Skip to content

Guardian edge TLS + CORS for remote clients (Phase 6.5 — gates the phone/PWA story) #557

Description

@fwdslsh-dev

Summary

Give the guardian edge an HTTPS story and a CORS allowlist so remote clients (the hosted PWA at the official URL, and any phone) can connect. This is Phase 6.5 of docs/technical/ui-runtime-modes-plan.md and a hard prerequisite for the mobile half of #511.

Why this is unavoidable (platform rules, not our code)

  • Secure context: a PWA installs only over HTTPS or from localhost. Plain HTTP on a LAN IP is never installable.
  • Mixed content: an HTTPS origin (the hosted client) cannot fetch() a plain-HTTP guardian. So every phone → guardian connection needs TLS, regardless of where the client was installed from.
  • The desktop/localhost install path needs none of this — a http://127.0.0.1 origin is a secure context and may call plain-HTTP LAN guardians (loopback is the most-trusted Private Network Access tier). That's why it's the zero-setup default and this issue only gates the remote/phone story.

Today there is no TLS anywhere in the stack (verified: no caddy/tls references in packages/skeleton/system/stack/ or containers/) and guardian sends no CORS headers.

Simplicity guardrail (from the ratified plan, §8 rule 11)

TLS is never a manual user task on default paths. Explicit non-goal: asking non-technical users to install a private CA on iOS/Android (mkcert-style). The chosen flows must be guided.

Scope

  • Recommended default: Tailscale. Guided docs + (optionally) a sidecar/serve integration so a guardian gets a ts.net name with a real Let's Encrypt cert — no cert management for the user
  • Alternative: Caddy front for the guardian with a user-owned domain (DNS-challenge Let's Encrypt) for users who don't want Tailscale
  • CORS allowlist on guardian ingress: official hosted origin (e.g. app.openpalm.dev) baked in, additional origins configurable; enforced tests
  • requiresHttpsForRemoteConnections enforced client-side too: the hosted client refuses plain-HTTP non-loopback targets with an actionable message deep-linking to the TLS guide
  • Coordinate with Guardian LAN/mDNS self-advertisement #488 (mDNS advertisement should surface the HTTPS name when enabled) and Guardian: mTLS adapter auth + keep authn/authz seams generic  #435 (credentials only ever sent over HTTPS for non-loopback targets)

Non-goals

  • No change to the loopback-default posture: guardian stays LAN-dark unless explicitly exposed (OP_BIND_ADDRESS policy unchanged)
  • No public-internet exposure guidance beyond the Tailscale/Caddy paths

Related

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions