proposal: network-neutral enterprise installer and signed connect links#2671
proposal: network-neutral enterprise installer and signed connect links#2671reachjalil wants to merge 8 commits into
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
@reachjalil is attempting to deploy a commit to the Different AI Team on Vercel. A member of the Team first needs to authorize it. |
fraimz — ✅ PASSED1 passed · 0 failed · 0 skipped — run Full frame proof with validated screenshots: ✅ client-connect-link — A clean enterprise client pairs to its company through one signed, confirmed linkUser-facing flow demo
(screenshot upload failed: BLOB_READ_WRITE_TOKEN is not set and could not be fetched from Infisical ( |
2c0bb48 to
a540ed2
Compare
fraimz — ✅ PASSED1 passed · 0 failed · 0 skipped — run Full frame proof with validated screenshots: ✅ client-connect-link — A network-neutral enterprise install becomes the organization's branded appUser-facing flow demo
(screenshot upload failed: BLOB_READ_WRITE_TOKEN is not set and could not be fetched from Infisical ( |
a540ed2 to
7a31c45
Compare
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Claude <noreply@anthropic.com>
7a31c45 to
ffe1485
Compare
fraimz — ✅ PASSED1 passed · 0 failed · 0 skipped — run Full frame proof with validated screenshots: ✅ client-connect-link — A network-neutral enterprise install becomes the organization's branded appUser-facing flow demo
(screenshot upload failed: BLOB_READ_WRITE_TOKEN is not set and could not be fetched from Infisical ( |
|
Closing this draft after realigning on the existing deterministic enterprise installer. The replacement work will review and strengthen that established path, add convenient organization-bundle tooling, and document managed enterprise deployment rather than introducing a separate signed deep-link installer or application flavor. |
Proposal
This PR proposes a network-neutral OpenWork Enterprise installer plus signed connect links:
The branch contains a gated reference implementation so product, security, and operations can review the complete flow before activation. Den remains remote infrastructure; the enterprise artifact connects to an organization-managed deployment and omits the standard desktop's local execution stack.
What this includes
openworklabs.comand subdomains at the Electron session boundary and explicitly refuses them at the main-process fetch bridge. Customer domains and lookalikes remain allowed.Overall concept and benefits
openworklabs.com; it waits at Ready to connect.How the installer points to the company's server
The installer itself does not contain a customer URL. It registers the
openwork://protocol with macOS/Windows/Linux. An administrator asks the organization's remote Den deployment to mint a short-lived signed configuration link. When the employee clicks it, the operating system opens OpenWork Enterprise and passes the full link to Electron main.Electron main verifies the Ed25519 signature, audience, schema version, expiry, one-time id, and HTTPS URLs. The renderer only receives safe display fields. After the employee confirms the exact branded app and host, main verifies the original bytes again and writes the normalized values to
desktop-bootstrap.json. Normal organization sign-in then begins.Branding: preserve and extend the JSON solution
The existing
openwork-installer.jsonside-file solution already supports organization branding. This proposal deliberately preserves it. The deterministic installer normalizes that side file into the same canonical local bootstrap schema used by MDM and signed links:appNamebrandAppNamebrand.appNamelogoUrlbrandLogoUrlbrand.logoUrliconUrlbrandIconUrlbrand.iconUrlwebUrl,apiUrlbaseUrl,apiBaseUrlden.baseUrl,den.apiBaseUrlrequireSigninrequireSigninrequireSigninThe signed token maps one-for-one into the same fields produced from
openwork-installer.json, and branding is applied immediately after confirmation.What improves over a JSON side file
MDM means Mobile Device Management: tools such as Microsoft Intune or Jamf that let enterprise IT install apps and push configuration files/policies to managed computers. MDM remains the preferred path for tightly controlled fleets. The deterministic installer side file remains the strongest air-gapped/preconfigured path. Signed links add a safe path where neither is available; they replace neither.
Network-neutral state model
The guard blocks the exact vendor domain and its subdomains only. It does not block customer domains or lookalike hostnames, and it re-locks if configuration is cleared.
Reference implementation
brandclaims.Security properties
Dark-launch and adoption path
Out of scope
openwork://den-authremain supported.Testing
Automated and build proof
OpenWork Enterprise.appdirectory packagePackaged-app behaviors proved
enterpriseNetworkLocked: true.enterpriseNetworkLocked: false.applied: true) on the real packaged macOS app.Visual product proof on the final branch: fraimz PR walkthrough.
Docker note
packaging/docker/Dockerfile.denincludes the connect-link workspace manifest and sources, and builds@openwork/connect-linkbefore Den consumers. The authoritative Den API artifact build passes in PR CI.Final CI status
openwork-app,openwork-den, andopenwork-den-worker-proxy). These are repository integration/auth gates, not code failures; the landing preview deployed successfully.Risk and rollback
Issue