README.md

# Remote Access Platform — Alpha

A self-hostable remote support platform for IT teams: technicians log in to a web
console, see their team's machines, and start a screen-share + remote-control
session to any online machine after the end user grants consent. Built to the
spec in `PRD-remote-access-platform.md`.

This alpha implements the PRD's P0 requirements: authenticated console, **MFA**,
**RBAC**, **machine enrollment**, **per-session consent**, **WebRTC screen
streaming + remote input**, and an **immutable audit log**.

```
remote-access-app/
├── server/        Backend: HTTP API + WebSocket signaling + SQLite
│   ├── server.js  Auth, MFA, machines, audit API + signaling broker
│   ├── auth.js    scrypt passwords, TOTP MFA, tokens (no external auth deps)
│   ├── db.js      Schema via Node's built-in node:sqlite
│   ├── public/    Web console (index.html) + remote viewer (viewer.html)
│   └── test/e2e.js  26-check end-to-end test of the whole backend flow
└── agent/         Native host agent (Electron)
    ├── main.js          Consent window, screen source, OS input injection
    ├── input/inject.js  Mouse/keyboard injection via nut-js (Win32 SendInput)
    └── renderer/        Agent UI + WebRTC screen capture
```

## Quick start

### 1. Server (any OS, Node 22.5+)

```bash
cd server
npm install        # only dependency is `ws`
npm start          # serves http://localhost:8090
```

Open **http://localhost:8090**, click **Register team**, then set up MFA
(add the shown secret to Google Authenticator / Authy / 1Password and enter a code).
Log in, and enroll a machine — you'll get an `AGENT_ENROLL_TOKEN`.

### 2. Agent (on the Windows/macOS PC to be controlled)

```bash
cd agent
npm install                     # installs Electron + nut-js (input injection)
set SERVER_URL=http://<server-ip>:8090     # Windows
set AGENT_ENROLL_TOKEN=<token from console>
npm start
```

The agent window comes online; the machine shows green in the console.
Click **Connect** in the console — the agent shows a consent prompt. On **Allow**,
the technician sees the live screen and can control it. A red banner stays on the
host screen for the whole session, and every step is written to the audit log.

> Set a machine to **unattended** at enrollment to skip the consent prompt
> (for servers / headless machines), per the PRD's unattended-access policy.

## What's tested (in this sandbox)

```
cd server && npm test            # 26/26 checks pass
cd agent  && npm run test:input  # 5/5 input-mapping checks pass
```

The e2e test drives the real backend: register → enable MFA → login (password +
TOTP) → enroll machine → agent connects → technician requests session → consent →
SDP/ICE relay → session end → audit verification → consent-denial path.

## What requires real hardware (not testable in a headless sandbox)

- **OS input injection** runs through `nut-js` (Win32 `SendInput` on Windows,
  `CGEvent` on macOS). Without it installed, `inject.js` degrades to a safe
  logging no-op so the agent still runs. Verify on a real desktop.
- **Screen capture** uses Electron's `desktopCapturer` / `getDisplayMedia`.

## Architecture notes

- **Media is peer-to-peer.** The server only brokers signaling (SDP/ICE) and
  consent; screen frames and input never pass through it. Channels are
  DTLS-encrypted by WebRTC.
- **NAT traversal** uses a public STUN server. ~10–15% of connections behind
  symmetric NATs will need a **TURN relay** (coturn) — the next infra item.
- **Auth** uses scrypt password hashing and RFC-6238 TOTP, implemented on Node's
  built-in `crypto` — no `bcrypt`/`jsonwebtoken`/`speakeasy` dependencies.
- **Storage** is `node:sqlite` (built into Node 22.5+), so the backend has a
  single runtime dependency (`ws`).

## Gaps before production (from PRD §5)

1. **TURN relay** for non-P2P connections (coturn).
2. **macOS/Linux agents** + code-signed installers; packaged Windows binary.
3. **File transfer, clipboard sync, multi-monitor** (PRD P1).
4. **SSO, session recording, SOC 2** (PRD P1/T8).
5. Harden signaling: rate limiting, per-session authz checks, CSRF on cookie API.
first commit 2026-06-05 17:29:09 +05:30			`# Remote Access Platform — Alpha`

			`A self-hostable remote support platform for IT teams: technicians log in to a web`
			`console, see their team's machines, and start a screen-share + remote-control`
			`session to any online machine after the end user grants consent. Built to the`
			spec in `PRD-remote-access-platform.md`.

			`This alpha implements the PRD's P0 requirements: authenticated console, MFA,`
			`RBAC, machine enrollment, per-session consent, **WebRTC screen`
			`streaming + remote input, and an immutable audit log**.`

			```
			`remote-access-app/`
			`├── server/ Backend: HTTP API + WebSocket signaling + SQLite`
			`│ ├── server.js Auth, MFA, machines, audit API + signaling broker`
			`│ ├── auth.js scrypt passwords, TOTP MFA, tokens (no external auth deps)`
			`│ ├── db.js Schema via Node's built-in node:sqlite`
			`│ ├── public/ Web console (index.html) + remote viewer (viewer.html)`
			`│ └── test/e2e.js 26-check end-to-end test of the whole backend flow`
			`└── agent/ Native host agent (Electron)`
			`├── main.js Consent window, screen source, OS input injection`
			`├── input/inject.js Mouse/keyboard injection via nut-js (Win32 SendInput)`
			`└── renderer/ Agent UI + WebRTC screen capture`
			```

			`## Quick start`

			`### 1. Server (any OS, Node 22.5+)`

			```bash
			`cd server`
			npm install # only dependency is `ws`
			`npm start # serves http://localhost:8090`
			```

			`Open http://localhost:8090, click Register team, then set up MFA`
			`(add the shown secret to Google Authenticator / Authy / 1Password and enter a code).`
			Log in, and enroll a machine — you'll get an `AGENT_ENROLL_TOKEN`.

			`### 2. Agent (on the Windows/macOS PC to be controlled)`

			```bash
			`cd agent`
			`npm install # installs Electron + nut-js (input injection)`
			`set SERVER_URL=http://<server-ip>:8090 # Windows`
			`set AGENT_ENROLL_TOKEN=<token from console>`
			`npm start`
			```

			`The agent window comes online; the machine shows green in the console.`
			`Click Connect in the console — the agent shows a consent prompt. On Allow,`
			`the technician sees the live screen and can control it. A red banner stays on the`
			`host screen for the whole session, and every step is written to the audit log.`

			`> Set a machine to unattended at enrollment to skip the consent prompt`
			`> (for servers / headless machines), per the PRD's unattended-access policy.`

			`## What's tested (in this sandbox)`

			```
			`cd server && npm test # 26/26 checks pass`
			`cd agent && npm run test:input # 5/5 input-mapping checks pass`
			```

			`The e2e test drives the real backend: register → enable MFA → login (password +`
			`TOTP) → enroll machine → agent connects → technician requests session → consent →`
			`SDP/ICE relay → session end → audit verification → consent-denial path.`

			`## What requires real hardware (not testable in a headless sandbox)`

			- OS input injection runs through `nut-js` (Win32 `SendInput` on Windows,
			`CGEvent` on macOS). Without it installed, `inject.js` degrades to a safe
			`logging no-op so the agent still runs. Verify on a real desktop.`
			- Screen capture uses Electron's `desktopCapturer` / `getDisplayMedia`.

			`## Architecture notes`

			`- Media is peer-to-peer. The server only brokers signaling (SDP/ICE) and`
			`consent; screen frames and input never pass through it. Channels are`
			`DTLS-encrypted by WebRTC.`
			`- NAT traversal uses a public STUN server. ~10–15% of connections behind`
			`symmetric NATs will need a TURN relay (coturn) — the next infra item.`
			`- Auth uses scrypt password hashing and RFC-6238 TOTP, implemented on Node's`
			built-in `crypto` — no `bcrypt`/`jsonwebtoken`/`speakeasy` dependencies.
			- Storage is `node:sqlite` (built into Node 22.5+), so the backend has a
			single runtime dependency (`ws`).

			`## Gaps before production (from PRD §5)`

			`1. TURN relay for non-P2P connections (coturn).`
			`2. macOS/Linux agents + code-signed installers; packaged Windows binary.`
			`3. File transfer, clipboard sync, multi-monitor (PRD P1).`
			`4. SSO, session recording, SOC 2 (PRD P1/T8).`
			`5. Harden signaling: rate limiting, per-session authz checks, CSRF on cookie API.`