m/rdp-proxy

Fork 0

Files

T

m 8ba0561f4f Initial project snapshot

2026-04-28 22:29:50 +03:00

93 KiB

Raw Blame History

Current Implementation Status

Date: 2026-04-28

This is the current operational status for Codex continuation. It supersedes older prompt fragments that still describe platform-core v2, WebSocket takeover proof, or basic Windows client work as future tasks.

Project Identity

The project is a Secure Access Fabric platform.

Current implementation focus:

RDP work is paused by product decision
preserve RDP as the first proven service baseline
keep the C++ RDP Adapter as the active runtime when RDP work resumes
RDP-Perf-6 dirty-region direct binary rendering is completed and build/probe/live-smoke-proven
Product model clarified: Remote Server/Desktop Access is one managed product service. RDP/VNC/SSH are internal adapters selected by organization resource protocol, not separate organization-facing cluster services.
preserve the proven backend/session/worker lifecycle
preserve direct worker WSS and backend gateway fallback
Stage C10 Fabric Core documentation consolidation and scoped cluster configuration distribution design is completed.
Stage C11 signed scoped cluster snapshot model is completed.
Stage C12 node local state store is completed.
Stage C13 Fabric Storage / Config Storage service foundation is completed.
Stage C14 peer directory and cache model is completed.
Stage C15 Fabric Routing Engine skeleton is completed.
Stage C16 secure node-to-node channel lifecycle is completed.
Stage C17 planning is completed.
Stage C17A synthetic mesh runtime skeleton is implemented and test-proven.
Stage C17B route health and failover probe skeleton is implemented and test-proven.
Stage C17C relay semantic hardening skeleton is implemented and test-proven.
Stage C17D non-production synthetic test-service path experiment is implemented and test-proven.
Stage C17E live node-to-node synthetic HTTP transport skeleton is implemented, build-proven, and smoke-proven. It remains disabled by default and carries synthetic traffic only.
Stage C17F scoped synthetic peer/route config loading and route-health reporting is implemented, build-proven, and smoke-proven. It remains synthetic-only and does not enable production mesh traffic.
Stage C17G Control Plane scoped synthetic config read boundary is implemented and backend/node-agent-test-proven. It remains synthetic-only and does not enable production mesh traffic.
Stage C17H deployed multi-agent synthetic config smoke is implemented and runtime-proven on docker-test. Five running rap-node-agent containers consume backend-issued node-scoped synthetic config, direct and single-relay synthetic route-health observations return to the Control Plane, and production forwarding remains disabled.
Stage C17I production forwarding gate foundation is implemented and test-proven. rap-node-agent now has an explicit RAP_MESH_PRODUCTION_FORWARDING_ENABLED gate, but /mesh/v1/forward still does not forward production payloads without a later approved runtime stage.
Stage C17J production envelope contract is implemented and test-proven. /mesh/v1/forward validates route-bound production envelopes when the gate is enabled, accepts only fabric_control / fabric.control for this stage, rejects service channels, and still does not forward payloads.
Stage C17K production envelope observation is implemented and test-proven. Valid production envelopes can be observed locally as metadata-only records after validation; rejected envelopes are not observed, observation failure fails closed, and payloads are still not forwarded.
Stage C17L bounded production observation sink is implemented and test-proven. Accepted metadata-only production envelope observations can be retained locally with fixed capacity and oldest-entry drop behavior; payload bodies are not stored and payloads are still not forwarded.
Stage C17M production observation sink wiring is implemented and test-proven. rap-node-agent can wire the bounded local metadata-only sink when RAP_MESH_PRODUCTION_OBSERVATION_SINK_CAPACITY is explicitly greater than zero; the wiring is disabled by default, exposes no read API, stores no payload bodies, and payloads are still not forwarded.
Stage C17N production observation sink metrics are implemented and test-proven. Local sink metrics expose only capacity, current depth, accepted total, and dropped-oldest total; they expose no observation records, route IDs, message IDs, hashes, payload metadata, or payload bodies.
Stage C17O production observation sink local metrics logging is implemented and test-proven. rap-node-agent logs aggregate sink metrics locally when the sink is explicitly enabled; this adds no read API, no Control Plane reporting, no payload storage, and no forwarding.
Stage C17P production observation sink change-driven metrics logging is implemented and test-proven. rap-node-agent suppresses repeated identical local sink metrics logs; this adds no read API, no Control Plane reporting, no payload storage, and no forwarding.
Stage C17Q production forwarding gate/runtime log boundary is implemented and test-proven. rap-node-agent logs production forwarding gate state separately from production forwarding runtime state; runtime state remains false and forwarding remains unavailable.
Stage C17R production observation sink capacity guard is implemented and test-proven. RAP_MESH_PRODUCTION_OBSERVATION_SINK_CAPACITY remains disabled by default, rejects negative values, and rejects values above 10000.
Stage C17S production observation panic fail-closed hardening is implemented and test-proven. Observer errors and observer panics both fail closed as observation failure; forwarding remains unavailable.
Stage C17T production envelope payload boundary is implemented and test-proven. Validated production fabric.control envelope payloads are bounded to 4096 bytes, and oversized envelopes are rejected before observation.
Stage C17U production envelope created-at skew boundary is implemented and test-proven. Validated production fabric.control envelopes whose created_at is more than one minute in the future are rejected before observation.
Stage C17V peer endpoint candidate model and NAT/connectivity hints are implemented and test-proven. Node-scoped synthetic mesh config now carries route-scoped endpoint candidates with transport, address, reachability, NAT type, connectivity mode, priority, policy tags, verification time, and metadata. This does not implement production route scoring, NAT traversal, shortcut routing, or forwarding runtime.
Stage C17W peer endpoint candidate scoring model is implemented and test-proven. rap-node-agent can deterministically rank already-scoped endpoint candidates using soft inputs, but this does not open connections, choose production routes, or forward payloads.
Stage C17X health-aware endpoint candidate scoring overlay is implemented and test-proven. Candidate scoring can optionally use local health observations keyed by endpoint_id, including latency, success/failure history, recent failure reason, reliability score, and observation freshness. This remains advisory scoring only.
Stage C17Y Platform Owner synthetic mesh visibility is implemented and build/test-proven. web-admin now reads node-scoped synthetic mesh config and shows config enabled state, route counts, peer endpoints, endpoint candidates, C17X advisory scoring boundary, and production_forwarding. This remains platform-owner visibility only and does not enable production forwarding.
Stage C17Z production fabric-control direct forwarding boundary is implemented and test-proven. /mesh/v1/forward no longer always returns unavailable after validation: when the explicit production gate is enabled, it can deliver valid route-bound fabric.control envelopes at the local destination or forward them to a direct next hop from explicit peer endpoint config. Service channels, arbitrary relay forwarding, multi-hop production route execution, and RDP/VPN/file/video/service workload traffic remain out of scope.
Stage C17Z1 production fabric-control multi-hop route-path boundary is implemented and test-proven. Production fabric.control envelopes can carry route_path and visited_node_ids; relay nodes validate path position, forward only to the next path node, update TTL/hop/visited metadata, and reject loops. Service payloads remain unavailable.
Stage C17Z2 production fabric-control forwarding observability boundary is implemented and test-proven. Node-agent now emits local mesh_production_forward_event logs for accepted, forwarded, delivered, and rejected production fabric.control envelopes. Logs are metadata-only and include no payload bodies, no read API, and no Control Plane reporting.
Stage C17Z3 production fabric-control route-config boundary is implemented and test-proven. When scoped/control-plane mesh routes are available locally, production fabric.control envelopes must match configured route_id, cluster, source, destination, route path, next hop, allowed channel, expiry, max TTL, and max hop count before forwarding. Service payloads remain unavailable.
Stage C17Z4 scoped peer directory and recovery seeds boundary is implemented and test/build-proven. Node-scoped mesh config now carries scoped peer_directory and explicit bounded recovery_seeds; node-agent parses and validates them, and Platform Owner Control Panel shows peer-directory/recovery seed counts. This does not implement connection management, NAT traversal, dynamic endpoint reporting, or service traffic.
Stage C17Z5 node-agent peer cache runtime boundary is implemented and test-proven. Node-agent now builds a node-local PeerCache from scoped peer directory, recovery seeds, endpoints, endpoint candidates, and routes; selects a bounded warm peer set; probes warm peers through /mesh/v1/health when synthetic mesh testing is enabled; and reports metadata-only mesh-link observations. This does not implement a persistent connection manager, NAT traversal, dynamic endpoint reporting, or service payload forwarding.
Stage C17Z6 dynamic endpoint reporting boundary is implemented and test-proven. Node-agent can report an explicit advertised mesh endpoint in heartbeat metadata, and Control Plane projects latest reported peer endpoints and candidates into node-scoped synthetic mesh config. This does not implement automatic public IP discovery, STUN/TURN/ICE NAT classification, persistent connection management, or service payload forwarding.
Stage C17Z7 private/corporate endpoint candidate boundary is implemented and test-proven. Node-agent can report multiple advertised endpoint candidates, including private/corporate LAN candidates; scoring rewards private-lan, corp-lan, and same-site; and peer cache can select the best candidate address for warm-peer health. This does not implement automatic subnet discovery, persistent connection management, or service payload forwarding.
Stage C17Z8 peer connection state machine boundary is implemented and test-proven. Node-agent now tracks warm-peer connection states (disconnected, connecting, ready, degraded, backoff), transitions on warm-peer health probes, applies bounded backoff after repeated failures, and reports metadata-only connection state in mesh-link observations. This does not implement persistent data-plane sockets or service payload forwarding.
Stage C17Z9 peer recovery planner boundary is implemented and test-proven. Node-agent now plans a bounded stable ready-peer set, enters recovery mode when ready peers fall below target, selects bounded recovery probe candidates from warm peers, recovery seeds, and other connectable scoped peers, and reports metadata-only recovery state in heartbeat and mesh-link observations. This does not implement persistent data-plane sockets, NAT traversal, relay/rendezvous runtime, or service payload forwarding.
Stage C17Z10 peer connection intent planner boundary is implemented and test-proven. Node-agent now classifies bounded peer work as maintain/probe/ recover and classifies transport readiness as direct, private LAN, corporate LAN, outbound-only, or relay-required, with rendezvous-required metadata in heartbeat and mesh-link observations. This does not implement persistent data-plane sockets, STUN/TURN/ICE, NAT traversal, relay/rendezvous runtime, or service payload forwarding.
Stage C17Z11 peer connection manager runtime boundary is implemented and test-proven. Node-agent now uses a reusable HTTP keep-alive client to perform real control-plane health probes for direct/private/corporate peers selected by connection intents, updates shared peer connection state, records waiting_rendezvous for outbound-only/relay-required peers, and reports metadata-only manager cycle state. This does not implement STUN/TURN/ICE, relay/rendezvous runtime, route leases, VPN runtime, or service payload forwarding.
Stage C17Z12 rendezvous/relay control-plane contract is implemented and docker-test-runtime-proven. Backend now issues node-scoped rendezvous_leases in synthetic mesh config, including explicit route-policy leases and derived leases for outbound-only or relay-required candidates when a route has a reachable HTTP relay control endpoint. Node-agent consumes those leases, resolves matching waiting_rendezvous intents into relay_control, probes relay /mesh/v1/health, records and maintains relay_ready for the peer control path, and reports manager metadata. This remains control-plane health only and does not enable RDP/VPN/service payload forwarding, arbitrary relay packet forwarding, STUN/TURN/ICE, or host network changes.
Stage C17Z13 rendezvous lease telemetry is implemented and docker-test-runtime-proven. Node-agent heartbeat now emits mesh_rendezvous_lease_report with schema c17z13.mesh_rendezvous_lease_report.v1, local role (relay, peer, or entry_or_observer), relay admission, peer admission, TTL/renewal posture, relay_ready, and explicit no-payload boundary flags. Web-admin recent heartbeat tables show rv leases. This remains control-plane telemetry only and does not enable RDP/VPN/service payload forwarding, arbitrary relay packet forwarding, STUN/TURN/ICE, or host network changes.
Stage C17Z14 rendezvous lease refresh contract is implemented and docker-test-runtime-proven. Node-agent refreshes renewal-needed, expired, invalid, or stale relay leases through the existing node-scoped synthetic config endpoint, reloads peer cache/leases/routes into the running synthetic mesh runtime, and reports c17z14.mesh_rendezvous_lease_report.v1 with refresh counters plus stale relay withdrawal/reselection telemetry. This remains control-plane health only and does not enable RDP/VPN/service payload forwarding, arbitrary relay packet forwarding, STUN/TURN/ICE, or host network changes.
Stage C17Z15 backend relay replacement policy is implemented and docker-test-runtime-proven. Backend reads recent mesh_rendezvous_lease_report stale-relay feedback, withdraws stale explicit rendezvous leases from node-scoped synthetic config, scores alternate relay candidates using route adjacency, endpoint priority, policy tags, and recent mesh-link health, and returns a replacement lease plus rendezvous_relay_policy decisions in c17z15.synthetic.v1. Node-agent reports c17z15.mesh_rendezvous_lease_report.v1, advertises the relay replacement contract capability, and keeps stale state bound to the exact lease/relay instead of smearing it across alternate leases for the same peer. This remains control-plane health only and does not enable RDP/VPN/service payload forwarding, arbitrary relay packet forwarding, STUN/TURN/ICE, or host network changes.
Stage C17Z16 route/path decision artifact is implemented and docker-test-runtime-proven. Backend synthetic config now uses c17z16.synthetic.v1 and includes route_path_decisions with original hops, effective hops, local previous/next hop, selected replacement relay, generation, score reasons, and explicit control-plane/no-payload flags. Node-agent stores the control-plane route generation and reports c17z16.mesh_route_path_decision_report.v1 alongside c17z16.mesh_rendezvous_lease_report.v1. This remains route metadata only and does not enable RDP/VPN/service payload forwarding, arbitrary relay packet forwarding, STUN/TURN/ICE, or host network changes.
Stage C17Z17 node-side route generation tracker is implemented and docker-test-runtime-proven. Backend synthetic config now uses c17z17.synthetic.v1; node-agent tracks Control Plane route_path_decisions apply/unchanged/withdraw transitions and reports c17z17.mesh_route_generation_report.v1 alongside c17z17.mesh_route_path_decision_report.v1 and c17z17.mesh_rendezvous_lease_report.v1. A first-observed stale_relay_replacement still emits a withdrawn_by_replacement record for the old stale relay path. This remains route metadata/control-plane health only and does not enable RDP/VPN/service payload forwarding, arbitrary relay packet forwarding, STUN/TURN/ICE, or host network changes.
Stage C17Z18 synthetic route-health effective path runtime is implemented and docker-test-runtime-proven. Backend synthetic config now uses c17z18.synthetic.v1; node-agent refreshes Control Plane route decisions into a separate route-health route config, probes the selected effective path through the replacement relay, and reports c17z18.mesh_route_health_config_report.v1 plus route-health observations with expected/observed hops and drift state. Backend latest mesh links now preserve synthetic_route_health separately from peer connection-manager observations, and web-admin shows route-health rows. This remains synthetic route-health/control-plane only and does not enable RDP/VPN/service payload forwarding, arbitrary relay packet forwarding, STUN/TURN/ICE, or host network changes.
Stage C17Z19 synthetic route-health feedback scoring is implemented and docker-test-runtime-proven. Backend now consumes recent synthetic_route_health observations in the relay scoring loop: drift, unreachable status, or failure metadata can mark the exact selected relay stale and trigger replacement, while healthy low-latency route-health boosts alternate relay scoring. Node-agent route-health observations include rendezvous peer/lease metadata, migration 000022 adds the synthetic mesh service class, and web-admin marks relay policy rh feedback. This remains synthetic/control-plane only and does not enable RDP/VPN/service payload forwarding, arbitrary relay packet forwarding, STUN/TURN/ICE, or host network changes.
Stage C17Z20 node-side route-health feedback refresh is implemented and docker-test-runtime-proven. After node-agent reports synthetic route-health drift, unreachable status, or failure metadata, it schedules a bounded node-scoped synthetic-config refresh, applies returned replacement route decisions to route-health config immediately, and reports c17z20.mesh_route_health_feedback_refresh_report.v1 with attempt, success, failure, and suppressed-repeat counters. Web-admin route-health heartbeat summary now shows feedback refresh counters. This remains synthetic/control-plane only and does not enable RDP/VPN/service payload forwarding, arbitrary relay packet forwarding, STUN/TURN/ICE, or host network changes.
Installation Authority foundation is implemented and backend/web-build verified. Production config now requires INSTALLATION_AUTHORITY_MODE=strict with a Product Root Ed25519 public key. First-owner bootstrap accepts signed activation manifests, stores installation authority and signed platform_role_grants, and strict platform-admin checks ignore direct PostgreSQL users.platform_role edits unless a valid grant exists. Web-admin shows installation status and first-owner bootstrap; dev/legacy SQL seed compatibility remains explicit and gated by INSTALLATION_INSECURE_BOOTSTRAP_ENABLED.
Cluster Authority foundation is implemented and backend/agent/web-build plus docker-test lifecycle-smoke verified. Clusters now have Ed25519 authority keys, join-token scope material is signed, node approval/bootstrap material is signed, and Control Plane synthetic mesh config snapshots include a signed hash envelope with authority_required=true. Cluster authority private keys are encrypted at rest when SECRET_ENCRYPTION_KEY_B64/file is configured. rap-node-agent verifies signed Control Plane synthetic config and supports pinned authority public key/fingerprint through env or identity state. Web-admin shows cluster authority fingerprints in summaries, join-token output, approval rows, and synthetic config visibility. The docker-test run dev-bootstrap-20260428-201430 proved fresh dev cluster creation, signed join token, real node-agent enrollment, platform-owner approval, automatic signed bootstrap polling, authority pin persistence, heartbeat, and signed synthetic-config verification. This is a control-plane trust contract only; it does not enable RDP/VPN/service payload forwarding or production relay packet forwarding.
Node enrollment bootstrap polling is implemented and backend/agent-test plus docker-test lifecycle-smoke verified. After enrollment, rap-node-agent stores pending_join_request_id, polls /node-agents/enrollments/{requestID}/bootstrap, verifies the signed approval/bootstrap contract, and persists the approved node_id, identity_status, and cluster authority pin into identity.json. Polling is controlled by RAP_ENROLLMENT_POLL_INTERVAL_SECONDS and RAP_ENROLLMENT_POLL_TIMEOUT_SECONDS.
Migration 000021_cluster_authority_keys was hardened after the fresh docker-test replay found that PostgreSQL cannot change the cluster_admin_summaries view layout through CREATE OR REPLACE VIEW; the migration now drops and recreates the view in both up/down paths.
rap-node-agent desired-workload polling/status reporting is now gated by RAP_WORKLOAD_SUPERVISION_ENABLED=false by default, avoiding repeated admin-only workload-status 403 logs while service runtime supervision is still a stub.
Stage C18 VPN/IP tunnel service target design is completed as documentation/planning only.
Stage C18A VPN/IP tunnel control-plane data model foundation is implemented and backend-test-proven.
Stage C18B VPN/IP tunnel lease/fencing hardening is implemented and backend-test-proven.
Stage C18C VPN/IP tunnel node-agent desired-state consumption/reporting is implemented and backend-test-proven.
Version Storage / Update Repository is documented as a future Fabric Core service for signed releases, OS/arch artifacts, stable/current/candidate channels, update-cache mirroring, node-agent update supervision, rollback, and explicit data-structure migration bundles. Runtime updater behavior is not implemented.
Web Ingress and Admin UI ownership model is documented: docs/architecture/WEB_INGRESS_AND_ADMIN_UI_MODEL.md.
Admin endpoint placement decision is documented: storage/config-storage nodes do not automatically become cluster panels; Platform Owner Console remains global, Cluster Admin Endpoint requires explicit admin/web ingress role assignment, and Organization Admin Panel remains tenant-safe.
Platform Owner Control Panel is implemented in web-admin and build-verified. Report: artifacts/web-admin-platform-owner-control-panel-report.md.
Fabric service endpoint control-plane foundation is implemented: cluster-scoped fabric_entry_points and fabric_egress_pools are durable PostgreSQL objects for logical client ingress and logical egress zones. This is not production mesh routing yet.
Fabric endpoint node assignment is implemented for the Platform Owner Control Panel: entry points and egress pools can show and assign active cluster nodes through control-plane APIs. This remains placement intent only; it does not start mesh routing or service traffic.
Platform Owner Control Panel Fabric map now visualizes logical ingress, active cluster nodes, logical egress pools, endpoint-node placement intent, observed peer links, and node telemetry/service summaries in one cluster diagram. This remains a platform-owner topology view and must not be exposed to organization panels.
Platform Owner Control Panel Fabric page also shows current node-scoped synthetic mesh config/candidate/scoring/route-health feedback visibility after C17Z20.
Stage C17H deployed multi-agent synthetic config smoke on docker-test is complete; next mesh/Fabric work requires an explicit new staged prompt
prepare the Secure Access Fabric platform-core foundation: clusters, node enrollment, native node-agent identity, role assignment, platform admin console, scoped configuration distribution, node-local state, Fabric Storage/Config Storage, and future multi-cluster administration
Stage C1 backend cluster/node model foundation is implemented and verified.
Stage C2 node enrollment hardening is implemented and verified.
Stage C3 native rap-node-agent MVP scaffold is implemented and verified.
Stage C4 Platform Admin Console MVP is implemented and build-verified.
Stage C5 service workload supervision contract is implemented and verified.
Stage C6 mesh control-plane preparation is implemented and verified.
Stage C7 Mesh MVP skeleton is implemented and verified.
Stage C8 multi-cluster/partition hardening is implemented and verified.
Stage C9 organization admin foundation is implemented and verified.
Current focus: Fabric Core / mesh transport foundation. RDP remains paused. C17Z20 is complete and remains peer/rendezvous control-plane health management, stale-relay replacement policy, route/path decision metadata, and synthetic route-health effective-path feedback scoring/refresh only, not production service mesh traffic.

Not current scope:

Web/Admin UI implementation beyond documented ownership/model boundaries
production mesh runtime
VPN/IP tunnel runtime
multi-cluster runtime
node-agent updater runtime
production Version Storage / Update Repository runtime
automatic PostgreSQL migration execution by node-agent
SSH/VNC adapters
Linux/mobile clients
DP-3B adaptive quality expansion
RDP performance work, including RDP-Perf-7 or further RDP-Perf stages
Stage 5.2 remaining RDP desktop UI proof
organization admin UI implementation
production authentication/session hardening for Web Admin

Canonical Test Environment

Docker test host: 192.168.200.61
SSH alias: docker-test
Docker endpoint: ssh://docker-test
Backend API: http://192.168.200.61:8080/api/v1
Backend gateway: ws://192.168.200.61:8080/api/v1/gateway/ws
C17A required no active runtime deployment. It is implemented in rap-node-agent tests only, behind a disabled-by-default feature flag, and carries synthetic fabric.probe / fabric.probe_ack messages only.
C17B required no active runtime deployment. It is implemented in rap-node-agent tests only, behind the same disabled-by-default feature flag, and carries synthetic route health probes only.
C17C required no active runtime deployment. It is implemented in rap-node-agent tests only, behind the same disabled-by-default feature flag, and models synthetic relay queues/QoS only.
C17D required no active runtime deployment. It is implemented in rap-node-agent tests only, behind the same disabled-by-default feature flag, and carries only bounded synthetic.echo test-service payloads.
C17E adds a live node-to-node synthetic HTTP transport skeleton and smoke harness. It remains behind RAP_MESH_SYNTHETIC_RUNTIME_ENABLED=false by default and does not authorize production mesh, RDP, VPN, file, video, or service workload traffic.
C17F adds a scoped synthetic mesh config file boundary, prefers it over debug JSON, and reports synthetic route-health observations to the existing mesh links control-plane endpoint when testing flags allow synthetic links.
C17G adds backend /clusters/{clusterID}/nodes/{nodeID}/mesh/synthetic-config and node-agent consumption of that config when no local scoped config file is set.
C17H proves the C17G boundary in a deployed multi-agent docker-test smoke with synthetic traffic only.
C17I adds an explicit node-agent production forwarding gate while keeping production forwarding unavailable.
C17J adds route-bound production envelope validation on /mesh/v1/forward while keeping production forwarding unavailable.
C17K adds local metadata-only accepted-envelope observation while keeping production forwarding unavailable.
C17L adds a bounded local in-memory sink for accepted metadata-only observations while keeping production forwarding unavailable.
C17M adds disabled-by-default node-agent wiring for the bounded local metadata-only observation sink while keeping production forwarding unavailable.
C17N adds local metrics for the bounded observation sink while keeping production forwarding unavailable.
C17O adds local node-agent logging for bounded observation sink metrics while keeping production forwarding unavailable.
C17P adds change-driven suppression for unchanged local bounded observation sink metrics logs while keeping production forwarding unavailable.
C17Q adds explicit local log separation for production forwarding gate state versus runtime state while keeping production forwarding unavailable.
C17R adds a maximum capacity guard for the local production observation sink while keeping production forwarding unavailable.
C17S adds panic-safe fail-closed observation handling while keeping production forwarding unavailable.
C17T adds an explicit payload boundary for validated production fabric.control envelopes while keeping production forwarding unavailable.
C17U adds an explicit future-skew boundary for validated production fabric.control envelope created_at while keeping production forwarding unavailable.
C17V adds scoped peer endpoint candidates and NAT/connectivity hints to synthetic mesh config while keeping production forwarding unavailable.
C17W adds deterministic local scoring for scoped peer endpoint candidates while keeping production forwarding unavailable.
C17X adds an optional local health observation overlay for endpoint candidate scoring while keeping production forwarding unavailable.
C17Y updates the Platform Owner Control Panel with node-scoped synthetic mesh config visibility while keeping production forwarding unavailable.
C17Z adds gate-controlled production fabric.control local delivery and direct next-hop forwarding while keeping service channels unavailable.
C17Z1 adds route-path-bound production fabric.control multi-hop forwarding while keeping service channels unavailable.
C17Z2 adds local metadata-only production fabric.control forwarding event logs while keeping service channels unavailable.
C17Z3 binds production fabric.control forwarding to local route config when configured routes are available while keeping service channels unavailable.
C17Z4 adds scoped peer directory and bounded recovery seeds to node-scoped mesh config while keeping service channels unavailable.
C17Z5 adds node-local peer cache and warm-peer health probes while keeping service channels unavailable.
C17Z6 adds explicit advertised endpoint reporting and scoped config projection while keeping service channels unavailable.
C17Z7 adds multiple public/private/corporate endpoint candidates and same-site scoring while keeping service channels unavailable.
C17Z8 adds node-local warm-peer connection states and backoff while keeping service channels unavailable.
C17Z9 adds bounded node-local peer recovery planning while keeping service channels unavailable.
C17Z10 adds node-local peer connection intent and transport readiness metadata while keeping service channels unavailable.
C17Z11 adds a real node-local peer connection manager for control-plane health while keeping service channels unavailable.
C17Z12 adds node-scoped rendezvous/relay control-plane leases while keeping service channels unavailable.
C17Z13 adds rendezvous lease telemetry while keeping service channels unavailable.
C17Z14 adds node-scoped lease refresh/reload and stale relay telemetry while keeping service channels unavailable.
C17Z15 adds backend stale-relay replacement policy and alternate relay scoring while keeping service channels unavailable.
C17Z16 adds Control Plane route/path decision metadata while keeping service channels unavailable.
C17Z17 adds node-side route generation apply/withdraw metadata while keeping service channels unavailable.
C18 completed design/planning only and did not implement VPN/IP tunnel runtime. C18A completed control-plane data model foundation only. C18B completed lease/fencing control-plane hardening only. C18C completed node-agent desired-state consumption/reporting only. C18D, if accepted, must remain credential/config resolver boundary work and must not implement real VPN/IP tunnel runtime without a separate explicit prompt.
Latest RDP performance reference image: rap-rdp-worker:rdp-perf6-dirty-region
Stage 5.2 file-download runtime artifacts remain preserved for when RDP work resumes, but they are not the active next task.

Proven Baseline

Backend

Go backend builds and tests pass.
PostgreSQL is the source of truth.
Redis is live coordination/routing only.
Auth foundation exists.
Refresh rotation, auth sessions, devices, and trusted devices exist.
Multi-tenant organization foundation exists.
Resources and remote sessions are organization-scoped.
Platform-core v2 models exist.
Identity source foundation exists.
Node and node-agent control-plane foundation exists.
Session broker lifecycle is implemented.
Worker coordination and stale worker monitoring are implemented.
Structured localization-ready messaging exists.
Per-resource certificate_verification_mode = strict | ignore exists.
strict remains default.
Clipboard policy mode exists.
File transfer policy mode exists.
Data-plane token/candidate generation exists.
Production resource secret-readiness guard exists:
- APP_ENV=production rejects plaintext credential-like resource metadata.
- RDP/VNC/SSH resources require secret_ref in production.
- development and smoke paths may still use plaintext metadata explicitly.
Encrypted PostgreSQL-backed resource secret storage/resolver MVP exists:
- resource_secrets stores ciphertext, nonce, key id, algorithm, version, safe metadata, and payload_sha256.
- PUT /api/v1/resources/{resourceID}/secret creates/rotates a resource secret without returning plaintext.
- session assignment resolves secret_ref only after organization, resource, session, worker, and lease checks.
Production direct worker WSS TLS/PKI guard exists:
- backend direct candidates advertise tls_trust_mode, production_trusted, smoke_only, and optional tls_ca_ref metadata.
- production backend omits smoke-only direct candidates and keeps backend gateway fallback.
- Windows client skips untrusted/smoke-only direct candidates in production.

Worker / RDP Adapter

Worker Docker build is reproducible.
C++ worker is the active RDP runtime.
FreeRDP is behind the RDP Adapter boundary.
Worker registration, assignment consumption, heartbeat, leases, and worker events are implemented.
Real RDP connection works.
Detach/reattach/takeover/terminate/failure flows are proven.
Reattach/takeover do not recreate the remote RDP session.
Worker death/orphan active-session recovery is proven.
Direct worker WSS endpoint exists.
RS256 data-plane token validation exists.
Current attachment/controller binding is enforced.
Backend gateway fallback remains available.
Direct binary RAP2 render frames exist.
Region-first BGRA rendering is the current stable path.
Direct attach baseline full-frame repair exists.
Region-loss full-frame repair exists.
Ordered dirty-region delivery is accepted through SessionRuntime, worker direct WSS, Windows transport, and WPF presenter queues.
Cursor adapter boundary exists.
Text clipboard through FreeRDP cliprdr is accepted.
Client-to-server file upload to controlled worker storage is accepted.
Restricted transfer-drive visibility through FreeRDP RDPDR is runtime-proven: uploaded files are visible and openable inside the remote Windows session via RAP_Transfers.
Backend gateway fallback/debug frame state reconstructs a full framebuffer by patching accepted region updates into Redis live state, so fallback screenshots are not left with region-sized payloads after region-first rendering.

