Skip to content

feat: add machine-local secure input receiver#59

Open
kanazawahere wants to merge 2 commits into
jmfederico:mainfrom
kanazawahere:feat/secure-input
Open

feat: add machine-local secure input receiver#59
kanazawahere wants to merge 2 commits into
jmfederico:mainfrom
kanazawahere:feat/secure-input

Conversation

@kanazawahere

Copy link
Copy Markdown
Contributor

Summary

  • add an opt-in, machine-local Secret control with a native type="password" field and show/hide toggle
  • send UTF-8 bytes directly to a fixed server-side argv receiver over stdin (shell: false)
  • keep secret values out of the chat composer, Pi session daemon, agent prompt, application state, and transcript
  • expose only receiver availability, label, byte limit, and opaque receipt metadata to the browser
  • deliberately exclude machine federation: the action is hidden while a remote machine is selected

Security boundaries

  • config absent = feature disabled
  • receiver command/args remain server-side and are omitted from config APIs
  • custom non-simple request content type/header, 4 KiB hard limit, timeout, and single-flight guard
  • receiver stdout/stderr discarded; API errors never include receiver diagnostics or submitted input
  • request buffers and browser transport bytes are zeroed after handling
  • responses use Cache-Control: no-store
  • dialog stores the secret only in the native DOM input, clears it before transport, and resets reveal state on submit/close

Configuration

{
  "secureInput": {
    "command": ["/usr/local/bin/store-secret", "--stdin"],
    "label": "Secret",
    "maxBytes": 4096,
    "timeoutMs": 10000
  }
}

See docs/config.md for the threat model and deployment guidance. For remote browser access, use an authenticated HTTPS reverse proxy; Clipboard and other browser security capabilities are restricted on plain HTTP.

Validation

  • npm run verify
    • typecheck passed
    • ESLint passed
    • Knip passed
    • 187 test files; 1,346 passed; 2 skipped
  • npm run build passed
  • mobile-touch canary checks on a 390×844 viewport:
    • Secret open, show/hide, X, Cancel, and post-receipt Close passed
    • HTTPS clipboard path changed message Copy from to and wrote the expected message
  • pre-commit npm run verify:staged passed for both commits

@kanazawahere

Copy link
Copy Markdown
Contributor Author

Mobile operator acceptance completed on the tailnet-only HTTPS canary (390px-class phone viewport).

Accepted checks:

  • open the native Secret dialog
  • show/hide the password with the eye control
  • close with X and Cancel before submission
  • submit and close the receipt state
  • copy a chat message over HTTPS ()

The canary receiver remained machine-local; acceptance was recorded from receipt metadata only and no submitted secret value was inspected or included here. The temporary canary and HTTPS route were stopped after acceptance.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant