped cluster
configuration distribution design is completed.
- Stage C11 signed scoped cluster snapshot model is completed.
- Stage C12 node local state store is completed.
- Stage C13 Fabric Storage / Config Storage service foundation is completed.
- Stage C14 peer directory and cache model is completed.
- Stage C15 Fabric Routing Engine skeleton is completed.
- Stage C16 secure node-to-node channel lifecycle is completed.
- Stage C17 planning is completed.
- Stage C17A synthetic mesh runtime skeleton is implemented and test-proven.
- Stage C17B route health and failover probe skeleton is implemented and
test-proven.
- Stage C17C relay semantic hardening skeleton is implemented and test-proven.
- Stage C17D non-production synthetic test-service path experiment is
implemented and test-proven.
- Stage C17E live node-to-node synthetic HTTP transport skeleton is
implemented, build-proven, and smoke-proven. It remains disabled by default
and carries synthetic traffic only.
- Stage C17F scoped synthetic peer/route config loading and route-health
reporting is implemented, build-proven, and smoke-proven. It remains
synthetic-only and does not enable production mesh traffic.
- Stage C17G Control Plane scoped synthetic config read boundary is
implemented and backend/node-agent-test-proven. It remains synthetic-only and
does not enable production mesh traffic.
- Stage C17H deployed multi-agent synthetic config smoke is implemented and
runtime-proven on `docker-test`. Five running `rap-node-agent` containers
consume backend-issued node-scoped synthetic config, direct and single-relay
synthetic route-health observations return to the Control Plane, and
production forwarding remains disabled.
- Stage C17I production forwarding gate foundation is implemented and
test-proven. `rap-node-agent` now has an explicit
`RAP_MESH_PRODUCTION_FORWARDING_ENABLED` gate, but `/mesh/v1/forward` still
does not forward production payloads without a later approved runtime stage.
- Stage C17J production envelope contract is implemented and test-proven.
`/mesh/v1/forward` validates route-bound production envelopes when the gate
is enabled, accepts only `fabric_control` / `fabric.control` for this stage,
rejects service channels, and still does not forward payloads.
- Stage C17K production envelope observation is implemented and test-proven.
Valid production envelopes can be observed locally as metadata-only records
after validation; rejected envelopes are not observed, observation failure
fails closed, and payloads are still not forwarded.
- Stage C17L bounded production observation sink is implemented and
test-proven. Accepted metadata-only production envelope observations can be
retained locally with fixed capacity and oldest-entry drop behavior; payload
bodies are not stored and payloads are still not forwarded.
- Stage C17M production observation sink wiring is implemented and
test-proven. `rap-node-agent` can wire the bounded local metadata-only sink
when `RAP_MESH_PRODUCTION_OBSERVATION_SINK_CAPACITY` is explicitly greater
than zero; the wiring is disabled by default, exposes no read API, stores no
payload bodies, and payloads are still not forwarded.
- Stage C17N production observation sink metrics are implemented and
test-proven. Local sink metrics expose only capacity, current depth, accepted
total, and dropped-oldest total; they expose no observation records, route
IDs, message IDs, hashes, payload metadata, or payload bodies.
- Stage C17O production observation sink local metrics logging is implemented
and test-proven. `rap-node-agent` logs aggregate sink metrics locally when
the sink is explicitly enabled; this adds no read API, no Control Plane
reporting, no payload storage, and no forwarding.
- Stage C17P production observation sink change-driven metrics logging is
implemented and test-proven. `rap-node-agent` suppresses repeated identical
local sink metrics logs; this adds no read API, no Control Plane reporting,
no payload storage, and no forwarding.
- Stage C17Q production forwarding gate/runtime log boundary is implemented
and test-proven. `rap-node-agent` logs production forwarding gate state
separately from production forwarding runtime state; runtime state remains
false and forwarding remains unavailable.
- Stage C17R production observation sink capacity guard is implemented and
test-proven. `RAP_MESH_PRODUCTION_OBSERVATION_SINK_CAPACITY` remains
disabled by default, rejects negative values, and rejects values above
`10000`.
- Stage C17S production observation panic fail-closed hardening is implemented
and test-proven. Observer errors and observer panics both fail closed as
observation failure; forwarding remains unavailable.
- Stage C17T production envelope payload boundary is implemented and
test-proven. Validated production `fabric.control` envelope payloads are
bounded to `4096` bytes, and oversized envelopes are rejected before
observation.
- Stage C17U production envelope created-at skew boundary is implemented and
test-proven. Validated production `fabric.control` envelopes whose
`created_at` is more than one minute in the future are rejected before
observation.
- Stage C17V peer endpoint candidate model and NAT/connectivity hints are
implemented and test-proven. Node-scoped synthetic mesh config now carries
route-scoped endpoint candidates with transport, address, reachability, NAT
type, connectivity mode, priority, policy tags, verification time, and
metadata. This does not implement production route scoring, NAT traversal,
shortcut routing, or forwarding runtime.
- Stage C17W peer endpoint candidate scoring model is implemented and
test-proven. `rap-node-agent` can deterministically rank already-scoped
endpoint candidates using soft inputs, but this does not open connections,
choose production routes, or forward payloads.
- Stage C17X health-aware endpoint candidate scoring overlay is implemented
and test-proven. Candidate scoring can optionally use local health
observations keyed by `endpoint_id`, including latency, success/failure
history, recent failure reason, reliability score, and observation freshness.
This remains advisory scoring only.
- Stage C17Y Platform Owner synthetic mesh visibility is implemented and
build/test-proven. `web-admin` now reads node-scoped synthetic mesh config
and shows config enabled state, route counts, peer endpoints, endpoint
candidates, C17X advisory scoring boundary, and `production_forwarding`.
This remains platform-owner visibility only and does not enable production
forwarding.
- Stage C17Z production fabric-control direct forwarding boundary is
implemented and test-proven. `/mesh/v1/forward` no longer always returns
unavailable after validation: when the explicit production gate is enabled,
it can deliver valid route-bound `fabric.control` envelopes at the local
destination or forward them to a direct next hop from explicit peer endpoint
config. Service channels, arbitrary relay forwarding, multi-hop production
route execution, and RDP/VPN/file/video/service workload traffic remain out
of scope.
- Stage C17Z1 production fabric-control multi-hop route-path boundary is
implemented and test-proven. Production `fabric.control` envelopes can carry
`route_path` and `visited_node_ids`; relay nodes validate path position,
forward only to the next path node, update TTL/hop/visited metadata, and
reject loops. Service payloads remain unavailable.
- Stage C17Z2 production fabric-control forwarding observability boundary is
implemented and test-proven. Node-agent now emits local
`mesh_production_forward_event` logs for accepted, forwarded, delivered, and
rejected production `fabric.control` envelopes. Logs are metadata-only and
include no payload bodies, no read API, and no Control Plane reporting.
- Stage C17Z3 production fabric-control route-config boundary is implemented
and test-proven. When scoped/control-plane mesh routes are available locally,
production `fabric.control` envelopes must match configured route_id,
cluster, source, destination, route path, next hop, allowed channel, expiry,
max TTL, and max hop count before forwarding. Service payloads remain
unavailable.
- Stage C17Z4 scoped peer directory and recovery seeds boundary is implemented
and test/build-proven. Node-scoped mesh config now carries scoped
`peer_directory` and explicit bounded `recovery_seeds`; node-agent parses and
validates them, and Platform Owner Control Panel shows peer-directory/recovery
seed counts. This does not implement connection management, NAT traversal,
dynamic endpoint reporting, or service traffic.
- Stage C17Z5 node-agent peer cache runtime boundary is implemented and
test-proven. Node-agent now builds a node-local `PeerCache` from scoped peer
directory, recovery seeds, endpoints, endpoint candidates, and routes; selects
a bounded warm peer set; probes warm peers through `/mesh/v1/health` when
synthetic mesh testing is enabled; and reports metadata-only mesh-link
observations. This does not implement a persistent connection manager,
NAT traversal, dynamic endpoint reporting, or service payload forwarding.
- Stage C17Z6 dynamic endpoint reporting boundary is implemented and
test-proven. Node-agent can report an explicit advertised mesh endpoint in
heartbeat metadata, and Control Plane projects latest reported peer endpoints
and candidates into node-scoped synthetic mesh config. This does not implement
automatic public IP discovery, STUN/TURN/ICE NAT classification, persistent
connection management, or service payload forwarding.
- Stage C17Z7 private/corporate endpoint candidate boundary is implemented and
test-proven. Node-agent can report multiple advertised endpoint candidates,
including private/corporate LAN candidates; scoring rewards `private-lan`,
`corp-lan`, and `same-site`; and peer cache can select the best candidate
address for warm-peer health. This does not implement automatic subnet
discovery, persistent connection management, or service payload forwarding.
- Stage C17Z8 peer connection state machine boundary is implemented and
test-proven. Node-agent now tracks warm-peer connection states
(`disconnected`, `connecting`, `ready`, `degraded`, `backoff`), transitions
on warm-peer health probes, applies bounded backoff after repeated failures,
and reports metadata-only connection state in mesh-link observations. This
does not implement persistent data-plane sockets or service payload
forwarding.
- Stage C17Z9 peer recovery planner boundary is implemented and test-proven.
Node-agent now plans a bounded stable ready-peer set, enters recovery mode
when ready peers fall below target, selects bounded recovery probe
candidates from warm peers, recovery seeds, and other connectable scoped
peers, and reports metadata-only recovery state in heartbeat and mesh-link
observations. This does not implement persistent data-plane sockets, NAT
traversal, relay/rendezvous runtime, or service payload forwarding.
- Stage C17Z10 peer connection intent planner boundary is implemented and
test-proven. Node-agent now classifies bounded peer work as maintain/probe/
recover and classifies transport readiness as direct, private LAN,
corporate LAN, outbound-only, or relay-required, with rendezvous-required
metadata in heartbeat and mesh-link observations. This does not implement
persistent data-plane sockets, STUN/TURN/ICE, NAT traversal,
relay/rendezvous runtime, or service payload forwarding.
- Stage C17Z11 peer connection manager runtime boundary is implemented and
test-proven. Node-agent now uses a reusable HTTP keep-alive client to perform
real control-plane health probes for direct/private/corporate peers selected
by connection intents, updates shared peer connection state, records
`waiting_rendezvous` for outbound-only/relay-required peers, and reports
metadata-only manager cycle state. This does not implement STUN/TURN/ICE,
relay/rendezvous runtime, route leases, VPN runtime, or service payload
forwarding.
- Stage C17Z12 rendezvous/relay control-plane contract is implemented and
docker-test-runtime-proven. Backend now issues node-scoped
`rendezvous_leases` in synthetic mesh config, including explicit
route-policy leases and derived leases for outbound-only or relay-required
candidates when a route has a reachable HTTP relay control endpoint.
Node-agent consumes those leases, resolves matching `waiting_rendezvous`
intents into `relay_control`, probes relay `/mesh/v1/health`, records and
maintains `relay_ready` for the peer control path, and reports manager
metadata. This remains control-plane health only and does not enable
RDP/VPN/service payload forwarding, arbitrary relay packet forwarding,
STUN/TURN/ICE, or host network changes.
- Stage C17Z13 rendezvous lease telemetry is implemented and
docker-test-runtime-proven. Node-agent heartbeat now emits
`mesh_rendezvous_lease_report` with schema
`c17z13.mesh_rendezvous_lease_report.v1`, local role
(`relay`, `peer`, or `entry_or_observer`), relay admission, peer admission,
TTL/renewal posture, `relay_ready`, and explicit no-payload boundary flags.
Web-admin recent heartbeat tables show `rv leases`. This remains
control-plane telemetry only and does not enable RDP/VPN/service payload
forwarding, arbitrary relay packet forwarding, STUN/TURN/ICE, or host
network changes.
- Stage C17Z14 rendezvous lease refresh contract is implemented and
docker-test-runtime-proven. Node-agent refreshes renewal-needed, expired,
invalid, or stale relay leases through the existing node-scoped synthetic
config endpoint, reloads peer cache/leases/routes into the running synthetic
mesh runtime, and reports `c17z14.mesh_rendezvous_lease_report.v1` with
refresh counters plus stale relay withdrawal/reselection telemetry. This
remains control-plane health only and does not enable RDP/VPN/service
payload forwarding, arbitrary relay packet forwarding, STUN/TURN/ICE, or
host network changes.
- Stage C17Z15 backend relay replacement policy is implemented and
docker-test-runtime-proven. Backend reads recent
`mesh_rendezvous_lease_report` stale-relay feedback, withdraws stale
explicit rendezvous leases from node-scoped synthetic config, scores
alternate relay candidates using route adjacency, endpoint priority,
policy tags, and recent mesh-link health, and returns a replacement lease
plus `rendezvous_relay_policy` decisions in `c17z15.synthetic.v1`.
Node-agent reports `c17z15.mesh_rendezvous_lease_report.v1`, advertises the
relay replacement contract capability, and keeps stale state bound to the
exact lease/relay instead of smearing it across alternate leases for the same
peer. This remains control-plane health only and does not enable
RDP/VPN/service payload forwarding, arbitrary relay packet forwarding,
STUN/TURN/ICE, or host network changes.
- Stage C17Z16 route/path decision artifact is implemented and
docker-test-runtime-proven. Backend synthetic config now uses
`c17z16.synthetic.v1` and includes `route_path_decisions` with original hops,
effective hops, local previous/next hop, selected replacement relay,
generation, score reasons, and explicit control-plane/no-payload flags.
Node-agent stores the control-plane route generation and reports
`c17z16.mesh_route_path_decision_report.v1` alongside
`c17z16.mesh_rendezvous_lease_report.v1`. This remains route metadata only
and does not enable RDP/VPN/service payload forwarding, arbitrary relay
packet forwarding, STUN/TURN/ICE, or host network changes.
- Stage C17Z17 node-side route generation tracker is implemented and
docker-test-runtime-proven. Backend synthetic config now uses
`c17z17.synthetic.v1`; node-agent tracks Control Plane
`route_path_decisions` apply/unchanged/withdraw transitions and reports
`c17z17.mesh_route_generation_report.v1` alongside
`c17z17.mesh_route_path_decision_report.v1` and
`c17z17.mesh_rendezvous_lease_report.v1`. A first-observed
`stale_relay_replacement` still emits a `withdrawn_by_replacement` record
for the old stale relay path. This remains route metadata/control-plane
health only and does not enable RDP/VPN/service payload forwarding,
arbitrary relay packet forwarding, STUN/TURN/ICE, or host network changes.
- Stage C17Z18 synthetic route-health effective path runtime is implemented
and docker-test-runtime-proven. Backend synthetic config now uses
`c17z18.synthetic.v1`; node-agent refreshes Control Plane route decisions
into a separate route-health route config, probes the selected effective
path through the replacement relay, and reports
`c17z18.mesh_route_health_config_report.v1` plus route-health observations
with expected/observed hops and drift state. Backend latest mesh links now
preserve `synthetic_route_health` separately from peer connection-manager
observations, and web-admin shows route-health rows. This remains synthetic
route-health/control-plane only and does not enable RDP/VPN/service payload
forwarding, arbitrary relay packet forwarding, STUN/TURN/ICE, or host
network changes.
- Stage C17Z19 synthetic route-health feedback scoring is implemented and
docker-test-runtime-proven. Backend now consumes recent
`synthetic_route_health` observations in the relay scoring loop: drift,
unreachable status, or failure metadata can mark the exact selected relay
stale and trigger replacement, while healthy low-latency route-health boosts
alternate relay scoring. Node-agent route-health observations include
rendezvous peer/lease metadata, migration `000022` adds the `synthetic`
mesh service class, and web-admin marks relay policy `rh feedback`. This
remains synthetic/control-plane only and does not enable RDP/VPN/service
payload forwarding, arbitrary relay packet forwarding, STUN/TURN/ICE, or
host network changes.
- Stage C17Z20 node-side route-health feedback refresh is implemented and
docker-test-runtime-proven. After node-agent reports synthetic route-health
drift, unreachable status, or failure metadata, it schedules a bounded
node-scoped synthetic-config refresh, applies returned replacement route
decisions to route-health config immediately, and reports
`c17z20.mesh_route_health_feedback_refresh_report.v1` with attempt,
success, failure, and suppressed-repeat counters. Web-admin route-health
heartbeat summary now shows feedback refresh counters. This remains
synthetic/control-plane only and does not enable RDP/VPN/service payload
forwarding, arbitrary relay packet forwarding, STUN/TURN/ICE, or host
network changes.
- Installation Authority foundation is implemented and backend/web-build
verified. Production config now requires `INSTALLATION_AUTHORITY_MODE=strict`
with a Product Root Ed25519 public key. First-owner bootstrap accepts signed
activation manifests, stores installation authority and signed
`platform_role_grants`, and strict platform-admin checks ignore direct
PostgreSQL `users.platform_role` edits unless a valid grant exists. Web-admin
shows installation status and first-owner bootstrap; dev/legacy SQL seed
compatibility remains explicit and gated by
`INSTALLATION_INSECURE_BOOTSTRAP_ENABLED`.
- Cluster Authority foundation is implemented and backend/agent/web-build plus
docker-test lifecycle-smoke verified. Clusters now have Ed25519 authority
keys, join-token scope material is signed, node approval/bootstrap material
is signed, and Control Plane synthetic mesh config snapshots include a
signed hash envelope with `authority_required=true`. Cluster authority
private keys are encrypted at rest when `SECRET_ENCRYPTION_KEY_B64`/file is
configured. `rap-node-agent` verifies signed Control Plane synthetic config
and supports pinned authority public key/fingerprint through env or identity
state. Web-admin shows cluster authority fingerprints in summaries,
join-token output, approval rows, and synthetic config visibility. The
docker-test run `dev-bootstrap-20260428-201430` proved fresh dev cluster
creation, signed join token, real node-agent enrollment, platform-owner
approval, automatic signed bootstrap polling, authority pin persistence,
heartbeat, and signed synthetic-config verification. This is a control-plane
trust contract only; it does not enable RDP/VPN/service payload forwarding or
production relay packet forwarding.
- Node enrollment bootstrap polling is implemented and backend/agent-test plus
docker-test lifecycle-smoke verified. After enrollment, `rap-node-agent`
stores `pending_join_request_id`, polls
`/node-agents/enrollments/{requestID}/bootstrap`, verifies the signed
approval/bootstrap contract, and persists the approved `node_id`,
`identity_status`, and cluster authority pin into `identity.json`. Polling is
controlled by `RAP_ENROLLMENT_POLL_INTERVAL_SECONDS` and
`RAP_ENROLLMENT_POLL_TIMEOUT_SECONDS`.
- Migration `000021_cluster_authority_keys` was hardened after the fresh
docker-test replay found that PostgreSQL cannot change the
`cluster_admin_summaries` view layout through `CREATE OR REPLACE VIEW`; the
migration now drops and recreates the view in both up/down paths.
- `rap-node-agent` desired-workload polling/status reporting is now gated by
`RAP_WORKLOAD_SUPERVISION_ENABLED=false` by default, avoiding repeated
admin-only workload-status `403` logs while service runtime supervision is
still a stub.
- Stage C18 VPN/IP tunnel service target design is completed as
documentation/planning only.
- Stage C18A VPN/IP tunnel control-plane data model foundation is implemented
and backend-test-proven.
- Stage C18B VPN/IP tunnel lease/fencing hardening is implemented and
backend-test-proven.
- Stage C18C VPN/IP tunnel node-agent desired-state consumption/reporting is
implemented and backend-test-proven.
- Version Storage / Update Repository is documented as a future Fabric Core
service for signed releases, OS/arch artifacts, stable/current/candidate
channels, update-cache mirroring, node-agent update supervision, rollback,
and explicit data-structure migration bundles. Runtime updater behavior is
not implemented.
- Web Ingress and Admin UI ownership model is documented:
`docs/architecture/WEB_INGRESS_AND_ADMIN_UI_MODEL.md`.
- Admin endpoint placement decision is documented: storage/config-storage nodes
do not automatically become cluster panels; Platform Owner Console remains
global, Cluster Admin Endpoint requires explicit admin/web ingress role
assignment, and Organization Admin Panel remains tenant-safe.
- Platform Owner Control Panel is implemented in `web-admin` and
build-verified. Report:
`artifacts/web-admin-platform-owner-control-panel-report.md`.
- Fabric service endpoint control-plane foundation is implemented:
cluster-scoped `fabric_entry_points` and `fabric_egress_pools` are durable
PostgreSQL objects for logical client ingress and logical egress zones. This
is not production mesh routing yet.
- Fabric endpoint node assignment is implemented for the Platform Owner
Control Panel: entry points and egress pools can show and assign active
cluster nodes through control-plane APIs. This remains placement intent only;
it does not start mesh routing or service traffic.
- Platform Owner Control Panel Fabric map now visualizes logical ingress,
active cluster nodes, logical egress pools, endpoint-node placement intent,
observed peer links, and node telemetry/service summaries in one cluster
diagram. This remains a platform-owner topology view and must not be exposed
to organization panels.
- Platform Owner Control Panel Fabric page also shows current node-scoped
synthetic mesh config/candidate/scoring/route-health feedback visibility
after C17Z20.
- Stage C17H deployed multi-agent synthetic config smoke on `docker-test` is
complete; next mesh/Fabric work requires an explicit new staged prompt
- prepare the Secure Access Fabric platform-core foundation:
clusters, node enrollment, native node-agent identity, role assignment,
platform admin console, scoped configuration distribution, node-local state,
Fabric Storage/Config Storage, and future multi-cluster administration
- Stage C1 backend cluster/node model foundation is implemented and verified.
- Stage C2 node enrollment hardening is implemented and verified.
- Stage C3 native `rap-node-agent` MVP scaffold is implemented and verified.
- Stage C4 Platform Admin Console MVP is implemented and build-verified.
- Stage C5 service workload supervision contract is implemented and verified.
- Stage C6 mesh control-plane preparation is implemented and verified.
- Stage C7 Mesh MVP skeleton is implemented and verified.
- Stage C8 multi-cluster/partition hardening is implemented and verified.
- Stage C9 organization admin foundation is implemented and verified.
- Current focus: Fabric Core / mesh transport foundation. RDP remains paused.
C17Z20 is complete and remains peer/rendezvous control-plane health
management, stale-relay replacement policy, route/path decision metadata, and
synthetic route-health effective-path feedback scoring/refresh only, not
production service mesh traffic.
Not current scope:
- Web/Admin UI implementation beyond documented ownership/model boundaries
- production mesh runtime
- VPN/IP tunnel runtime
- multi-cluster runtime
- node-agent updater runtime
- production Version Storage / Update Repository runtime
- automatic PostgreSQL migration execution by node-agent
- SSH/VNC adapters
- Linux/mobile clients
- DP-3B adaptive quality expansion
- RDP performance work, including RDP-Perf-7 or further RDP-Perf stages
- Stage 5.2 remaining RDP desktop UI proof
- organization admin UI implementation
- production authentication/session hardening for Web Admin
## Canonical Test Environment
- Docker test host: `192.168.200.61`
- SSH alias: `docker-test`
- Docker endpoint: `ssh://docker-test`
- Backend API: `http://192.168.200.61:8080/api/v1`
- Backend gateway: `ws://192.168.200.61:8080/api/v1/gateway/ws`
- C17A required no active runtime deployment. It is implemented in
`rap-node-agent` tests only, behind a disabled-by-default feature flag, and
carries synthetic `fabric.probe` / `fabric.probe_ack` messages only.
- C17B required no active runtime deployment. It is implemented in
`rap-node-agent` tests only, behind the same disabled-by-default feature
flag, and carries synthetic route health probes only.
- C17C required no active runtime deployment. It is implemented in
`rap-node-agent` tests only, behind the same disabled-by-default feature
flag, and models synthetic relay queues/QoS only.
- C17D required no active runtime deployment. It is implemented in
`rap-node-agent` tests only, behind the same disabled-by-default feature
flag, and carries only bounded `synthetic.echo` test-service payloads.
- C17E adds a live node-to-node synthetic HTTP transport skeleton and smoke
harness. It remains behind `RAP_MESH_SYNTHETIC_RUNTIME_ENABLED=false` by
default and does not authorize production mesh, RDP, VPN, file, video, or
service workload traffic.
- C17F adds a scoped synthetic mesh config file boundary, prefers it over
debug JSON, and reports synthetic route-health observations to the existing
mesh links control-plane endpoint when testing flags allow synthetic links.
- C17G adds backend
`/clusters/{clusterID}/nodes/{nodeID}/mesh/synthetic-config` and node-agent
consumption of that config when no local scoped config file is set.
- C17H proves the C17G boundary in a deployed multi-agent `docker-test` smoke
with synthetic traffic only.
- C17I adds an explicit node-agent production forwarding gate while keeping
production forwarding unavailable.
- C17J adds route-bound production envelope validation on `/mesh/v1/forward`
while keeping production forwarding unavailable.
- C17K adds local metadata-only accepted-envelope observation while keeping
production forwarding unavailable.
- C17L adds a bounded local in-memory sink for accepted metadata-only
observations while keeping production forwarding unavailable.
- C17M adds disabled-by-default node-agent wiring for the bounded local
metadata-only observation sink while keeping production forwarding
unavailable.
- C17N adds local metrics for the bounded observation sink while keeping
production forwarding unavailable.
- C17O adds local node-agent logging for bounded observation sink metrics while
keeping production forwarding unavailable.
- C17P adds change-driven suppression for unchanged local bounded observation
sink metrics logs while keeping production forwarding unavailable.
- C17Q adds explicit local log separation for production forwarding gate state
versus runtime state while keeping production forwarding unavailable.
- C17R adds a maximum capacity guard for the local production observation sink
while keeping production forwarding unavailable.
- C17S adds panic-safe fail-closed observation handling while keeping
production forwarding unavailable.
- C17T adds an explicit payload boundary for validated production
`fabric.control` envelopes while keeping production forwarding unavailable.
- C17U adds an explicit future-skew boundary for validated production
`fabric.control` envelope `created_at` while keeping production forwarding
unavailable.
- C17V adds scoped peer endpoint candidates and NAT/connectivity hints to
synthetic mesh config while keeping production forwarding unavailable.
- C17W adds deterministic local scoring for scoped peer endpoint candidates
while keeping production forwarding unavailable.
- C17X adds an optional local health observation overlay for endpoint
candidate scoring while keeping production forwarding unavailable.
- C17Y updates the Platform Owner Control Panel with node-scoped synthetic
mesh config visibility while keeping production forwarding unavailable.
- C17Z adds gate-controlled production `fabric.control` local delivery and
direct next-hop forwarding while keeping service channels unavailable.
- C17Z1 adds route-path-bound production `fabric.control` multi-hop forwarding
while keeping service channels unavailable.
- C17Z2 adds local metadata-only production `fabric.control` forwarding event
logs while keeping service channels unavailable.
- C17Z3 binds production `fabric.control` forwarding to local route config
when configured routes are available while keeping service channels
unavailable.
- C17Z4 adds scoped peer directory and bounded recovery seeds to node-scoped
mesh config while keeping service channels unavailable.
- C17Z5 adds node-local peer cache and warm-peer health probes while keeping
service channels unavailable.
- C17Z6 adds explicit advertised endpoint reporting and scoped config
projection while keeping service channels unavailable.
- C17Z7 adds multiple public/private/corporate endpoint candidates and
same-site scoring while keeping service channels unavailable.
- C17Z8 adds node-local warm-peer connection states and backoff while keeping
service channels unavailable.
- C17Z9 adds bounded node-local peer recovery planning while keeping service
channels unavailable.
- C17Z10 adds node-local peer connection intent and transport readiness
metadata while keeping service channels unavailable.
- C17Z11 adds a real node-local peer connection manager for control-plane
health while keeping service channels unavailable.
- C17Z12 adds node-scoped rendezvous/relay control-plane leases while keeping
service channels unavailable.
- C17Z13 adds rendezvous lease telemetry while keeping service channels
unavailable.
- C17Z14 adds node-scoped lease refresh/reload and stale relay telemetry while
keeping service channels unavailable.
- C17Z15 adds backend stale-relay replacement policy and alternate relay
scoring while keeping service channels unavailable.
- C17Z16 adds Control Plane route/path decision metadata while keeping service
channels unavailable.
- C17Z17 adds node-side route generation apply/withdraw metadata while keeping
service channels unavailable.
- C18 completed design/planning only and did not implement VPN/IP tunnel
runtime. C18A completed control-plane data model foundation only. C18B
completed lease/fencing control-plane hardening only. C18C completed
node-agent desired-state consumption/reporting only. C18D, if accepted, must
remain credential/config resolver boundary work and must not implement real
VPN/IP tunnel runtime without a separate explicit prompt.
- Latest RDP performance reference image:
`rap-rdp-worker:rdp-perf6-dirty-region`
- Stage 5.2 file-download runtime artifacts remain preserved for when RDP work
resumes, but they are not the active next task.
## Proven Baseline
### Backend
- Go backend builds and tests pass.
- PostgreSQL is the source of truth.
- Redis is live coordination/routing only.
- Auth foundation exists.
- Refresh rotation, auth sessions, devices, and trusted devices exist.
- Multi-tenant organization foundation exists.
- Resources and remote sessions are organization-scoped.
- Platform-core v2 models exist.
- Identity source foundation exists.
- Node and node-agent control-plane foundation exists.
- Session broker lifecycle is implemented.
- Worker coordination and stale worker monitoring are implemented.
- Structured localization-ready messaging exists.
- Per-resource `certificate_verification_mode = strict | ignore` exists.
- `strict` remains default.
- Clipboard policy mode exists.
- File transfer policy mode exists.
- Data-plane token/candidate generation exists.
- Production resource secret-readiness guard exists:
- `APP_ENV=production` rejects plaintext credential-like resource metadata.
- RDP/VNC/SSH resources require `secret_ref` in production.
- development and smoke paths may still use plaintext metadata explicitly.
- Encrypted PostgreSQL-backed resource secret storage/resolver MVP exists:
- `resource_secrets` stores ciphertext, nonce, key id, algorithm, version,
safe metadata, and `payload_sha256`.
- `PUT /api/v1/resources/{resourceID}/secret` creates/rotates a resource
secret without returning plaintext.
- session assignment resolves `secret_ref` only after organization, resource,
session, worker, and lease checks.
- Production direct worker WSS TLS/PKI guard exists:
- backend direct candidates advertise `tls_trust_mode`, `production_trusted`,
`smoke_only`, and optional `tls_ca_ref` metadata.
- production backend omits smoke-only direct candidates and keeps backend
gateway fallback.
- Windows client skips untrusted/smoke-only direct candidates in production.
### Worker / RDP Adapter
- Worker Docker build is reproducible.
- C++ worker is the active RDP runtime.
- FreeRDP is behind the RDP Adapter boundary.
- Worker registration, assignment consumption, heartbeat, leases, and worker
events are implemented.
- Real RDP connection works.
- Detach/reattach/takeover/terminate/failure flows are proven.
- Reattach/takeover do not recreate the remote RDP session.
- Worker death/orphan active-session recovery is proven.
- Direct worker WSS endpoint exists.
- RS256 data-plane token validation exists.
- Current attachment/controller binding is enforced.
- Backend gateway fallback remains available.
- Direct binary `RAP2` render frames exist.
- Region-first BGRA rendering is the current stable path.
- Direct attach baseline full-frame repair exists.
- Region-loss full-frame repair exists.
- Ordered dirty-region delivery is accepted through `SessionRuntime`, worker
direct WSS, Windows transport, and WPF presenter queues.
- Cursor adapter boundary exists.
- Text clipboard through FreeRDP `cliprdr` is accepted.
- Client-to-server file upload to controlled worker storage is accepted.
- Restricted transfer-drive visibility through FreeRDP RDPDR is runtime-proven:
uploaded files are visible and openable inside the remote Windows session via
`RAP_Transfers`.
- Backend gateway fallback/debug frame state reconstructs a full framebuffer by
patching accepted region updates into Redis live state, so fallback screenshots
are not left with region-sized payloads after region-first rendering.
### Windows Client
- Windows WPF client builds.
- Login, refresh, logout, organization selection, resource list, active sessions,
and session window exist.
- Direct worker WSS selection exists with automatic backend gateway fallback.
- Binary direct render receive path exists.
- Real remote desktop is visible.
- Keyboard and mouse input are usable after RDP adapter hardening.
- Session window lifecycle is stable enough for current smoke work.
- Localization-ready resources and structured backend message resolution exist.
- Text clipboard UI/path exists.
- File upload UI/path exists.
## Current Known Gaps
- C1 cluster/node backend foundation is implemented. Remaining platform-core
work continued through C2: production enrollment hardening and node-agent
enrollment API. Runtime reports:
`artifacts/c1-cluster-node-foundation-report.md`.
- `artifacts/c2-node-enrollment-hardening-report.md`.
- `artifacts/c3-rap-node-agent-mvp-report.md`.
- `artifacts/c4-platform-admin-console-report.md`.
- `artifacts/c5-service-workload-supervision-contract-report.md`.
- `artifacts/c6-mesh-control-plane-preparation-report.md`.
- `artifacts/c7-mesh-mvp-skeleton-report.md`.
- `artifacts/c8-multi-cluster-hardening-report.md`.
- `artifacts/c9-organization-admin-foundation-report.md`.
- `artifacts/c10-fabric-core-config-distribution-design-report.md`.
- `artifacts/c11-signed-scoped-cluster-snapshot-model-report.md`.
- `artifacts/c12-node-local-state-store-report.md`.
- `artifacts/c13-fabric-storage-config-service-report.md`.
- `artifacts/c14-peer-directory-cache-model-report.md`.
- `artifacts/c15-fabric-routing-engine-skeleton-report.md`.
- `artifacts/c16-secure-node-to-node-channel-lifecycle-report.md`.
- `artifacts/c17-mesh-routing-runtime-implementation-plan-report.md`.
- `artifacts/c17a-synthetic-mesh-runtime-skeleton-report.md`.
- `artifacts/c17b-route-health-failover-probes-report.md`.
- `artifacts/c17c-relay-semantic-hardening-report.md`.
- `artifacts/c17d-non-production-test-service-path-report.md`.
- `artifacts/c17e-live-node-to-node-synthetic-transport-report.md`.
- `artifacts/c17f-scoped-synthetic-route-config-report.md`.
- `artifacts/c17g-control-plane-scoped-synthetic-config-report.md`.
- `artifacts/c17v-peer-endpoint-candidate-model-report.md`.
- `artifacts/c17w-peer-endpoint-candidate-scoring-report.md`.
- `artifacts/c17x-health-aware-endpoint-candidate-scoring-report.md`.
- `artifacts/c17y-platform-owner-synthetic-mesh-visibility-report.md`.
- `artifacts/c18-vpn-ip-tunnel-service-target-design-report.md`.
- `artifacts/c18a-vpn-control-plane-data-model-report.md`.
- `artifacts/c18b-vpn-lease-fencing-hardening-report.md`.
- `artifacts/c18c-vpn-node-agent-desired-state-report.md`.
- RDP correctness baseline is accepted. Remaining visual/performance limitation:
window drag behaves like older/slow-link RDP clients by showing a drag frame,
and repaint after releasing a moved window is workable but not yet polished.
- RDPGFX is gated and disabled by default because the current live target resets
the connection when RDPGFX is advertised.
- Encoded graphics/codecs/tiles are not production-accepted.
- Server-to-client file download core data path is runtime-proven through both
direct worker WSS and backend gateway fallback. Stage 5.2 lifecycle blocking
is runtime-proven for detach, old-client takeover, and worker failure. Stage
5.2 still needs manual Windows-client UI proof before full runtime
acceptance.
- External KMS/Vault integration and master-key rotation are not implemented.
- Worker production assignment currently receives resolved credentials through
transient assignment metadata; a future resolver pull/token flow should reduce
Redis control-queue exposure.
- The current dev/smoke RDP proof path can still resolve credentials from
resource metadata outside production.
- Production direct-worker certificate issuance/rotation and platform CA
distribution are not automated yet.
- Backend test coverage is thin outside `sessionbroker`.
- Windows client automated tests are missing.
- Worker probes exist, but a full automated adapter conformance suite does not.
- Several documents were updated during P0, but future work must keep them in
sync after every accepted stage.
## Current Verification Snapshot
Additional C17A synthetic mesh runtime skeleton verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
```
Result:
- direct synthetic `fabric.probe` / `fabric.probe_ack`: PASS
- single-relay synthetic `fabric.probe` / `fabric.probe_ack`: PASS
- feature flag / kill-switch disabled path: PASS
- wrong cluster rejection: PASS
- wrong node rejection: PASS
- unauthorized channel rejection: PASS
- expired route rejection: PASS
- TTL exhaustion rejection: PASS
- loop rejection: PASS
- unavailable peer rejection: PASS
- existing mesh health and production-forwarding-disabled behavior: PASS
- RDP/runtime/data-plane behavior changed: no
- production service traffic over mesh: no
Additional C17B route health and failover probe verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
```
Result:
- C17A direct/single-relay synthetic probes remain intact: PASS
- route health `fabric.route_health` / `fabric.route_health_ack`: PASS
- local route success observation: PASS
- local route failure observation: PASS
- preferred route failure with fallback route use: PASS
- warm fallback route promotion metric/log boundary: PASS
- route cache invalidation on policy version change: PASS
- same-version route cache preservation: PASS
- feature flag / kill-switch disabled path: PASS
- RDP/runtime/data-plane behavior changed: no
- production service traffic over mesh: no
Additional C17C relay semantic hardening verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
```
Result:
- C17A direct/single-relay synthetic probes remain intact: PASS
- C17B route health/failover probes remain intact: PASS
- synthetic relay envelope validation: PASS
- QoS dequeue order `fabric_control` > `route_control` > `telemetry`: PASS
- telemetry backpressure drops oldest stale telemetry only: PASS
- reliable fabric/control queue full rejects instead of dropping: PASS
- relay rejects wrong cluster, wrong node, unauthorized channel, unsupported
message, TTL exhaustion, and loop: PASS
- relay disabled / kill-switch path: PASS
- relay queue depth metrics: PASS
- RDP/runtime/data-plane behavior changed: no
- production service traffic over mesh: no
Additional C17D non-production test-service path verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
```
Result:
- C17A direct/single-relay synthetic probes remain intact: PASS
- C17B route health/failover probes remain intact: PASS
- C17C relay validation/QoS/backpressure remains intact: PASS
- direct `synthetic.echo` service-path test: PASS
- single-relay `synthetic.echo` service-path test: PASS
- forced fallback `synthetic.echo` service-path test: PASS
- bounded payload max-size behavior: PASS
- wrong organization rejected: PASS
- unsupported service type rejected: PASS
- oversized payload rejected: PASS
- unauthorized channel rejected: PASS
- missing request id rejected: PASS
- runtime disabled / kill-switch path: PASS
- RDP/runtime/data-plane behavior changed: no
- production service traffic over mesh: no
Additional C17E live node-to-node synthetic transport verification:
```powershell
go test ./...
go run ./cmd/mesh-live-smoke
go build -o bin/rap-node-agent.exe ./cmd/rap-node-agent
go build -o bin/mesh-live-smoke.exe ./cmd/mesh-live-smoke
```
Run from:
```powershell
agents\rap-node-agent
```
Result:
- live HTTP peer transport for synthetic envelopes: PASS
- direct `node-a -> node-b` synthetic probe over HTTP endpoints: PASS
- single-relay `node-a -> node-r -> node-b` synthetic probe over HTTP endpoints:
PASS
- bounded `synthetic.echo` test-service over relay HTTP path: PASS
- disabled-by-default `rap-node-agent` synthetic mesh endpoint: PASS
- production `/mesh/v1/forward` remains disabled: PASS
- RDP/runtime/data-plane behavior changed: no
- production service traffic over mesh: no
Additional C17F scoped synthetic route config verification:
```powershell
go test ./...
go run ./cmd/mesh-live-smoke
go build -o bin/rap-node-agent.exe ./cmd/rap-node-agent
go build -o bin/mesh-live-smoke.exe ./cmd/mesh-live-smoke
```
Run from:
```powershell
agents\rap-node-agent
```
Result:
- scoped synthetic config file load: PASS
- wrong cluster rejected: PASS
- wrong node rejected: PASS
- expired route rejected: PASS
- scoped config preferred over debug JSON: PASS
- synthetic route-health reporting boundary added: PASS
- C17E live direct/relay smoke remains intact: PASS
- production `/mesh/v1/forward` remains disabled: PASS
- RDP/runtime/data-plane behavior changed: no
- production service traffic over mesh: no
Additional C17G Control Plane scoped synthetic config verification:
```powershell
go test ./...
```
Run from:
```powershell
backend
agents\rap-node-agent
```
Result:
- backend node-scoped synthetic config endpoint/service: PASS
- disabled testing flag returns no routes and no peer endpoints: PASS
- unrelated route intent does not leak to requesting node: PASS
- production forwarding remains false in config: PASS
- node-agent consumes Control Plane config when local scoped config file is not
set: PASS
- local `RAP_MESH_SYNTHETIC_CONFIG` remains preferred debug fallback: PASS
- C17F live direct/relay smoke remains intact: PASS
- RDP/runtime/data-plane behavior changed: no
- production service traffic over mesh: no
Additional C17H deployed multi-agent synthetic config smoke verification:
```powershell
powershell -NoProfile -ExecutionPolicy Bypass -File scripts\fabric\c17h-multi-agent-synthetic-smoke-ssh.ps1 -KeepRunning
go test ./...
```
Run from:
```powershell
backend
agents\rap-node-agent
```
Result:
- deployed backend on `docker-test` stayed ready at `http://192.168.200.61:18080/api/v1`: PASS
- five running `rap-node-agent` containers loaded `source=control_plane`
synthetic config: PASS
- scoped config route counts: node-a=2, node-r=1, node-b=1, node-c=1,
node-idle=0: PASS
- direct route-health observation reported reachable to Control Plane: PASS
- single-relay route-health observation reported reachable to Control Plane:
PASS
- Platform Owner cluster summary showed 5 nodes and 5 healthy nodes: PASS
- all scoped configs kept `production_forwarding=false`: PASS
- backend `go test ./...`: PASS
- node-agent `go test ./...`: PASS
- RDP/runtime/data-plane behavior changed: no
- production service traffic over mesh: no
C17H runtime report:
- `artifacts/c17h-deployed-multi-agent-synthetic-config-smoke-report.md`
Additional C17I production forwarding gate verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
backend
```
Result:
- `RAP_MESH_PRODUCTION_FORWARDING_ENABLED` config gate: PASS
- `/mesh/v1/forward` remains disabled by default: PASS
- explicit gate enabled still reports unavailable production runtime: PASS
- backend tests: PASS
- RDP/runtime/data-plane behavior changed: no
- production service traffic over mesh: no
C17I report:
- `artifacts/c17i-production-forwarding-gate-report.md`
Additional C17J production envelope contract verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
backend
```
Result:
- route-bound production envelope contract validation: PASS
- invalid payload hash rejected: PASS
- service channel rejected: PASS
- gate-enabled `/mesh/v1/forward` still returns unavailable runtime after
successful validation: PASS
- backend tests: PASS
- RDP/runtime/data-plane behavior changed: no
- production service traffic over mesh: no
C17J report:
- `artifacts/c17j-production-envelope-contract-report.md`
Additional C17K production envelope observation verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
backend
```
Result:
- valid production envelope triggers metadata-only observation: PASS
- rejected production envelope does not trigger observation: PASS
- observation failure fails closed: PASS
- gate-enabled `/mesh/v1/forward` still returns unavailable runtime after
validation/observation: PASS
- backend tests: PASS
- RDP/runtime/data-plane behavior changed: no
- production service traffic over mesh: no
C17K report:
- `artifacts/c17k-production-envelope-observation-report.md`
Additional C17L bounded production observation sink verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
```
Result:
- bounded metadata-only sink stores accepted observations: PASS
- oldest observation is dropped when capacity is exceeded: PASS
- payload hash/length metadata is preserved: PASS
- payload body is not stored by the sink: PASS
- gate-enabled `/mesh/v1/forward` still returns unavailable runtime after
validation/observation/sink storage: PASS
- RDP/runtime/data-plane behavior changed: no
- production service traffic over mesh: no
C17L report:
- `artifacts/c17l-bounded-production-observation-sink-report.md`
Additional C17M production observation sink wiring verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
```
Result:
- `RAP_MESH_PRODUCTION_OBSERVATION_SINK_CAPACITY` config loading: PASS
- negative sink capacity rejected: PASS
- observer wiring disabled by default: PASS
- observer wiring created only when capacity is greater than zero: PASS
- existing mesh/forwarding tests remain green: PASS
- RDP/runtime/data-plane behavior changed: no
- production service traffic over mesh: no
C17M report:
- `artifacts/c17m-production-observation-sink-wiring-report.md`
Additional C17N production observation sink metrics verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
```
Result:
- empty sink metrics start at zero depth/accepted/dropped: PASS
- bounded sink metrics track capacity/current depth: PASS
- accepted observations increment accepted total: PASS
- oldest-entry drop increments dropped total: PASS
- existing mesh/forwarding tests remain green: PASS
- RDP/runtime/data-plane behavior changed: no
- production service traffic over mesh: no
C17N report:
- `artifacts/c17n-production-observation-sink-metrics-report.md`
Additional C17O production observation sink local metrics log verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
```
Result:
- sink wiring remains disabled by default: PASS
- enabled sink keeps configured capacity: PASS
- nil mesh state metrics logging is safe: PASS
- existing mesh/forwarding tests remain green: PASS
- RDP/runtime/data-plane behavior changed: no
- production service traffic over mesh: no
C17O report:
- `artifacts/c17o-production-observation-sink-local-metrics-log-report.md`
Additional C17P production observation sink change-driven metrics log
verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
```
Result:
- first metrics snapshot logs locally: PASS
- unchanged metrics do not log again: PASS
- changed metrics log again: PASS
- metrics equality helper detects identical/different snapshots: PASS
- existing mesh/forwarding tests remain green: PASS
- RDP/runtime/data-plane behavior changed: no
- production service traffic over mesh: no
C17P report:
- `artifacts/c17p-production-observation-sink-change-driven-metrics-log-report.md`
Additional C17Q production forwarding gate/runtime log boundary verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
```
Result:
- production forwarding gate state is logged separately from runtime state:
PASS
- default gate/runtime log state remains false/false: PASS
- gate-enabled log state remains true/false: PASS
- existing mesh/forwarding tests remain green: PASS
- RDP/runtime/data-plane behavior changed: no
- production service traffic over mesh: no
C17Q report:
- `artifacts/c17q-production-forwarding-gate-runtime-log-boundary-report.md`
Additional C17R production observation sink capacity guard verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
```
Result:
- normal sink capacity config still loads: PASS
- negative sink capacity rejected: PASS
- too-large sink capacity rejected: PASS
- existing mesh/forwarding tests remain green: PASS
- RDP/runtime/data-plane behavior changed: no
- production service traffic over mesh: no
C17R report:
- `artifacts/c17r-production-observation-sink-capacity-guard-report.md`
Additional C17S production observation panic fail-closed verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
```
Result:
- observer error fails closed: PASS
- observer panic fails closed: PASS
- nil observer is allowed: PASS
- rejected envelopes are not observed: PASS
- existing mesh/forwarding tests remain green: PASS
- RDP/runtime/data-plane behavior changed: no
- production service traffic over mesh: no
C17S report:
- `artifacts/c17s-production-observation-panic-fail-closed-report.md`
Additional C17T production envelope payload boundary verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
```
Result:
- valid fabric-control envelope still passes validation/observation: PASS
- oversized fabric-control envelope rejected: PASS
- oversized rejected envelope does not call observer: PASS
- invalid payload hash still rejected: PASS
- service channel still rejected: PASS
- existing mesh/forwarding tests remain green: PASS
- RDP/runtime/data-plane behavior changed: no
- production service traffic over mesh: no
C17T report:
- `artifacts/c17t-production-envelope-payload-boundary-report.md`
Additional C17U production envelope created-at skew verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
```
Result:
- valid fabric-control envelope still passes validation/observation: PASS
- future-created fabric-control envelope rejected: PASS
- future-created rejected envelope does not call observer: PASS
- existing payload/hash/channel/time validation remains green: PASS
- RDP/runtime/data-plane behavior changed: no
- production service traffic over mesh: no
C17U report:
- `artifacts/c17u-production-envelope-created-at-skew-report.md`
Additional C17V peer endpoint candidate model verification:
```powershell
go test ./...
```
Run from:
```powershell
backend
agents\rap-node-agent
```
Result:
- backend synthetic config includes route-scoped peer endpoint candidates:
PASS
- unrelated peer endpoints and endpoint candidates do not leak across route
paths: PASS
- candidate validation rejects unknown transport/NAT, route-path mismatch,
node mismatch, and invalid metadata: PASS
- node-agent scoped config loads valid peer endpoint candidates: PASS
- node-agent scoped config rejects invalid peer endpoint candidates: PASS
- production forwarding remained unavailable: PASS
- production service traffic over mesh: no
C17V report:
- `artifacts/c17v-peer-endpoint-candidate-model-report.md`
Additional C17W peer endpoint candidate scoring verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
backend
```
Result:
- direct/fresh/public endpoint candidate ranks above relay and stale
candidates: PASS
- tie-breaking by priority/node/endpoint is deterministic: PASS
- relay and outbound fallback candidates are retained instead of dropped:
PASS
- production forwarding remained unavailable: PASS
- production service traffic over mesh: no
C17W report:
- `artifacts/c17w-peer-endpoint-candidate-scoring-report.md`
Additional C17X health-aware endpoint candidate scoring verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
backend
```
Result:
- local health observations can promote lower-latency, high-reliability
candidates: PASS
- failure history and recent failure reasons penalize candidates: PASS
- stale observations do not contribute fresh latency benefits: PASS
- production forwarding remained unavailable: PASS
- production service traffic over mesh: no
C17X report:
- `artifacts/c17x-health-aware-endpoint-candidate-scoring-report.md`
Additional C17Y Platform Owner synthetic mesh visibility verification:
```powershell
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build && popd"
go test ./...
```
Run from:
```powershell
web-admin
backend
agents\rap-node-agent
```
Result:
- web-admin TypeScript/Vite build: PASS
- backend tests: PASS
- node-agent tests: PASS
- Platform Owner Fabric page reads node-scoped synthetic mesh config: PASS
- Fabric page shows route/endpoint/candidate counts and production forwarding
state: PASS
- production forwarding remained unavailable: PASS
- RDP/runtime/data-plane behavior changed: no
C17Y report:
- `artifacts/c17y-platform-owner-synthetic-mesh-visibility-report.md`
Additional C17Z production fabric-control direct forwarding verification:
```powershell
go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build && popd"
```
Run from:
```powershell
agents\rap-node-agent
backend
web-admin
```
Result:
- local destination delivery for valid `fabric.control`: PASS
- direct next-hop forwarding for valid `fabric.control`: PASS
- no-transport path still returns runtime unavailable: PASS
- invalid/hash/channel/time/payload boundaries remain enforced: PASS
- service channels remain rejected: PASS
- web-admin build with updated C17Z boundary wording: PASS
- RDP/runtime service payload behavior changed: no
C17Z report:
- `artifacts/c17z-production-fabric-control-direct-forwarding-report.md`
Additional C17Z1 production fabric-control multi-hop route-path verification:
```powershell
go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build && popd"
```
Run from:
```powershell
agents\rap-node-agent
backend
web-admin
```
Result:
- route-path-bound multi-hop `fabric.control` forwarding: PASS
- wrong next hop rejected: PASS
- duplicate route path loop rejected: PASS
- visited node metadata propagated to the destination: PASS
- service channels remain rejected: PASS
- RDP/runtime service payload behavior changed: no
C17Z1 report:
- `artifacts/c17z1-production-fabric-control-multihop-route-path-report.md`
Additional C17Z2 production fabric-control forwarding observability
verification:
```powershell
go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build && popd"
```
Run from:
```powershell
agents\rap-node-agent
backend
web-admin
```
Result:
- accepted production `fabric.control` events logged: PASS
- forwarded production `fabric.control` events logged: PASS
- delivered production `fabric.control` events logged: PASS
- rejected production `fabric.control` events logged: PASS
- payload bodies are not logged: PASS
- service channels remain rejected: PASS
- RDP/runtime service payload behavior changed: no
C17Z2 report:
- `artifacts/c17z2-production-fabric-control-forwarding-observability-report.md`
Additional C17Z3 production fabric-control route-config verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
```
Result:
- configured production `fabric.control` route forwarding: PASS
- unknown configured route rejection: PASS
- wrong configured next-hop rejection: PASS
- existing direct and route-path forwarding tests: PASS
- service channels remain rejected: PASS
- RDP/runtime service payload behavior changed: no
C17Z3 report:
- `artifacts/c17z3-production-fabric-control-route-config-boundary-report.md`
Additional C17Z4 scoped peer directory/recovery seed verification:
```powershell
go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build && popd"
```
Run from:
```powershell
backend
agents\rap-node-agent
web-admin
```
Result:
- backend scoped peer-directory projection: PASS
- backend recovery seed projection/ordering: PASS
- node-agent scoped config validation: PASS
- web-admin peer directory/recovery seed counters: PASS
- RDP/runtime service payload behavior changed: no
C17Z4 report:
- `artifacts/c17z4-scoped-peer-directory-recovery-seeds-report.md`
Additional C17Z5 node-agent peer cache runtime verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
```
Result:
- peer cache warm selection: PASS
- recovery seed warm promotion: PASS
- endpoint candidate scoring integration: PASS
- node-agent config loading with peer runtime config: PASS
- warm-peer health probe code compiles in node-agent: PASS
- RDP/runtime service payload behavior changed: no
C17Z5 report:
- `artifacts/c17z5-node-agent-peer-cache-runtime-report.md`
Additional C17Z6 dynamic endpoint reporting verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
backend
```
Result:
- node-agent advertised endpoint config loading: PASS
- heartbeat endpoint report payload: PASS
- backend projection of reported endpoint into scoped config: PASS
- backend projection of reported endpoint candidate into scoped config: PASS
- peer directory counts include reported endpoint/candidate: PASS
- RDP/runtime service payload behavior changed: no
C17Z6 report:
- `artifacts/c17z6-dynamic-endpoint-reporting-report.md`
Additional C17Z7 private/corporate endpoint candidate verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
backend
```
Result:
- multiple advertised endpoint heartbeat payload: PASS
- private/corporate endpoint candidate preservation: PASS
- corporate/private endpoint scoring preference: PASS
- peer cache selects corporate LAN address for warm health: PASS
- backend tests remain green: PASS
- RDP/runtime service payload behavior changed: no
C17Z7 report:
- `artifacts/c17z7-private-corporate-endpoint-candidates-report.md`
Additional C17Z8 peer connection state-machine verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
```
Result:
- ready/degraded transitions: PASS
- repeated-failure backoff transition: PASS
- backoff probe suppression/recovery: PASS
- snapshot state counters: PASS
- node-agent warm-peer health metadata compiles with connection states: PASS
- RDP/runtime service payload behavior changed: no
C17Z8 report:
- `artifacts/c17z8-peer-connection-state-machine-report.md`
Additional C17Z9 peer recovery planner verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
```
Result:
- bounded steady ready-peer selection: PASS
- recovery seed candidate selection during ready deficit: PASS
- active backoff candidate suppression: PASS
- target capped by connectable peer count: PASS
- node-agent recovery report metadata compiles: PASS
- RDP/runtime service payload behavior changed: no
C17Z9 report:
- `artifacts/c17z9-peer-recovery-planner-report.md`
Additional C17Z10 peer connection intent planner verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
```
Result:
- corporate/private direct intent classification: PASS
- outbound-only rendezvous-required classification: PASS
- relay-required rendezvous-required classification: PASS
- private endpoint classification without explicit candidate hints: PASS
- heartbeat intent report without advertised endpoint: PASS
- RDP/runtime service payload behavior changed: no
C17Z10 report:
- `artifacts/c17z10-peer-connection-intent-planner-report.md`
Additional C17Z11 peer connection manager runtime verification:
```powershell
go test ./...
```
Run from:
```powershell
agents\rap-node-agent
```
Result:
- direct control-plane health probe through manager: PASS
- relay/rendezvous-required peer deferred: PASS
- repeated failure enters backoff and is suppressed: PASS
- heartbeat manager report compiles: PASS
- RDP/runtime service payload behavior changed: no
C17Z11 report:
- `artifacts/c17z11-peer-connection-manager-runtime-report.md`
Additional C17Z12 rendezvous/relay control-plane contract verification:
```powershell
go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build && popd"
```
Run from:
```powershell
backend
agents\rap-node-agent
```
Result:
- backend node-scoped `rendezvous_leases` contract and no unrelated leak: PASS
- scoped config rendezvous lease validation: PASS
- rendezvous-required intent resolved to relay_control with lease: PASS
- peer connection manager probes relay health and records `relay_ready`: PASS
- peer recovery planner maintains `relay_ready` peers in steady mode: PASS
- web-admin synthetic config visibility for rendezvous leases: PASS
- RDP/VPN/service payload behavior changed: no
Docker-test C17Z12 runtime smoke:
```powershell
.\scripts\fabric\c17z12-rendezvous-relay-smoke-ssh.ps1 -KeepRunning
```
Result from run `c17z12-20260428-142108`:
- backend API on `http://192.168.200.61:18120/api/v1`: PASS
- C17Z12 web-admin view on `http://192.168.200.61:5174/`: PASS
- C17Z12 containers left running on `docker-test`: PASS
- backend auto-derived `rendezvous_leases` for outbound-only node C via relay
node R: PASS
- entry node A resolved `waiting_rendezvous` to `relay_control`: PASS
- A -> C manager observation through relay was `reachable`: PASS
- A -> C connection state was `relay_ready`: PASS
- direct baseline synthetic route delivery: PASS
- production forwarding remained disabled: PASS
C17Z12 report:
- `artifacts/c17z12-rendezvous-relay-control-plane-contract-report.md`
Additional C17Z13 rendezvous lease telemetry verification:
```powershell
go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build && popd"
.\scripts\fabric\c17z12-rendezvous-relay-smoke-ssh.ps1 -KeepRunning
```
Run from:
```powershell
agents\rap-node-agent
backend
```
Result from docker-test run `c17z13-20260428-145133`:
- backend API on `http://192.168.200.61:18120/api/v1`: PASS
- web-admin on `http://192.168.200.61:5174/`: PASS
- entry node A heartbeat reports
`c17z13.mesh_rendezvous_lease_report.v1`: PASS
- entry node A reports `entry_observer_count=1` and
`relay_control_ready_count=1`: PASS
- relay node R reports `admitted_as_relay_count=1`: PASS
- outbound-only node C reports `admitted_as_peer_count=1`: PASS
- expired lease skip and active lease reselection test: PASS
- lease telemetry boundary flags keep payload forwarding disabled: PASS
- A -> C relay-control manager observation remains `reachable` and
`relay_ready`: PASS
C17Z13 report:
- `artifacts/c17z13-rendezvous-lease-telemetry-report.md`
Additional C17Z14 rendezvous lease refresh verification:
```powershell
go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build"
.\scripts\fabric\c17z12-rendezvous-relay-smoke-ssh.ps1 -KeepRunning
```
Run from:
```powershell
agents\rap-node-agent
backend
```
Result from docker-test run `c17z14-20260428-151435`:
- backend API on `http://192.168.200.61:18120/api/v1`: PASS
- web-admin on `http://192.168.200.61:5174/`: PASS
- entry node A heartbeat reports
`c17z14.mesh_rendezvous_lease_report.v1`: PASS
- entry node A reports `refresh_contract=node_scoped_synthetic_config_get`,
`refresh_needed_count=1`, and `refresh_success_count=2`: PASS
- relay node R reports `admitted_as_relay_count=2` and refresh success: PASS
- outbound-only node C reports `admitted_as_peer_count=2` and refresh
success: PASS
- stale relay withdrawal/reselection fields are present and zero in the
healthy smoke path: PASS
- refresh telemetry boundary flags keep payload forwarding disabled: PASS
- direct baseline synthetic route delivery: PASS
- A -> C relay-control manager observation remains `reachable` and
`relay_ready`: PASS
C17Z14 report:
- `artifacts/c17z14-rendezvous-lease-refresh-report.md`
Additional C17Z15 rendezvous relay replacement verification:
```powershell
go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build"
.\scripts\fabric\c17z12-rendezvous-relay-smoke-ssh.ps1 -KeepRunning
```
Run from:
```powershell
agents\rap-node-agent
backend
```
Result from docker-test run `c17z15-20260428-153917`:
- backend API on `http://192.168.200.61:18120/api/v1`: PASS
- web-admin on `http://192.168.200.61:5174/`: PASS
- backend synthetic config schema `c17z15.synthetic.v1`: PASS
- entry node A heartbeat reports
`c17z15.mesh_rendezvous_lease_report.v1`: PASS
- entry node A initially receives an explicit stale relay lease through old
relay R with bad relay endpoint `http://127.0.0.1:19210`: PASS
- Control Plane withdraws the stale old-relay lease and issues a replacement
`stale_relay_replacement` lease through alternate relay S: PASS
- replacement lease metadata includes
`relay_replacement_contract=stale_relay_feedback_policy` and
`replacement_for_stale_relay=true`: PASS
- relay S reports `admitted_as_relay_count=1`: PASS
- R or S reports `last_refresh_reason=stale_relay` and refresh success: PASS
- direct baseline synthetic route delivery remains available: PASS
- payload forwarding boundary flags keep RDP/VPN/service forwarding disabled:
PASS
C17Z15 report:
- `artifacts/c17z15-rendezvous-relay-replacement-report.md`
Additional C17Z16 route/path decision artifact verification:
```powershell
go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build"
.\scripts\fabric\c17z12-rendezvous-relay-smoke-ssh.ps1 -KeepRunning
```
Run from:
```powershell
agents\rap-node-agent
backend
```
Result from docker-test run `c17z16-20260428-160621`:
- backend API on `http://192.168.200.61:18120/api/v1`: PASS
- web-admin on `http://192.168.200.61:5174/`: PASS
- backend synthetic config schema `c17z16.synthetic.v1`: PASS
- entry node A heartbeat reports
`c17z16.mesh_rendezvous_lease_report.v1`: PASS
- entry node A heartbeat reports
`c17z16.mesh_route_path_decision_report.v1`: PASS
- Control Plane route/path decision removes stale relay R from effective hops
and selects alternate relay S as next hop for A -> C: PASS
- route/path decision report includes generation, score reasons,
`control_plane_only=true`, `route_path_forwarding_runtime=false`, and
`production_payload_forwarding=false`: PASS
- replacement lease through alternate relay S remains `relay_ready`: PASS
- direct baseline synthetic route delivery remains available: PASS
- payload forwarding boundary flags keep RDP/VPN/service forwarding disabled:
PASS
C17Z16 report:
- `artifacts/c17z16-route-path-decision-report.md`
Additional C17Z17 route generation tracker verification:
```powershell
go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build"
.\scripts\fabric\c17z12-rendezvous-relay-smoke-ssh.ps1 -KeepRunning
```
Run from:
```powershell
agents\rap-node-agent
backend
```
Result from docker-test run `c17z17-20260428-165118`:
- backend API on `http://192.168.200.61:18120/api/v1`: PASS
- web-admin on `http://192.168.200.61:5174/`: PASS
- backend synthetic config schema `c17z17.synthetic.v1`: PASS
- entry node A heartbeat reports
`c17z17.mesh_rendezvous_lease_report.v1`: PASS
- entry node A heartbeat reports
`c17z17.mesh_route_path_decision_report.v1`: PASS
- entry node A heartbeat reports
`c17z17.mesh_route_generation_report.v1`: PASS
- route generation tracker reports active decisions, applied decisions,
withdrawn decisions, total withdrawn count, and `generation_changed=true`:
PASS
- first-observed replacement records old relay path withdrawal as
`withdrawn_by_replacement`: PASS
- route generation boundary flags keep `control_plane_only=true`,
`route_path_forwarding_runtime=false`, `service_workload_traffic=false`, and
`production_payload_forwarding=false`: PASS
- replacement lease through alternate relay S remains `relay_ready`: PASS
- direct baseline synthetic route delivery remains available: PASS
- payload forwarding boundary flags keep RDP/VPN/service forwarding disabled:
PASS
C17Z17 report:
- `artifacts/c17z17-route-generation-tracker-report.md`
Additional C17Z18 route-health effective path verification:
```powershell
go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build"
.\scripts\fabric\c17z12-rendezvous-relay-smoke-ssh.ps1 -KeepRunning
```
Run from:
```powershell
backend
agents\rap-node-agent
```
Result from docker-test run `c17z18-20260428-174559`:
- backend API on `http://192.168.200.61:18120/api/v1`: PASS
- web-admin on `http://192.168.200.61:5174/`: PASS
- backend synthetic config schema `c17z18.synthetic.v1`: PASS
- entry node A heartbeat reports
`c17z18.mesh_rendezvous_lease_report.v1`: PASS
- entry node A heartbeat reports
`c17z18.mesh_route_path_decision_report.v1`: PASS
- entry node A heartbeat reports
`c17z18.mesh_route_generation_report.v1`: PASS
- entry node A heartbeat reports
`c17z18.mesh_route_health_config_report.v1`: PASS
- synthetic route-health runtime uses the replacement effective path
A -> alternate relay S -> outbound-only C: PASS
- route-health drift detection stays false for the selected effective path:
PASS
- backend latest mesh links preserve `synthetic_route_health` separately from
`peer_connection_manager`: PASS
- web-admin Fabric links show route-health observation type, selected relay,
and effective/observed path: PASS
- payload forwarding boundary flags keep RDP/VPN/service forwarding disabled:
PASS
C17Z18 report:
- `artifacts/c17z18-route-health-effective-path-report.md`
Additional C17Z19 route-health feedback scoring verification:
```powershell
go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build"
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\fabric\c17z19-route-health-feedback-smoke-ssh.ps1 -KeepRunning
```
Run from:
```powershell
backend
agents\rap-node-agent
web-admin
```
Result from docker-test run `c17z19-20260428-214427`:
- isolated backend API on `http://192.168.200.61:18122/api/v1`: PASS
- fresh migration replay through `000022_synthetic_mesh_service_class`: PASS
- `synthetic` mesh route intent service class accepted by PostgreSQL: PASS
- initial fast-path relay selection prefers `node-s`: PASS
- injected synthetic route-health drift for selected relay `node-s` causes
stale relay replacement through `node-t`: PASS
- route path decision records `node-t` as selected relay and `node-s` as stale
relay: PASS
- healthy low-latency route-health for `node-t` keeps `node-t` selected with
`route_health_reachable`, `route_health_no_drift`,
`route_health_quality`, and `route_health_latency` score reasons: PASS
- signed synthetic config is still required and present: PASS
- payload forwarding boundary flags keep RDP/VPN/service forwarding disabled:
PASS
C17Z19 report:
- `artifacts/c17z19-route-health-feedback-report.md`
- `artifacts/c17z19-route-health-feedback-smoke-result.json`
Additional C17Z20 route-health feedback refresh verification:
```powershell
go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build"
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\fabric\c17z12-rendezvous-relay-smoke-ssh.ps1 -KeepRunning
```
Run from:
```powershell
backend
agents\rap-node-agent
web-admin
```
Result from docker-test run `c17z18-20260428-221601`:
- multi-agent backend API on `http://192.168.200.61:18120/api/v1`: PASS
- backend/node-agent images rebuilt on docker-test: PASS
- node A reports `c17z20.mesh_route_health_config_report.v1`: PASS
- node A reports
`c17z20.mesh_route_health_feedback_refresh_report.v1`: PASS
- route-health failure triggers immediate config refresh before normal
periodic interval: PASS
- heartbeat reports feedback refresh attempts/successes/failures/suppressed:
PASS
- replacement route-health effective path through alternate relay remains
active: PASS
- payload forwarding boundary flags keep RDP/VPN/service forwarding disabled:
PASS
C17Z20 report:
- `artifacts/c17z20-route-health-feedback-refresh-report.md`
Dev cluster enrollment/bootstrap lifecycle verification:
```powershell
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\fabric\dev-cluster-enrollment-bootstrap-smoke-ssh.ps1 -KeepRunning
```
Result from docker-test run `dev-bootstrap-20260428-201430`:
- isolated backend API on `http://192.168.200.61:18121/api/v1`: PASS
- fresh migration replay through `000021_cluster_authority_keys`: PASS
- first-owner dev bootstrap through `/installation/bootstrap-owner`: PASS
- signed join token, real node-agent enrollment, pending join request, and
platform-owner approval: PASS
- node-agent automatic bootstrap polling verified signed approval and
persisted cluster authority pin: PASS
- node heartbeat after bootstrap: PASS
- signed `c17z18.synthetic.v1` Control Plane synthetic config verified and
loaded by node-agent: PASS
- workload supervision stub is disabled by default, so no repeated admin-only
desired-workload `403` loop is produced: PASS
- production/service payload forwarding remains disabled: PASS
Dev enrollment/bootstrap report:
- `artifacts/dev-cluster-enrollment-bootstrap-smoke-report.md`
Commands run during P0 baseline freeze:
```powershell
go test ./...
dotnet build .\clients\windows\RemoteAccessPlatform.Windows.slnx
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-region-repair rdp-worker-graphics-adapter-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-region-repair rdp-worker-cursor-adapter-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-region-repair rdp-worker-service-adapter-protocol-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-region-repair rdp-worker-dataplane-bind-probe --scenario valid
```
Additional accepted P1 baseline verification:
```powershell
go test ./...
dotnet build .\clients\windows\RemoteAccessPlatform.Windows.slnx
docker -H ssh://docker-test build --tag rap-rdp-worker:rdp-p1-region-order2 --file workers/rdp-worker/Dockerfile workers/rdp-worker
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-p1-region-order2 rdp-worker-graphics-adapter-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-p1-region-order2 rdp-worker-cursor-adapter-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-p1-region-order2 rdp-worker-service-adapter-protocol-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-p1-region-order2 rdp-worker-dataplane-bind-probe --scenario valid
pwsh -ExecutionPolicy Bypass -File scripts\smoke\drive-visibility-smoke.ps1 -WorkerImage rap-rdp-worker:rdp-p1-region-order2 -OutputFrame artifacts\stage5-drive-visibility-frame-p1-rerun.bmp
```
Result:
- backend tests: PASS
- Windows build: PASS, 0 warnings, 0 errors
- worker probes: PASS
- P1 worker image build: PASS
- P1 smoke-worker deployment: PASS, `worker:registration:rdp-worker-1`
reports `status=online`
- P1 manual visual smoke: PASS, idle Task Manager updates, Start menu/hover,
mouse, keyboard, and session close work; window drag is usable with old-client
style frame-only movement and non-perfect release repaint
- Stage 5.1.1 restricted drive visibility smoke: PASS, remote Notepad opened
`stage5-upload-text.txt` from the redirected `RAP_Transfers` drive
Additional P3 security-readiness verification:
```powershell
go test ./...
docker -H ssh://docker-test build --tag rap-rdp-worker:p3-security-probes --file workers/rdp-worker/Dockerfile workers/rdp-worker
$scenarios = @('valid','starting','wrong-worker','wrong-attachment','wrong-user','wrong-organization','wrong-resource','channels-too-broad','failed-state','terminated-state')
foreach ($scenario in $scenarios) {
docker -H ssh://docker-test run --rm rap-rdp-worker:p3-security-probes rdp-worker-dataplane-bind-probe --scenario $scenario
}
```
Result:
- backend tests: PASS, including production secret-readiness guard tests
- sessionbroker data-plane policy test: PASS
- worker P3 probe image build: PASS
- direct bind denial probes: PASS for valid/starting/wrong-worker/
wrong-attachment/wrong-user/wrong-organization/wrong-resource/
channels-too-broad/failed-state/terminated-state
Additional P3.1 secret resolver verification:
```powershell
go test ./...
```
Result:
- encrypted secret AES-256-GCM round trip: PASS
- wrong AAD decrypt rejection: PASS
- assignment-time resolved secret merge: PASS
- session metadata plaintext mutation prevention: PASS
- production missing resolver denial: PASS
- development metadata fallback compatibility: PASS
Additional P3.2 direct worker TLS/PKI guard verification:
```powershell
go test ./...
dotnet build clients\windows\RemoteAccessPlatform.Windows.slnx
```
Result:
- production backend omits smoke-only direct worker WSS candidates: PASS
- production-trusted direct candidate metadata: PASS
- Windows client build with production/smoke direct TLS guard: PASS
Additional P3.3 production secret/TLS test-stand smoke:
```powershell
docker -H ssh://docker-test build --tag rap-backend-smoke:p3-3 --file - backend
Get-Content -Raw backend\migrations\000009_resource_secrets.up.sql |
docker -H ssh://docker-test exec -i rap_postgres psql -U rap_user -d remote_access_platform -v ON_ERROR_STOP=1 -f -
pwsh -ExecutionPolicy Bypass -File scripts\smoke\drive-visibility-smoke.ps1 `
-WorkerImage rap-rdp-worker:rdp-p1-region-order2 `
-ResourceName "P3.3 Secret RDP Resource" `
-OutputFrame artifacts\p3-3-secret-backed-drive-frame.bmp
```
Result:
- backend image `rap-backend-smoke:p3-3`: PASS
- backend production-like start with `SECRET_ENCRYPTION_KEY_FILE`: PASS
- secret-backed RDP resource through `PUT /api/v1/resources/{id}/secret`: PASS
- real RDP session through resolver-backed assignment: PASS
- resource/session metadata plaintext credential checks: PASS
- audit plaintext credential checks: PASS
- production backend omits smoke-only direct worker WSS candidate: PASS
- development/smoke backend advertises explicit smoke-only direct worker WSS
candidate: PASS
- backend gateway fallback smoke with rendering/input/clipboard/file upload:
PASS
- secret-backed detach/reattach/takeover API lifecycle regression: PASS
Additional P3.4 production direct-worker WSS trust design/prep:
- production worker WSS certificate model: documented
- platform CA vs public CA recommendation: documented
- worker certificate SAN and identity binding rules: documented
- app-local Windows client trust approach: documented
- rotation/revocation/fallback behavior: documented
- future `platform_ca` smoke plan: documented
- runtime behavior changed: no
Additional P3.5 app-local platform CA trust smoke:
```powershell
dotnet build clients/windows/src/RemoteAccessPlatform.Windows.App/RemoteAccessPlatform.Windows.App.csproj
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts/smoke/prepare-platform-ca-direct-worker.ps1 `
-DockerSshAlias docker-test `
-LocalCaOutputPath artifacts/p3-5-platform-ca.crt `
-WorkerHost 192.168.200.61 `
-WorkerId rdp-worker-1 `
-ClusterId default
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts/windows-smoke/desktop-smoke.ps1 `
-DefaultResourceName "P3.3 Secret RDP Resource" `
-PreferDirectDataPlane:$true `
-AllowInsecureDirectDataPlaneTlsForSmoke:$false `
-DirectDataPlaneConnectTimeoutMs 2500 `
-DirectDataPlaneColorMode full_color `
-DirectDataPlanePlatformCaBundle "\\192.168.220.200\mst\codex\rdp-proxy\artifacts\p3-5-platform-ca.crt" `
-BackendEnvironment production `
-SkipOrgSwitchAndTokenRefresh `
-DockerSshAlias docker-test
```
Result:
- Windows client app-local platform CA bundle support: PASS
- worker WSS test cert with IP SAN and URI SAN: PASS
- backend `platform_ca` candidate metadata: PASS
- production client direct worker WSS selected without insecure TLS bypass:
PASS
- direct binary render over trusted WSS: PASS
- input/lifecycle smoke over trusted WSS: PASS
- unknown CA rejected and backend gateway fallback activated: PASS
- `smoke_insecure` production case used backend gateway fallback: PASS
- backend gateway fallback remained usable: PASS
P3.5 runtime report:
- `artifacts/p3-5-app-local-platform-ca-smoke-report.md`
New P3.6 hardening finding:
- stale Redis live/worker events after backend restart can crash the backend
with `invalid session state transition: terminated -> active`
- Redis was safely cleared for the test stand because PostgreSQL is the source
of truth
- next step should make stale worker events idempotent, not add product
features
P3.6 stale worker event / restart idempotency hardening:
```powershell
go test ./...
docker -H ssh://docker-test build --tag rap-backend-smoke:p3-6 --file - backend
```
Runtime smoke:
- start real secret-backed RDP session
- wait for PostgreSQL state `active`
- terminate session
- stop backend
- push stale `session_connected` to Redis `worker:events`
- restart backend
- verify backend stays up
- verify PostgreSQL state remains `terminated`
- verify new normal RDP session still reaches `active`
Result:
- stale `session_connected` for terminal session ignored: PASS
- stale render telemetry for terminal session does not recreate live state:
PASS
- backend restart survives stale Redis worker event: PASS
- terminal PostgreSQL session is not reopened: PASS
- normal new RDP session after restart: PASS
P3.6 runtime report:
- `artifacts/p3-6-stale-worker-event-idempotency-report.md`
Stage 5.2 server-to-client file download design pass:
- safest v1 model selected: restricted `RAP_Transfers\ToClient` outbound
drop zone
- no Windows agent, SMB/WebDAV, remote filesystem browser, arbitrary path
download, or expanded drive mapping
- download remains policy-gated by `file_transfer_mode`
- direct worker WSS remains preferred; backend gateway remains fallback
- implementation prompt is documented for the next step
Design document:
- `docs/architecture/RDP_FILE_DOWNLOAD_STAGE_5_2.md`
Stage 5.2 server-to-client file download implementation:
```powershell
go test ./...
dotnet build clients/windows/src/RemoteAccessPlatform.Windows.App/RemoteAccessPlatform.Windows.App.csproj
docker -H ssh://docker-test build --tag rap-rdp-worker:stage5-2-download --file workers/rdp-worker/Dockerfile workers/rdp-worker
docker -H ssh://docker-test run --rm rap-rdp-worker:stage5-2-download rdp-worker-graphics-adapter-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:stage5-2-download rdp-worker-cursor-adapter-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:stage5-2-download rdp-worker-service-adapter-protocol-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:stage5-2-download rdp-worker-dataplane-bind-probe --scenario valid
docker -H ssh://docker-test build --tag rap-backend-smoke:stage5-2-download --file - backend
```
Result:
- backend tests: PASS
- Windows build: PASS, 0 warnings, 0 errors
- worker image build: PASS
- worker probes: PASS
- backend smoke image build: PASS
- live runtime proof: pending
Build report:
- `artifacts/stage5-2-file-download-build-report.md`
Stage 5.2 server-to-client file download runtime proof, core data path:
```powershell
docker -H ssh://docker-test build --tag rap-rdp-worker:stage5-2-download-direct-block --file workers/rdp-worker/Dockerfile workers/rdp-worker
docker -H ssh://docker-test tag rap-rdp-worker:stage5-2-download-direct-block rap-rdp-worker:stage5-2-download
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\smoke\file-download-smoke.ps1 -AllowMode server_to_client -Transport direct_worker_wss -OutputDirectory artifacts/stage5-2-download-smoke-direct-fixed2
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\smoke\file-download-smoke.ps1 -AllowMode bidirectional -Transport direct_worker_wss -OutputDirectory artifacts/stage5-2-download-smoke-direct-bidirectional
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\smoke\file-download-smoke.ps1 -AllowMode client_to_server -Transport direct_worker_wss -ExpectBlocked -OutputDirectory artifacts/stage5-2-download-smoke-direct-client-to-server-block-fixed
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\smoke\file-download-smoke.ps1 -AllowMode disabled -Transport direct_worker_wss -ExpectBlocked -OutputDirectory artifacts/stage5-2-download-smoke-direct-disabled-fixed
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\smoke\file-download-smoke.ps1 -AllowMode server_to_client -Transport backend_gateway -OutputDirectory artifacts/stage5-2-download-smoke-backend-regression-after-direct-block
```
Result:
- direct worker WSS `server_to_client`: PASS, text and binary size/hash match
- direct worker WSS `bidirectional`: PASS, text and binary size match
- direct worker WSS `client_to_server`: PASS, download blocked with
`access denied`
- direct worker WSS `disabled`: PASS, download blocked with `access denied`
- backend gateway fallback `server_to_client`: PASS, text and binary size/hash
match
- direct WSS smoke harness bug fixed: PowerShell TLS callback now uses a static
.NET delegate and URL query construction now uses `?` correctly
- direct WSS policy feedback bug fixed: disallowed file download now returns
`file_download.blocked` instead of silently dropping the request
Stage 5.2 server-to-client file download lifecycle proof:
```powershell
docker -H ssh://docker-test build --tag rap-rdp-worker:stage5-2-download --file workers/rdp-worker/Dockerfile workers/rdp-worker
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\smoke\file-download-smoke.ps1 -AllowMode server_to_client -Transport direct_worker_wss -LifecycleScenario detach -OutputDirectory artifacts/stage5-2-download-lifecycle-detach-fixed
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\smoke\file-download-smoke.ps1 -AllowMode server_to_client -Transport direct_worker_wss -LifecycleScenario takeover_old_controller -OutputDirectory artifacts/stage5-2-download-lifecycle-takeover-fixed
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\smoke\file-download-smoke.ps1 -AllowMode server_to_client -Transport direct_worker_wss -LifecycleScenario worker_failure -OutputDirectory artifacts/stage5-2-download-lifecycle-worker-failure
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\smoke\file-download-smoke.ps1 -AllowMode server_to_client -Transport direct_worker_wss -OutputDirectory artifacts/stage5-2-download-smoke-direct-after-lifecycle-fix
```
Result:
- detach: PASS, PostgreSQL state `detached`, outcome `file_download.blocked`,
reason `session is not active`
- old-client takeover: PASS, stale attachment receives `session.taken_over`
and cannot continue download
- worker failure: PASS, PostgreSQL state `failed`, audit `session_failed`,
direct WebSocket closes and download cannot continue
- post-fix direct download regression: PASS, text and binary size match
- direct WSS stale attachment feedback bug fixed: stale attachment now receives
`session.taken_over` instead of observing silence
Runtime report:
- `artifacts/stage5-2-file-download-runtime-report.md`
Coverage warning:
- this is not a full live RDP smoke pass
- most confidence for RDP UX still comes from manual/live smoke history
- automated regression coverage must be expanded before production readiness
## Correct Next Step
C17Z20 is complete. Do not automatically continue into VPN runtime, RDP work, or
service workload traffic.
The next step must be chosen as a new explicit staged prompt. Until then, keep
the proven C17A-C17Z20 mesh proof/gate/contract/observation/config/scoring/
visibility/fabric-control-forwarding/forwarding-observability/route-config
boundary/scoped-peer-directory/peer-cache-runtime/dynamic-endpoint-reporting
private/corporate endpoint candidate/peer-connection-state/recovery-planner
/connection-intent/connection-manager/rendezvous-lease-telemetry/lease-refresh
/relay-replacement-policy/route-path-decision/route-generation-tracker/
synthetic-route-health-effective-path/route-health-feedback-scoring/
route-health-feedback-refresh set preserved. Production forwarding remains
explicitly gate-controlled and limited to `fabric.control`; service payload
forwarding remains unavailable.
Do not start:
- RDP performance work
- Stage 5.2 RDP download UI proof
- production service mesh runtime traffic
- VPN/IP tunnel runtime implementation
- C18D VPN credential/config resolver work
- TUN/TAP, host route, or firewall manipulation
- general relay packet routing
- service workload traffic over mesh
- RDP/VNC/SSH/file/video traffic over mesh
- QUIC/WebRTC
- service workload execution
- backend/session lifecycle changes
- Windows client changes
RDP status:
- RDP is paused by product decision.
- RDP-Perf-6 is completed and smoke-proven.
- The C++ RDP Adapter remains the preserved runtime baseline for when RDP work
explicitly resumes.
- C10-C17 planning are completed as documentation/planning. C17A, C17B, C17C,
C17D, C17E, C17F, C17G, C17H, C17I, C17J, C17K, C17L, C17M, C17N, C17O, C17P, C17Q, C17R, C17S, C17T, C17U, C17V, C17W, C17X, C17Y, C17Z, C17Z1, C17Z2, C17Z3, C17Z4, C17Z5, C17Z6, C17Z7, C17Z8, C17Z9, C17Z10, C17Z11, C17Z12, C17Z13, C17Z14, C17Z15, C17Z16, C17Z17, C17Z18, C17Z19, and C17Z20 are implemented/proven
with synthetic traffic, explicit production-forwarding gate checks, envelope
contract validation, metadata-only observation, or bounded local observation
retention/wiring/metrics/local logging/capacity guard/fail-closed hardening
and payload/time-boundary validation only. C18 planning is completed as
documentation only. C18A
control-plane data model foundation is implemented and backend-test-proven.
C18B lease/fencing hardening is implemented and backend-test-proven. C18C
node-agent desired-state consumption/reporting is implemented and
backend-test-proven. C18 runtime is not authorized.
Reference in New Issue View Git Blame Copy Permalink