Windows Client

Windows WPF client builds.
Login, refresh, logout, organization selection, resource list, active sessions, and session window exist.
Direct worker WSS selection exists with automatic backend gateway fallback.
Binary direct render receive path exists.
Real remote desktop is visible.
Keyboard and mouse input are usable after RDP adapter hardening.
Session window lifecycle is stable enough for current smoke work.
Localization-ready resources and structured backend message resolution exist.
Text clipboard UI/path exists.
File upload UI/path exists.

Current Known Gaps

C1 cluster/node backend foundation is implemented. Remaining platform-core work continued through C2: production enrollment hardening and node-agent enrollment API. Runtime reports: artifacts/c1-cluster-node-foundation-report.md.
artifacts/c2-node-enrollment-hardening-report.md.
artifacts/c3-rap-node-agent-mvp-report.md.
artifacts/c4-platform-admin-console-report.md.
artifacts/c5-service-workload-supervision-contract-report.md.
artifacts/c6-mesh-control-plane-preparation-report.md.
artifacts/c7-mesh-mvp-skeleton-report.md.
artifacts/c8-multi-cluster-hardening-report.md.
artifacts/c9-organization-admin-foundation-report.md.
artifacts/c10-fabric-core-config-distribution-design-report.md.
artifacts/c11-signed-scoped-cluster-snapshot-model-report.md.
artifacts/c12-node-local-state-store-report.md.
artifacts/c13-fabric-storage-config-service-report.md.
artifacts/c14-peer-directory-cache-model-report.md.
artifacts/c15-fabric-routing-engine-skeleton-report.md.
artifacts/c16-secure-node-to-node-channel-lifecycle-report.md.
artifacts/c17-mesh-routing-runtime-implementation-plan-report.md.
artifacts/c17a-synthetic-mesh-runtime-skeleton-report.md.
artifacts/c17b-route-health-failover-probes-report.md.
artifacts/c17c-relay-semantic-hardening-report.md.
artifacts/c17d-non-production-test-service-path-report.md.
artifacts/c17e-live-node-to-node-synthetic-transport-report.md.
artifacts/c17f-scoped-synthetic-route-config-report.md.
artifacts/c17g-control-plane-scoped-synthetic-config-report.md.
artifacts/c17v-peer-endpoint-candidate-model-report.md.
artifacts/c17w-peer-endpoint-candidate-scoring-report.md.
artifacts/c17x-health-aware-endpoint-candidate-scoring-report.md.
artifacts/c17y-platform-owner-synthetic-mesh-visibility-report.md.
artifacts/c18-vpn-ip-tunnel-service-target-design-report.md.
artifacts/c18a-vpn-control-plane-data-model-report.md.
artifacts/c18b-vpn-lease-fencing-hardening-report.md.
artifacts/c18c-vpn-node-agent-desired-state-report.md.
RDP correctness baseline is accepted. Remaining visual/performance limitation: window drag behaves like older/slow-link RDP clients by showing a drag frame, and repaint after releasing a moved window is workable but not yet polished.
RDPGFX is gated and disabled by default because the current live target resets the connection when RDPGFX is advertised.
Encoded graphics/codecs/tiles are not production-accepted.
Server-to-client file download core data path is runtime-proven through both direct worker WSS and backend gateway fallback. Stage 5.2 lifecycle blocking is runtime-proven for detach, old-client takeover, and worker failure. Stage 5.2 still needs manual Windows-client UI proof before full runtime acceptance.
External KMS/Vault integration and master-key rotation are not implemented.
Worker production assignment currently receives resolved credentials through transient assignment metadata; a future resolver pull/token flow should reduce Redis control-queue exposure.
The current dev/smoke RDP proof path can still resolve credentials from resource metadata outside production.
Production direct-worker certificate issuance/rotation and platform CA distribution are not automated yet.
Backend test coverage is thin outside sessionbroker.
Windows client automated tests are missing.
Worker probes exist, but a full automated adapter conformance suite does not.
Several documents were updated during P0, but future work must keep them in sync after every accepted stage.

Current Verification Snapshot

Additional C17A synthetic mesh runtime skeleton verification:

go test ./...

Run from:

agents\rap-node-agent

Result:

direct synthetic fabric.probe / fabric.probe_ack: PASS
single-relay synthetic fabric.probe / fabric.probe_ack: PASS
feature flag / kill-switch disabled path: PASS
wrong cluster rejection: PASS
wrong node rejection: PASS
unauthorized channel rejection: PASS
expired route rejection: PASS
TTL exhaustion rejection: PASS
loop rejection: PASS
unavailable peer rejection: PASS
existing mesh health and production-forwarding-disabled behavior: PASS
RDP/runtime/data-plane behavior changed: no
production service traffic over mesh: no

Additional C17B route health and failover probe verification:

go test ./...

Run from:

agents\rap-node-agent

Result:

C17A direct/single-relay synthetic probes remain intact: PASS
route health fabric.route_health / fabric.route_health_ack: PASS
local route success observation: PASS
local route failure observation: PASS
preferred route failure with fallback route use: PASS
warm fallback route promotion metric/log boundary: PASS
route cache invalidation on policy version change: PASS
same-version route cache preservation: PASS
feature flag / kill-switch disabled path: PASS
RDP/runtime/data-plane behavior changed: no
production service traffic over mesh: no

Additional C17C relay semantic hardening verification:

go test ./...

Run from:

agents\rap-node-agent

Result:

C17A direct/single-relay synthetic probes remain intact: PASS
C17B route health/failover probes remain intact: PASS
synthetic relay envelope validation: PASS
QoS dequeue order fabric_control > route_control > telemetry: PASS
telemetry backpressure drops oldest stale telemetry only: PASS
reliable fabric/control queue full rejects instead of dropping: PASS
relay rejects wrong cluster, wrong node, unauthorized channel, unsupported message, TTL exhaustion, and loop: PASS
relay disabled / kill-switch path: PASS
relay queue depth metrics: PASS
RDP/runtime/data-plane behavior changed: no
production service traffic over mesh: no

Additional C17D non-production test-service path verification:

go test ./...

Run from:

agents\rap-node-agent

Result:

C17A direct/single-relay synthetic probes remain intact: PASS
C17B route health/failover probes remain intact: PASS
C17C relay validation/QoS/backpressure remains intact: PASS
direct synthetic.echo service-path test: PASS
single-relay synthetic.echo service-path test: PASS
forced fallback synthetic.echo service-path test: PASS
bounded payload max-size behavior: PASS
wrong organization rejected: PASS
unsupported service type rejected: PASS
oversized payload rejected: PASS
unauthorized channel rejected: PASS
missing request id rejected: PASS
runtime disabled / kill-switch path: PASS
RDP/runtime/data-plane behavior changed: no
production service traffic over mesh: no

Additional C17E live node-to-node synthetic transport verification:

go test ./...
go run ./cmd/mesh-live-smoke
go build -o bin/rap-node-agent.exe ./cmd/rap-node-agent
go build -o bin/mesh-live-smoke.exe ./cmd/mesh-live-smoke

Run from:

agents\rap-node-agent

Result:

live HTTP peer transport for synthetic envelopes: PASS
direct node-a -> node-b synthetic probe over HTTP endpoints: PASS
single-relay node-a -> node-r -> node-b synthetic probe over HTTP endpoints: PASS
bounded synthetic.echo test-service over relay HTTP path: PASS
disabled-by-default rap-node-agent synthetic mesh endpoint: PASS
production /mesh/v1/forward remains disabled: PASS
RDP/runtime/data-plane behavior changed: no
production service traffic over mesh: no

Additional C17F scoped synthetic route config verification:

go test ./...
go run ./cmd/mesh-live-smoke
go build -o bin/rap-node-agent.exe ./cmd/rap-node-agent
go build -o bin/mesh-live-smoke.exe ./cmd/mesh-live-smoke

Run from:

agents\rap-node-agent

Result:

scoped synthetic config file load: PASS
wrong cluster rejected: PASS
wrong node rejected: PASS
expired route rejected: PASS
scoped config preferred over debug JSON: PASS
synthetic route-health reporting boundary added: PASS
C17E live direct/relay smoke remains intact: PASS
production /mesh/v1/forward remains disabled: PASS
RDP/runtime/data-plane behavior changed: no
production service traffic over mesh: no

Additional C17G Control Plane scoped synthetic config verification:

go test ./...

Run from:

backend
agents\rap-node-agent

Result:

backend node-scoped synthetic config endpoint/service: PASS
disabled testing flag returns no routes and no peer endpoints: PASS
unrelated route intent does not leak to requesting node: PASS
production forwarding remains false in config: PASS
node-agent consumes Control Plane config when local scoped config file is not set: PASS
local RAP_MESH_SYNTHETIC_CONFIG remains preferred debug fallback: PASS
C17F live direct/relay smoke remains intact: PASS
RDP/runtime/data-plane behavior changed: no
production service traffic over mesh: no

Additional C17H deployed multi-agent synthetic config smoke verification:

powershell -NoProfile -ExecutionPolicy Bypass -File scripts\fabric\c17h-multi-agent-synthetic-smoke-ssh.ps1 -KeepRunning
go test ./...

Run from:

backend
agents\rap-node-agent

Result:

deployed backend on docker-test stayed ready at http://192.168.200.61:18080/api/v1: PASS
five running rap-node-agent containers loaded source=control_plane synthetic config: PASS
scoped config route counts: node-a=2, node-r=1, node-b=1, node-c=1, node-idle=0: PASS
direct route-health observation reported reachable to Control Plane: PASS
single-relay route-health observation reported reachable to Control Plane: PASS
Platform Owner cluster summary showed 5 nodes and 5 healthy nodes: PASS
all scoped configs kept production_forwarding=false: PASS
backend go test ./...: PASS
node-agent go test ./...: PASS
RDP/runtime/data-plane behavior changed: no
production service traffic over mesh: no

C17H runtime report:

artifacts/c17h-deployed-multi-agent-synthetic-config-smoke-report.md

Additional C17I production forwarding gate verification:

go test ./...

Run from:

agents\rap-node-agent
backend

Result:

RAP_MESH_PRODUCTION_FORWARDING_ENABLED config gate: PASS
/mesh/v1/forward remains disabled by default: PASS
explicit gate enabled still reports unavailable production runtime: PASS
backend tests: PASS
RDP/runtime/data-plane behavior changed: no
production service traffic over mesh: no

C17I report:

artifacts/c17i-production-forwarding-gate-report.md

Additional C17J production envelope contract verification:

go test ./...

Run from:

agents\rap-node-agent
backend

Result:

route-bound production envelope contract validation: PASS
invalid payload hash rejected: PASS
service channel rejected: PASS
gate-enabled /mesh/v1/forward still returns unavailable runtime after successful validation: PASS
backend tests: PASS
RDP/runtime/data-plane behavior changed: no
production service traffic over mesh: no

C17J report:

artifacts/c17j-production-envelope-contract-report.md

Additional C17K production envelope observation verification:

go test ./...

Run from:

agents\rap-node-agent
backend

Result:

valid production envelope triggers metadata-only observation: PASS
rejected production envelope does not trigger observation: PASS
observation failure fails closed: PASS
gate-enabled /mesh/v1/forward still returns unavailable runtime after validation/observation: PASS
backend tests: PASS
RDP/runtime/data-plane behavior changed: no
production service traffic over mesh: no

C17K report:

artifacts/c17k-production-envelope-observation-report.md

Additional C17L bounded production observation sink verification:

go test ./...

Run from:

agents\rap-node-agent

Result:

bounded metadata-only sink stores accepted observations: PASS
oldest observation is dropped when capacity is exceeded: PASS
payload hash/length metadata is preserved: PASS
payload body is not stored by the sink: PASS
gate-enabled /mesh/v1/forward still returns unavailable runtime after validation/observation/sink storage: PASS
RDP/runtime/data-plane behavior changed: no
production service traffic over mesh: no

C17L report:

artifacts/c17l-bounded-production-observation-sink-report.md

Additional C17M production observation sink wiring verification:

go test ./...

Run from:

agents\rap-node-agent

Result:

RAP_MESH_PRODUCTION_OBSERVATION_SINK_CAPACITY config loading: PASS
negative sink capacity rejected: PASS
observer wiring disabled by default: PASS
observer wiring created only when capacity is greater than zero: PASS
existing mesh/forwarding tests remain green: PASS
RDP/runtime/data-plane behavior changed: no
production service traffic over mesh: no

C17M report:

artifacts/c17m-production-observation-sink-wiring-report.md

Additional C17N production observation sink metrics verification:

go test ./...

Run from:

agents\rap-node-agent

Result:

empty sink metrics start at zero depth/accepted/dropped: PASS
bounded sink metrics track capacity/current depth: PASS
accepted observations increment accepted total: PASS
oldest-entry drop increments dropped total: PASS
existing mesh/forwarding tests remain green: PASS
RDP/runtime/data-plane behavior changed: no
production service traffic over mesh: no

C17N report:

artifacts/c17n-production-observation-sink-metrics-report.md

Additional C17O production observation sink local metrics log verification:

go test ./...

Run from:

agents\rap-node-agent

Result:

sink wiring remains disabled by default: PASS
enabled sink keeps configured capacity: PASS
nil mesh state metrics logging is safe: PASS
existing mesh/forwarding tests remain green: PASS
RDP/runtime/data-plane behavior changed: no
production service traffic over mesh: no

C17O report:

artifacts/c17o-production-observation-sink-local-metrics-log-report.md

Additional C17P production observation sink change-driven metrics log verification:

go test ./...

Run from:

agents\rap-node-agent

Result:

first metrics snapshot logs locally: PASS
unchanged metrics do not log again: PASS
changed metrics log again: PASS
metrics equality helper detects identical/different snapshots: PASS
existing mesh/forwarding tests remain green: PASS
RDP/runtime/data-plane behavior changed: no
production service traffic over mesh: no

C17P report:

artifacts/c17p-production-observation-sink-change-driven-metrics-log-report.md

Additional C17Q production forwarding gate/runtime log boundary verification:

go test ./...

Run from:

agents\rap-node-agent

Result:

production forwarding gate state is logged separately from runtime state: PASS
default gate/runtime log state remains false/false: PASS
gate-enabled log state remains true/false: PASS
existing mesh/forwarding tests remain green: PASS
RDP/runtime/data-plane behavior changed: no
production service traffic over mesh: no

C17Q report:

artifacts/c17q-production-forwarding-gate-runtime-log-boundary-report.md

Additional C17R production observation sink capacity guard verification:

go test ./...

Run from:

agents\rap-node-agent

Result:

normal sink capacity config still loads: PASS
negative sink capacity rejected: PASS
too-large sink capacity rejected: PASS
existing mesh/forwarding tests remain green: PASS
RDP/runtime/data-plane behavior changed: no
production service traffic over mesh: no

C17R report:

artifacts/c17r-production-observation-sink-capacity-guard-report.md

Additional C17S production observation panic fail-closed verification:

go test ./...

Run from:

agents\rap-node-agent

Result:

observer error fails closed: PASS
observer panic fails closed: PASS
nil observer is allowed: PASS
rejected envelopes are not observed: PASS
existing mesh/forwarding tests remain green: PASS
RDP/runtime/data-plane behavior changed: no
production service traffic over mesh: no

C17S report:

artifacts/c17s-production-observation-panic-fail-closed-report.md

Additional C17T production envelope payload boundary verification:

go test ./...

Run from:

agents\rap-node-agent

Result:

valid fabric-control envelope still passes validation/observation: PASS
oversized fabric-control envelope rejected: PASS
oversized rejected envelope does not call observer: PASS
invalid payload hash still rejected: PASS
service channel still rejected: PASS
existing mesh/forwarding tests remain green: PASS
RDP/runtime/data-plane behavior changed: no
production service traffic over mesh: no

C17T report:

artifacts/c17t-production-envelope-payload-boundary-report.md

Additional C17U production envelope created-at skew verification:

go test ./...

Run from:

agents\rap-node-agent

Result:

valid fabric-control envelope still passes validation/observation: PASS
future-created fabric-control envelope rejected: PASS
future-created rejected envelope does not call observer: PASS
existing payload/hash/channel/time validation remains green: PASS
RDP/runtime/data-plane behavior changed: no
production service traffic over mesh: no

C17U report:

artifacts/c17u-production-envelope-created-at-skew-report.md

Additional C17V peer endpoint candidate model verification:

go test ./...

Run from:

backend
agents\rap-node-agent

Result:

backend synthetic config includes route-scoped peer endpoint candidates: PASS
unrelated peer endpoints and endpoint candidates do not leak across route paths: PASS
candidate validation rejects unknown transport/NAT, route-path mismatch, node mismatch, and invalid metadata: PASS
node-agent scoped config loads valid peer endpoint candidates: PASS
node-agent scoped config rejects invalid peer endpoint candidates: PASS
production forwarding remained unavailable: PASS
production service traffic over mesh: no

C17V report:

artifacts/c17v-peer-endpoint-candidate-model-report.md

Additional C17W peer endpoint candidate scoring verification:

go test ./...

Run from:

agents\rap-node-agent
backend

Result:

direct/fresh/public endpoint candidate ranks above relay and stale candidates: PASS
tie-breaking by priority/node/endpoint is deterministic: PASS
relay and outbound fallback candidates are retained instead of dropped: PASS
production forwarding remained unavailable: PASS
production service traffic over mesh: no

C17W report:

artifacts/c17w-peer-endpoint-candidate-scoring-report.md

Additional C17X health-aware endpoint candidate scoring verification:

go test ./...

Run from:

agents\rap-node-agent
backend

Result:

local health observations can promote lower-latency, high-reliability candidates: PASS
failure history and recent failure reasons penalize candidates: PASS
stale observations do not contribute fresh latency benefits: PASS
production forwarding remained unavailable: PASS
production service traffic over mesh: no

C17X report:

artifacts/c17x-health-aware-endpoint-candidate-scoring-report.md

Additional C17Y Platform Owner synthetic mesh visibility verification:

cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build && popd"
go test ./...

Run from:

web-admin
backend
agents\rap-node-agent

Result:

web-admin TypeScript/Vite build: PASS
backend tests: PASS
node-agent tests: PASS
Platform Owner Fabric page reads node-scoped synthetic mesh config: PASS
Fabric page shows route/endpoint/candidate counts and production forwarding state: PASS
production forwarding remained unavailable: PASS
RDP/runtime/data-plane behavior changed: no

C17Y report:

artifacts/c17y-platform-owner-synthetic-mesh-visibility-report.md

Additional C17Z production fabric-control direct forwarding verification:

go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build && popd"

Run from:

agents\rap-node-agent
backend
web-admin

Result:

local destination delivery for valid fabric.control: PASS
direct next-hop forwarding for valid fabric.control: PASS
no-transport path still returns runtime unavailable: PASS
invalid/hash/channel/time/payload boundaries remain enforced: PASS
service channels remain rejected: PASS
web-admin build with updated C17Z boundary wording: PASS
RDP/runtime service payload behavior changed: no

C17Z report:

artifacts/c17z-production-fabric-control-direct-forwarding-report.md

Additional C17Z1 production fabric-control multi-hop route-path verification:

go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build && popd"

Run from:

agents\rap-node-agent
backend
web-admin

Result:

route-path-bound multi-hop fabric.control forwarding: PASS
wrong next hop rejected: PASS
duplicate route path loop rejected: PASS
visited node metadata propagated to the destination: PASS
service channels remain rejected: PASS
RDP/runtime service payload behavior changed: no

C17Z1 report:

artifacts/c17z1-production-fabric-control-multihop-route-path-report.md

Additional C17Z2 production fabric-control forwarding observability verification:

go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build && popd"

Run from:

agents\rap-node-agent
backend
web-admin

Result:

accepted production fabric.control events logged: PASS
forwarded production fabric.control events logged: PASS
delivered production fabric.control events logged: PASS
rejected production fabric.control events logged: PASS
payload bodies are not logged: PASS
service channels remain rejected: PASS
RDP/runtime service payload behavior changed: no

C17Z2 report:

artifacts/c17z2-production-fabric-control-forwarding-observability-report.md

Additional C17Z3 production fabric-control route-config verification:

go test ./...

Run from:

agents\rap-node-agent

Result:

configured production fabric.control route forwarding: PASS
unknown configured route rejection: PASS
wrong configured next-hop rejection: PASS
existing direct and route-path forwarding tests: PASS
service channels remain rejected: PASS
RDP/runtime service payload behavior changed: no

C17Z3 report:

artifacts/c17z3-production-fabric-control-route-config-boundary-report.md

Additional C17Z4 scoped peer directory/recovery seed verification:

go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build && popd"

Run from:

backend
agents\rap-node-agent
web-admin

Result:

backend scoped peer-directory projection: PASS
backend recovery seed projection/ordering: PASS
node-agent scoped config validation: PASS
web-admin peer directory/recovery seed counters: PASS
RDP/runtime service payload behavior changed: no

C17Z4 report:

artifacts/c17z4-scoped-peer-directory-recovery-seeds-report.md

Additional C17Z5 node-agent peer cache runtime verification:

go test ./...

Run from:

agents\rap-node-agent

Result:

peer cache warm selection: PASS
recovery seed warm promotion: PASS
endpoint candidate scoring integration: PASS
node-agent config loading with peer runtime config: PASS
warm-peer health probe code compiles in node-agent: PASS
RDP/runtime service payload behavior changed: no

C17Z5 report:

artifacts/c17z5-node-agent-peer-cache-runtime-report.md

Additional C17Z6 dynamic endpoint reporting verification:

go test ./...

Run from:

agents\rap-node-agent
backend

Result:

node-agent advertised endpoint config loading: PASS
heartbeat endpoint report payload: PASS
backend projection of reported endpoint into scoped config: PASS
backend projection of reported endpoint candidate into scoped config: PASS
peer directory counts include reported endpoint/candidate: PASS
RDP/runtime service payload behavior changed: no

C17Z6 report:

artifacts/c17z6-dynamic-endpoint-reporting-report.md

Additional C17Z7 private/corporate endpoint candidate verification:

go test ./...

Run from:

agents\rap-node-agent
backend

Result:

multiple advertised endpoint heartbeat payload: PASS
private/corporate endpoint candidate preservation: PASS
corporate/private endpoint scoring preference: PASS
peer cache selects corporate LAN address for warm health: PASS
backend tests remain green: PASS
RDP/runtime service payload behavior changed: no

C17Z7 report:

artifacts/c17z7-private-corporate-endpoint-candidates-report.md

Additional C17Z8 peer connection state-machine verification:

go test ./...

Run from:

agents\rap-node-agent

Result:

ready/degraded transitions: PASS
repeated-failure backoff transition: PASS
backoff probe suppression/recovery: PASS
snapshot state counters: PASS
node-agent warm-peer health metadata compiles with connection states: PASS
RDP/runtime service payload behavior changed: no

C17Z8 report:

artifacts/c17z8-peer-connection-state-machine-report.md

Additional C17Z9 peer recovery planner verification:

go test ./...

Run from:

agents\rap-node-agent

Result:

bounded steady ready-peer selection: PASS
recovery seed candidate selection during ready deficit: PASS
active backoff candidate suppression: PASS
target capped by connectable peer count: PASS
node-agent recovery report metadata compiles: PASS
RDP/runtime service payload behavior changed: no

C17Z9 report:

artifacts/c17z9-peer-recovery-planner-report.md

Additional C17Z10 peer connection intent planner verification:

go test ./...

Run from:

agents\rap-node-agent

Result:

corporate/private direct intent classification: PASS
outbound-only rendezvous-required classification: PASS
relay-required rendezvous-required classification: PASS
private endpoint classification without explicit candidate hints: PASS
heartbeat intent report without advertised endpoint: PASS
RDP/runtime service payload behavior changed: no

C17Z10 report:

artifacts/c17z10-peer-connection-intent-planner-report.md

Additional C17Z11 peer connection manager runtime verification:

go test ./...

Run from:

agents\rap-node-agent

Result:

direct control-plane health probe through manager: PASS
relay/rendezvous-required peer deferred: PASS
repeated failure enters backoff and is suppressed: PASS
heartbeat manager report compiles: PASS
RDP/runtime service payload behavior changed: no

C17Z11 report:

artifacts/c17z11-peer-connection-manager-runtime-report.md

Additional C17Z12 rendezvous/relay control-plane contract verification:

go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build && popd"

Run from:

backend
agents\rap-node-agent

Result:

backend node-scoped rendezvous_leases contract and no unrelated leak: PASS
scoped config rendezvous lease validation: PASS
rendezvous-required intent resolved to relay_control with lease: PASS
peer connection manager probes relay health and records relay_ready: PASS
peer recovery planner maintains relay_ready peers in steady mode: PASS
web-admin synthetic config visibility for rendezvous leases: PASS
RDP/VPN/service payload behavior changed: no

Docker-test C17Z12 runtime smoke:

.\scripts\fabric\c17z12-rendezvous-relay-smoke-ssh.ps1 -KeepRunning

Result from run c17z12-20260428-142108:

backend API on http://192.168.200.61:18120/api/v1: PASS
C17Z12 web-admin view on http://192.168.200.61:5174/: PASS
C17Z12 containers left running on docker-test: PASS
backend auto-derived rendezvous_leases for outbound-only node C via relay node R: PASS
entry node A resolved waiting_rendezvous to relay_control: PASS
A -> C manager observation through relay was reachable: PASS
A -> C connection state was relay_ready: PASS
direct baseline synthetic route delivery: PASS
production forwarding remained disabled: PASS

C17Z12 report:

artifacts/c17z12-rendezvous-relay-control-plane-contract-report.md

Additional C17Z13 rendezvous lease telemetry verification:

go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build && popd"
.\scripts\fabric\c17z12-rendezvous-relay-smoke-ssh.ps1 -KeepRunning

Run from:

agents\rap-node-agent
backend

Result from docker-test run c17z13-20260428-145133:

backend API on http://192.168.200.61:18120/api/v1: PASS
web-admin on http://192.168.200.61:5174/: PASS
entry node A heartbeat reports c17z13.mesh_rendezvous_lease_report.v1: PASS
entry node A reports entry_observer_count=1 and relay_control_ready_count=1: PASS
relay node R reports admitted_as_relay_count=1: PASS
outbound-only node C reports admitted_as_peer_count=1: PASS
expired lease skip and active lease reselection test: PASS
lease telemetry boundary flags keep payload forwarding disabled: PASS
A -> C relay-control manager observation remains reachable and relay_ready: PASS

C17Z13 report:

artifacts/c17z13-rendezvous-lease-telemetry-report.md

Additional C17Z14 rendezvous lease refresh verification:

go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build"
.\scripts\fabric\c17z12-rendezvous-relay-smoke-ssh.ps1 -KeepRunning

Run from:

agents\rap-node-agent
backend

Result from docker-test run c17z14-20260428-151435:

backend API on http://192.168.200.61:18120/api/v1: PASS
web-admin on http://192.168.200.61:5174/: PASS
entry node A heartbeat reports c17z14.mesh_rendezvous_lease_report.v1: PASS
entry node A reports refresh_contract=node_scoped_synthetic_config_get, refresh_needed_count=1, and refresh_success_count=2: PASS
relay node R reports admitted_as_relay_count=2 and refresh success: PASS
outbound-only node C reports admitted_as_peer_count=2 and refresh success: PASS
stale relay withdrawal/reselection fields are present and zero in the healthy smoke path: PASS
refresh telemetry boundary flags keep payload forwarding disabled: PASS
direct baseline synthetic route delivery: PASS
A -> C relay-control manager observation remains reachable and relay_ready: PASS

C17Z14 report:

artifacts/c17z14-rendezvous-lease-refresh-report.md

Additional C17Z15 rendezvous relay replacement verification:

go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build"
.\scripts\fabric\c17z12-rendezvous-relay-smoke-ssh.ps1 -KeepRunning

Run from:

agents\rap-node-agent
backend

Result from docker-test run c17z15-20260428-153917:

backend API on http://192.168.200.61:18120/api/v1: PASS
web-admin on http://192.168.200.61:5174/: PASS
backend synthetic config schema c17z15.synthetic.v1: PASS
entry node A heartbeat reports c17z15.mesh_rendezvous_lease_report.v1: PASS
entry node A initially receives an explicit stale relay lease through old relay R with bad relay endpoint http://127.0.0.1:19210: PASS
Control Plane withdraws the stale old-relay lease and issues a replacement stale_relay_replacement lease through alternate relay S: PASS
replacement lease metadata includes relay_replacement_contract=stale_relay_feedback_policy and replacement_for_stale_relay=true: PASS
relay S reports admitted_as_relay_count=1: PASS
R or S reports last_refresh_reason=stale_relay and refresh success: PASS
direct baseline synthetic route delivery remains available: PASS
payload forwarding boundary flags keep RDP/VPN/service forwarding disabled: PASS

C17Z15 report:

artifacts/c17z15-rendezvous-relay-replacement-report.md

Additional C17Z16 route/path decision artifact verification:

go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build"
.\scripts\fabric\c17z12-rendezvous-relay-smoke-ssh.ps1 -KeepRunning

Run from:

agents\rap-node-agent
backend

Result from docker-test run c17z16-20260428-160621:

backend API on http://192.168.200.61:18120/api/v1: PASS
web-admin on http://192.168.200.61:5174/: PASS
backend synthetic config schema c17z16.synthetic.v1: PASS
entry node A heartbeat reports c17z16.mesh_rendezvous_lease_report.v1: PASS
entry node A heartbeat reports c17z16.mesh_route_path_decision_report.v1: PASS
Control Plane route/path decision removes stale relay R from effective hops and selects alternate relay S as next hop for A -> C: PASS
route/path decision report includes generation, score reasons, control_plane_only=true, route_path_forwarding_runtime=false, and production_payload_forwarding=false: PASS
replacement lease through alternate relay S remains relay_ready: PASS
direct baseline synthetic route delivery remains available: PASS
payload forwarding boundary flags keep RDP/VPN/service forwarding disabled: PASS

C17Z16 report:

artifacts/c17z16-route-path-decision-report.md

Additional C17Z17 route generation tracker verification:

go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build"
.\scripts\fabric\c17z12-rendezvous-relay-smoke-ssh.ps1 -KeepRunning

Run from:

agents\rap-node-agent
backend

Result from docker-test run c17z17-20260428-165118:

backend API on http://192.168.200.61:18120/api/v1: PASS
web-admin on http://192.168.200.61:5174/: PASS
backend synthetic config schema c17z17.synthetic.v1: PASS
entry node A heartbeat reports c17z17.mesh_rendezvous_lease_report.v1: PASS
entry node A heartbeat reports c17z17.mesh_route_path_decision_report.v1: PASS
entry node A heartbeat reports c17z17.mesh_route_generation_report.v1: PASS
route generation tracker reports active decisions, applied decisions, withdrawn decisions, total withdrawn count, and generation_changed=true: PASS
first-observed replacement records old relay path withdrawal as withdrawn_by_replacement: PASS
route generation boundary flags keep control_plane_only=true, route_path_forwarding_runtime=false, service_workload_traffic=false, and production_payload_forwarding=false: PASS
replacement lease through alternate relay S remains relay_ready: PASS
direct baseline synthetic route delivery remains available: PASS
payload forwarding boundary flags keep RDP/VPN/service forwarding disabled: PASS

C17Z17 report:

artifacts/c17z17-route-generation-tracker-report.md

Additional C17Z18 route-health effective path verification:

go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build"
.\scripts\fabric\c17z12-rendezvous-relay-smoke-ssh.ps1 -KeepRunning

Run from:

backend
agents\rap-node-agent

Result from docker-test run c17z18-20260428-174559:

backend API on http://192.168.200.61:18120/api/v1: PASS
web-admin on http://192.168.200.61:5174/: PASS
backend synthetic config schema c17z18.synthetic.v1: PASS
entry node A heartbeat reports c17z18.mesh_rendezvous_lease_report.v1: PASS
entry node A heartbeat reports c17z18.mesh_route_path_decision_report.v1: PASS
entry node A heartbeat reports c17z18.mesh_route_generation_report.v1: PASS
entry node A heartbeat reports c17z18.mesh_route_health_config_report.v1: PASS
synthetic route-health runtime uses the replacement effective path A -> alternate relay S -> outbound-only C: PASS
route-health drift detection stays false for the selected effective path: PASS
backend latest mesh links preserve synthetic_route_health separately from peer_connection_manager: PASS
web-admin Fabric links show route-health observation type, selected relay, and effective/observed path: PASS
payload forwarding boundary flags keep RDP/VPN/service forwarding disabled: PASS

C17Z18 report:

artifacts/c17z18-route-health-effective-path-report.md

Additional C17Z19 route-health feedback scoring verification:

go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build"
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\fabric\c17z19-route-health-feedback-smoke-ssh.ps1 -KeepRunning

Run from:

backend
agents\rap-node-agent
web-admin

Result from docker-test run c17z19-20260428-214427:

isolated backend API on http://192.168.200.61:18122/api/v1: PASS
fresh migration replay through 000022_synthetic_mesh_service_class: PASS
synthetic mesh route intent service class accepted by PostgreSQL: PASS
initial fast-path relay selection prefers node-s: PASS
injected synthetic route-health drift for selected relay node-s causes stale relay replacement through node-t: PASS
route path decision records node-t as selected relay and node-s as stale relay: PASS
healthy low-latency route-health for node-t keeps node-t selected with route_health_reachable, route_health_no_drift, route_health_quality, and route_health_latency score reasons: PASS
signed synthetic config is still required and present: PASS
payload forwarding boundary flags keep RDP/VPN/service forwarding disabled: PASS

C17Z19 report:

artifacts/c17z19-route-health-feedback-report.md
artifacts/c17z19-route-health-feedback-smoke-result.json

Additional C17Z20 route-health feedback refresh verification:

go test ./...
cmd /c "pushd \\nas\MST\codex\rdp-proxy\web-admin && npm run build"
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\fabric\c17z12-rendezvous-relay-smoke-ssh.ps1 -KeepRunning

Run from:

backend
agents\rap-node-agent
web-admin

Result from docker-test run c17z18-20260428-221601:

multi-agent backend API on http://192.168.200.61:18120/api/v1: PASS
backend/node-agent images rebuilt on docker-test: PASS
node A reports c17z20.mesh_route_health_config_report.v1: PASS
node A reports c17z20.mesh_route_health_feedback_refresh_report.v1: PASS
route-health failure triggers immediate config refresh before normal periodic interval: PASS
heartbeat reports feedback refresh attempts/successes/failures/suppressed: PASS
replacement route-health effective path through alternate relay remains active: PASS
payload forwarding boundary flags keep RDP/VPN/service forwarding disabled: PASS

C17Z20 report:

artifacts/c17z20-route-health-feedback-refresh-report.md

Dev cluster enrollment/bootstrap lifecycle verification:

pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\fabric\dev-cluster-enrollment-bootstrap-smoke-ssh.ps1 -KeepRunning

Result from docker-test run dev-bootstrap-20260428-201430:

isolated backend API on http://192.168.200.61:18121/api/v1: PASS
fresh migration replay through 000021_cluster_authority_keys: PASS
first-owner dev bootstrap through /installation/bootstrap-owner: PASS
signed join token, real node-agent enrollment, pending join request, and platform-owner approval: PASS
node-agent automatic bootstrap polling verified signed approval and persisted cluster authority pin: PASS
node heartbeat after bootstrap: PASS
signed c17z18.synthetic.v1 Control Plane synthetic config verified and loaded by node-agent: PASS
workload supervision stub is disabled by default, so no repeated admin-only desired-workload 403 loop is produced: PASS
production/service payload forwarding remains disabled: PASS

Dev enrollment/bootstrap report:

artifacts/dev-cluster-enrollment-bootstrap-smoke-report.md

Commands run during P0 baseline freeze:

go test ./...
dotnet build .\clients\windows\RemoteAccessPlatform.Windows.slnx
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-region-repair rdp-worker-graphics-adapter-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-region-repair rdp-worker-cursor-adapter-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-region-repair rdp-worker-service-adapter-protocol-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-region-repair rdp-worker-dataplane-bind-probe --scenario valid

Additional accepted P1 baseline verification:

go test ./...
dotnet build .\clients\windows\RemoteAccessPlatform.Windows.slnx
docker -H ssh://docker-test build --tag rap-rdp-worker:rdp-p1-region-order2 --file workers/rdp-worker/Dockerfile workers/rdp-worker
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-p1-region-order2 rdp-worker-graphics-adapter-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-p1-region-order2 rdp-worker-cursor-adapter-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-p1-region-order2 rdp-worker-service-adapter-protocol-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:rdp-p1-region-order2 rdp-worker-dataplane-bind-probe --scenario valid
pwsh -ExecutionPolicy Bypass -File scripts\smoke\drive-visibility-smoke.ps1 -WorkerImage rap-rdp-worker:rdp-p1-region-order2 -OutputFrame artifacts\stage5-drive-visibility-frame-p1-rerun.bmp

Result:

backend tests: PASS
Windows build: PASS, 0 warnings, 0 errors
worker probes: PASS
P1 worker image build: PASS
P1 smoke-worker deployment: PASS, worker:registration:rdp-worker-1 reports status=online
P1 manual visual smoke: PASS, idle Task Manager updates, Start menu/hover, mouse, keyboard, and session close work; window drag is usable with old-client style frame-only movement and non-perfect release repaint
Stage 5.1.1 restricted drive visibility smoke: PASS, remote Notepad opened stage5-upload-text.txt from the redirected RAP_Transfers drive

Additional P3 security-readiness verification:

go test ./...
docker -H ssh://docker-test build --tag rap-rdp-worker:p3-security-probes --file workers/rdp-worker/Dockerfile workers/rdp-worker
$scenarios = @('valid','starting','wrong-worker','wrong-attachment','wrong-user','wrong-organization','wrong-resource','channels-too-broad','failed-state','terminated-state')
foreach ($scenario in $scenarios) {
  docker -H ssh://docker-test run --rm rap-rdp-worker:p3-security-probes rdp-worker-dataplane-bind-probe --scenario $scenario
}

Result:

backend tests: PASS, including production secret-readiness guard tests
sessionbroker data-plane policy test: PASS
worker P3 probe image build: PASS
direct bind denial probes: PASS for valid/starting/wrong-worker/ wrong-attachment/wrong-user/wrong-organization/wrong-resource/ channels-too-broad/failed-state/terminated-state

Additional P3.1 secret resolver verification:

go test ./...

Result:

encrypted secret AES-256-GCM round trip: PASS
wrong AAD decrypt rejection: PASS
assignment-time resolved secret merge: PASS
session metadata plaintext mutation prevention: PASS
production missing resolver denial: PASS
development metadata fallback compatibility: PASS

Additional P3.2 direct worker TLS/PKI guard verification:

go test ./...
dotnet build clients\windows\RemoteAccessPlatform.Windows.slnx

Result:

production backend omits smoke-only direct worker WSS candidates: PASS
production-trusted direct candidate metadata: PASS
Windows client build with production/smoke direct TLS guard: PASS

Additional P3.3 production secret/TLS test-stand smoke:

docker -H ssh://docker-test build --tag rap-backend-smoke:p3-3 --file - backend
Get-Content -Raw backend\migrations\000009_resource_secrets.up.sql |
  docker -H ssh://docker-test exec -i rap_postgres psql -U rap_user -d remote_access_platform -v ON_ERROR_STOP=1 -f -
pwsh -ExecutionPolicy Bypass -File scripts\smoke\drive-visibility-smoke.ps1 `
  -WorkerImage rap-rdp-worker:rdp-p1-region-order2 `
  -ResourceName "P3.3 Secret RDP Resource" `
  -OutputFrame artifacts\p3-3-secret-backed-drive-frame.bmp

Result:

backend image rap-backend-smoke:p3-3: PASS
backend production-like start with SECRET_ENCRYPTION_KEY_FILE: PASS
secret-backed RDP resource through PUT /api/v1/resources/{id}/secret: PASS
real RDP session through resolver-backed assignment: PASS
resource/session metadata plaintext credential checks: PASS
audit plaintext credential checks: PASS
production backend omits smoke-only direct worker WSS candidate: PASS
development/smoke backend advertises explicit smoke-only direct worker WSS candidate: PASS
backend gateway fallback smoke with rendering/input/clipboard/file upload: PASS
secret-backed detach/reattach/takeover API lifecycle regression: PASS

Additional P3.4 production direct-worker WSS trust design/prep:

production worker WSS certificate model: documented
platform CA vs public CA recommendation: documented
worker certificate SAN and identity binding rules: documented
app-local Windows client trust approach: documented
rotation/revocation/fallback behavior: documented
future platform_ca smoke plan: documented
runtime behavior changed: no

