Skip to content

P0: broker attest exact Mac control-plane and ACL readiness #667

Description

@100yenadmin

Problem

The Mac can prove that a Tailscale-compatible client is installed, running, enrolled, and locally online. It cannot authoritatively prove that the client is connected to the evaOS customer’s assigned control plane or that the required customer-scoped ACL route is allowed.

The bridge therefore omits correct_control_plane and acl_allowed, and Workbench #664 correctly keeps readiness blocked. Those facts need a broker/control-plane authority contract; they must never be guessed from a 100.x address, interface, local client output, or stale connector row.

Required authority contract

  • For the exact authenticated customer/device/grant scope, return redacted booleans for:
    • correct_control_plane;
    • acl_allowed;
    • freshness/expiry sufficient to reject stale proof.
  • Bind proof to the active device identity and current enrollment/grant, not a display label or pending row.
  • Revoke/demote immediately on wrong network, ACL denial, grant expiry, stop/revoke, kill switch, device replacement, or offline transition.
  • Do not expose control-plane URLs, ACL contents, private addresses, connector endpoints, tokens, customer data, or raw logs.
  • Keep local Workbench evidence and authoritative broker evidence separate in diagnostics and audit proof.

Acceptance proof

Dependencies

Proof boundary

Local Tailscale status, a private address, or a connector health response does not prove the assigned control plane, ACL authorization, or customer readiness.

Metadata

Metadata

Assignees

No one assigned

    Labels

    area:brokerevaOS broker/session/auth integrationarea:native-companionNative macOS companion boundaryevaosevaOS public beta R&D workkind:integrationIntegration implementation issuepriority:P0Critical customer/runtime blocker requiring immediate attentionpublic-betaBlocks or contributes to the public beta gateready-for-agentIssue has enough handoff detail for an agent to startrelease-train:runtime-reliabilityCross-version Workbench/runtime reliability release trainrisk:securitySecurity, auth, secrets, permission risk

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions