--- title: Security model description: Trust boundaries, the ordered gates, what is intentionally impossible, the audit trail, and the kill switches of ARGUS remote support. --- # Security model This is the condensed security model for remote support. It covers the trust boundaries, the gates a session must pass in order, what the system deliberately cannot do, how actions are audited, and how a session is killed. ## Trust boundaries ``` PUBLIC INTERNET | v ops API <- operator auth: IP allowlist, ops token, operator credential | | per-session WebSocket, scoped to one agent v streaming agent <- pre-existing agent registration auth | | local IPC to disk and tray v client machine ``` * **Boundary 1 (internet to ops API):** public, hardened by the IP allowlist plus TLS plus auth plus audit. The allowlist check runs before any auth check, so an attacker hitting the activation endpoint from an unlisted IP is rejected with no information. * **Boundary 2 (ops API to agent):** authenticated, scoped per session, end-to-end TLS (`wss://` with certificate validation, no verification shortcuts). The server cannot directly read the agent's disk; it must send a command, and every command is logged. * **Boundary 3 (agent to client machine):** the agent's own filesystem permissions; it runs as a non-privileged user where possible. The patch allowlist is the only thing standing between a compromised ops API and the rest of the client machine, which is why it is fixed in the agent and not hot-pushable. ## The gates, in order Every session passes this pipeline; every box is audited and a failure at the gate produces an audited 403: 1. **Enrollment plus consent** (out of band): the tenant signs, the agent enrolls. 2. **Agent dials OUT** and holds an idle WebSocket. Its capability manifest is ingested as advisory data only; no code path consults it for authorization. 3. **Operator requests activation.** 4. **3-factor gate plus consent check:** operator IP in `REMOTE_SUPPORT_OPERATOR_CIDRS`, the `ARGUS_OPS_TOKEN` second factor (header only, never URLs or logs), and the `remote_support` operator credential, plus a fresh consent check. Activation requests carry a single-use nonce and a timestamp within 60 seconds of server time, so they cannot be replayed. 5. **Client-visible indicator turns ON.** 6. **Time-boxed session:** default 30 minutes, hard cap 120 minutes enforced in server code, not env-overridable. 7. **Curated commands only:** the allowlist, enforced on the agent side. File reads resolve the path first and match it against canonical allowlisted paths before any IO. Patches are Ed25519-signed over the patch ID, content hash, target agent, and validity window; the agent rejects any mismatch, expired window, or seen-before patch ID. Every command's tenant and agent must match the session's binding; a mismatch is a 403 plus an audit row. 8. **Deactivate or expire.** ## What is intentionally NOT possible * **Cold-start reach-in.** The agent connects out; the server has no inbound path. An agent that is not running is simply offline. * **Unconsented access.** Consent is checked at every activation, a database constraint makes enabled-without-signed-consent unrepresentable, and there is no operator override. Covert or cold-start access is out of scope permanently as a legal red line, not a deferred feature. * **A remote command line.** No arbitrary process invocation. The command set is a fixed allowlist. * **File writes outside the patch system.** The signed hotfix is the only write path; there is no generic write-file command. Patches that touch files outside the patch allowlist, add executable bits or shebangs, or change file modes are rejected. * **Capability escalation via the manifest.** The agent's self-reported manifest is advisory; a false manifest can at most mislead the operator's view, never grant authority. ## Audit trail Every activation, command, and patch attempt writes two rows: the operational audit table (`argus.remote_support_audit`, INSERT-only at the role level, with operator email, IP, tenant, and a required non-empty reason) and the append-only events store (`argus.events`, `source='remote_support'`). A nightly auditor compares counts across the two over each 24-hour window and emails on mismatch, so deleting one's own audit row trips a wire. Tripwires also fire on any failed activation, any non-allowlisted-IP attempt, any failed patch signature, long-held sessions, and unusually frequent activation by one operator. ## Kill switches * **Tenant side:** `argus-agent remote-support-off` on the client machine terminates the session immediately. The tray indicator means the tenant always sees that a session is active. * **Operator side:** explicit deactivation, or [disarming the tenant](/docs/remote-support/arm-disarm), which ends any live sessions. * **Automatic:** session expiry (30 minute default, 120 minute hard cap). * **Identity level:** [per-agent revocation](/docs/remote-support/revoke) makes the agent's next dial fail and force-closes a live socket. Every termination path writes `remote_support_session_ended` to audit. --- For a semantic overview of all documentation, see [/sitemap.md](/sitemap.md) For an index of all available documentation, see [/llms.txt](/llms.txt) For agent-facing discovery, including API and MCP surfaces, see [/agents.md](/agents.md)