Additional P3.5 app-local platform CA trust smoke:

dotnet build clients/windows/src/RemoteAccessPlatform.Windows.App/RemoteAccessPlatform.Windows.App.csproj
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts/smoke/prepare-platform-ca-direct-worker.ps1 `
  -DockerSshAlias docker-test `
  -LocalCaOutputPath artifacts/p3-5-platform-ca.crt `
  -WorkerHost 192.168.200.61 `
  -WorkerId rdp-worker-1 `
  -ClusterId default
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts/windows-smoke/desktop-smoke.ps1 `
  -DefaultResourceName "P3.3 Secret RDP Resource" `
  -PreferDirectDataPlane:$true `
  -AllowInsecureDirectDataPlaneTlsForSmoke:$false `
  -DirectDataPlaneConnectTimeoutMs 2500 `
  -DirectDataPlaneColorMode full_color `
  -DirectDataPlanePlatformCaBundle "\\192.168.220.200\mst\codex\rdp-proxy\artifacts\p3-5-platform-ca.crt" `
  -BackendEnvironment production `
  -SkipOrgSwitchAndTokenRefresh `
  -DockerSshAlias docker-test

Result:

Windows client app-local platform CA bundle support: PASS
worker WSS test cert with IP SAN and URI SAN: PASS
backend platform_ca candidate metadata: PASS
production client direct worker WSS selected without insecure TLS bypass: PASS
direct binary render over trusted WSS: PASS
input/lifecycle smoke over trusted WSS: PASS
unknown CA rejected and backend gateway fallback activated: PASS
smoke_insecure production case used backend gateway fallback: PASS
backend gateway fallback remained usable: PASS

P3.5 runtime report:

artifacts/p3-5-app-local-platform-ca-smoke-report.md

New P3.6 hardening finding:

stale Redis live/worker events after backend restart can crash the backend with invalid session state transition: terminated -> active
Redis was safely cleared for the test stand because PostgreSQL is the source of truth
next step should make stale worker events idempotent, not add product features

P3.6 stale worker event / restart idempotency hardening:

go test ./...
docker -H ssh://docker-test build --tag rap-backend-smoke:p3-6 --file - backend

Runtime smoke:

start real secret-backed RDP session
wait for PostgreSQL state active
terminate session
stop backend
push stale session_connected to Redis worker:events
restart backend
verify backend stays up
verify PostgreSQL state remains terminated
verify new normal RDP session still reaches active

Result:

stale session_connected for terminal session ignored: PASS
stale render telemetry for terminal session does not recreate live state: PASS
backend restart survives stale Redis worker event: PASS
terminal PostgreSQL session is not reopened: PASS
normal new RDP session after restart: PASS

P3.6 runtime report:

artifacts/p3-6-stale-worker-event-idempotency-report.md

Stage 5.2 server-to-client file download design pass:

safest v1 model selected: restricted RAP_Transfers\ToClient outbound drop zone
no Windows agent, SMB/WebDAV, remote filesystem browser, arbitrary path download, or expanded drive mapping
download remains policy-gated by file_transfer_mode
direct worker WSS remains preferred; backend gateway remains fallback
implementation prompt is documented for the next step

Design document:

docs/architecture/RDP_FILE_DOWNLOAD_STAGE_5_2.md

Stage 5.2 server-to-client file download implementation:

go test ./...
dotnet build clients/windows/src/RemoteAccessPlatform.Windows.App/RemoteAccessPlatform.Windows.App.csproj
docker -H ssh://docker-test build --tag rap-rdp-worker:stage5-2-download --file workers/rdp-worker/Dockerfile workers/rdp-worker
docker -H ssh://docker-test run --rm rap-rdp-worker:stage5-2-download rdp-worker-graphics-adapter-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:stage5-2-download rdp-worker-cursor-adapter-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:stage5-2-download rdp-worker-service-adapter-protocol-probe
docker -H ssh://docker-test run --rm rap-rdp-worker:stage5-2-download rdp-worker-dataplane-bind-probe --scenario valid
docker -H ssh://docker-test build --tag rap-backend-smoke:stage5-2-download --file - backend

Result:

backend tests: PASS
Windows build: PASS, 0 warnings, 0 errors
worker image build: PASS
worker probes: PASS
backend smoke image build: PASS
live runtime proof: pending

Build report:

artifacts/stage5-2-file-download-build-report.md

Stage 5.2 server-to-client file download runtime proof, core data path:

docker -H ssh://docker-test build --tag rap-rdp-worker:stage5-2-download-direct-block --file workers/rdp-worker/Dockerfile workers/rdp-worker
docker -H ssh://docker-test tag rap-rdp-worker:stage5-2-download-direct-block rap-rdp-worker:stage5-2-download
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\smoke\file-download-smoke.ps1 -AllowMode server_to_client -Transport direct_worker_wss -OutputDirectory artifacts/stage5-2-download-smoke-direct-fixed2
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\smoke\file-download-smoke.ps1 -AllowMode bidirectional -Transport direct_worker_wss -OutputDirectory artifacts/stage5-2-download-smoke-direct-bidirectional
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\smoke\file-download-smoke.ps1 -AllowMode client_to_server -Transport direct_worker_wss -ExpectBlocked -OutputDirectory artifacts/stage5-2-download-smoke-direct-client-to-server-block-fixed
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\smoke\file-download-smoke.ps1 -AllowMode disabled -Transport direct_worker_wss -ExpectBlocked -OutputDirectory artifacts/stage5-2-download-smoke-direct-disabled-fixed
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\smoke\file-download-smoke.ps1 -AllowMode server_to_client -Transport backend_gateway -OutputDirectory artifacts/stage5-2-download-smoke-backend-regression-after-direct-block

Result:

direct worker WSS server_to_client: PASS, text and binary size/hash match
direct worker WSS bidirectional: PASS, text and binary size match
direct worker WSS client_to_server: PASS, download blocked with access denied
direct worker WSS disabled: PASS, download blocked with access denied
backend gateway fallback server_to_client: PASS, text and binary size/hash match
direct WSS smoke harness bug fixed: PowerShell TLS callback now uses a static .NET delegate and URL query construction now uses ? correctly
direct WSS policy feedback bug fixed: disallowed file download now returns file_download.blocked instead of silently dropping the request

Stage 5.2 server-to-client file download lifecycle proof:

docker -H ssh://docker-test build --tag rap-rdp-worker:stage5-2-download --file workers/rdp-worker/Dockerfile workers/rdp-worker
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\smoke\file-download-smoke.ps1 -AllowMode server_to_client -Transport direct_worker_wss -LifecycleScenario detach -OutputDirectory artifacts/stage5-2-download-lifecycle-detach-fixed
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\smoke\file-download-smoke.ps1 -AllowMode server_to_client -Transport direct_worker_wss -LifecycleScenario takeover_old_controller -OutputDirectory artifacts/stage5-2-download-lifecycle-takeover-fixed
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\smoke\file-download-smoke.ps1 -AllowMode server_to_client -Transport direct_worker_wss -LifecycleScenario worker_failure -OutputDirectory artifacts/stage5-2-download-lifecycle-worker-failure
pwsh -NoProfile -ExecutionPolicy Bypass -File scripts\smoke\file-download-smoke.ps1 -AllowMode server_to_client -Transport direct_worker_wss -OutputDirectory artifacts/stage5-2-download-smoke-direct-after-lifecycle-fix

Result:

detach: PASS, PostgreSQL state detached, outcome file_download.blocked, reason session is not active
old-client takeover: PASS, stale attachment receives session.taken_over and cannot continue download
worker failure: PASS, PostgreSQL state failed, audit session_failed, direct WebSocket closes and download cannot continue
post-fix direct download regression: PASS, text and binary size match
direct WSS stale attachment feedback bug fixed: stale attachment now receives session.taken_over instead of observing silence

Runtime report:

artifacts/stage5-2-file-download-runtime-report.md

Coverage warning:

this is not a full live RDP smoke pass
most confidence for RDP UX still comes from manual/live smoke history
automated regression coverage must be expanded before production readiness

Correct Next Step

C17Z20 is complete. Do not automatically continue into VPN runtime, RDP work, or service workload traffic.

The next step must be chosen as a new explicit staged prompt. Until then, keep the proven C17A-C17Z20 mesh proof/gate/contract/observation/config/scoring/ visibility/fabric-control-forwarding/forwarding-observability/route-config boundary/scoped-peer-directory/peer-cache-runtime/dynamic-endpoint-reporting private/corporate endpoint candidate/peer-connection-state/recovery-planner /connection-intent/connection-manager/rendezvous-lease-telemetry/lease-refresh /relay-replacement-policy/route-path-decision/route-generation-tracker/ synthetic-route-health-effective-path/route-health-feedback-scoring/ route-health-feedback-refresh set preserved. Production forwarding remains explicitly gate-controlled and limited to fabric.control; service payload forwarding remains unavailable.

Do not start:

RDP performance work
Stage 5.2 RDP download UI proof
production service mesh runtime traffic
VPN/IP tunnel runtime implementation
C18D VPN credential/config resolver work
TUN/TAP, host route, or firewall manipulation
general relay packet routing
service workload traffic over mesh
RDP/VNC/SSH/file/video traffic over mesh
QUIC/WebRTC
service workload execution
backend/session lifecycle changes
Windows client changes

RDP status:

RDP is paused by product decision.
RDP-Perf-6 is completed and smoke-proven.
The C++ RDP Adapter remains the preserved runtime baseline for when RDP work explicitly resumes.
C10-C17 planning are completed as documentation/planning. C17A, C17B, C17C, C17D, C17E, C17F, C17G, C17H, C17I, C17J, C17K, C17L, C17M, C17N, C17O, C17P, C17Q, C17R, C17S, C17T, C17U, C17V, C17W, C17X, C17Y, C17Z, C17Z1, C17Z2, C17Z3, C17Z4, C17Z5, C17Z6, C17Z7, C17Z8, C17Z9, C17Z10, C17Z11, C17Z12, C17Z13, C17Z14, C17Z15, C17Z16, C17Z17, C17Z18, C17Z19, and C17Z20 are implemented/proven with synthetic traffic, explicit production-forwarding gate checks, envelope contract validation, metadata-only observation, or bounded local observation retention/wiring/metrics/local logging/capacity guard/fail-closed hardening and payload/time-boundary validation only. C18 planning is completed as documentation only. C18A control-plane data model foundation is implemented and backend-test-proven. C18B lease/fencing hardening is implemented and backend-test-proven. C18C node-agent desired-state consumption/reporting is implemented and backend-test-proven. C18 runtime is not authorized.

93 KiB Raw Blame History

Current Implementation Status

Project Identity

Canonical Test Environment

Proven Baseline

Backend

Worker / RDP Adapter

Windows Client

Current Known Gaps

Current Verification Snapshot

Correct Next Step

93 KiB

Raw Blame History