Skip to content

P0: broker mint one-use Mac private-network enrollment after customer approval #666

Description

@100yenadmin

Problem

Workbench can now distinguish an installed secure-network client that is not enrolled, but the broker has no explicit customer-click API for a one-use Headscale/Tailscale-compatible Mac enrollment. The existing create_enrollment action registers the evaOS Desktop Bridge connector; it is not private-network enrollment and must not be reused or conflated.

Required broker contract

  • After an authenticated user click and exact customer/device selection, mint one short-lived, one-use private-network enrollment authorization.
  • Bind it to the exact customer, device identity, supported client variant, intended control plane, expiry, and audit record.
  • Return material only to the Workbench main process; renderer state receives typed progress only.
  • Invoke the installed vendor client through an explicit approved app-bundled path.
  • Never persist or log the control-plane URL, enrollment key, callback material, private address, raw command output, or customer data.
  • Expire on use/cancellation/timeout; revoke stale pending material; wrong-network state must fail closed and require an explicit reconnect flow.
  • Preserve current broker grants, Headscale ACLs, stop/revoke, kill-switch, and customer isolation.

Acceptance proof

Dependencies

Proof boundary

Bridge connector enrollment is not secure-network enrollment. Source/UI tests are not a live Headscale enrollment or customer-ready claim.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:brokerevaOS broker/session/auth integrationarea:native-companionNative macOS companion boundaryevaosevaOS public beta R&D workkind:integrationIntegration implementation issuepriority:P0Critical customer/runtime blocker requiring immediate attentionpublic-betaBlocks or contributes to the public beta gateready-for-agentIssue has enough handoff detail for an agent to startrelease-train:runtime-reliabilityCross-version Workbench/runtime reliability release trainrisk:securitySecurity, auth, secrets, permission risk

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions