Terminal Session Security designed

Browser terminal access is a controlled session path. Users do not receive raw long-lived secrets; the API binds a short-lived terminal token to an allocation, and the terminal gateway mediates the WebSocket stream to the node-agent path.

Session Path

Security Rules

Rule	Meaning
No query-string tokens	Browser WebSockets use approved protocol/header handling, never ?token=
Single-use token	Terminal token is short-lived and deleted on first use
Allocation binding	User, allocation, and session scope are checked before stream establishment
Gateway isolation	Terminal gateway is the WebSocket surface; node-agent is not public
Session TTL	Maximum session lifetime is policy-driven and enforced by gateway and node-agent
Evidence	Replay/session tests and terminal preflight belong in release evidence

Operational Meaning

Terminal failures should be triaged through token minting, gateway health, session binding, internal stream checks, node-agent preflight, and network route posture before node-level shell debugging.

Canonical sources

• doc/architecture/Terminal_WebSocket_Bridge_Architecture_v1.mdraw
• doc/architecture/Terminal_WebSocket_Bridge_Implementation_Plan_v1.mdraw
• doc/architecture/Terminal_Node_Transport_Redesign_v1.mdraw
• doc/architecture/adrs/ADR-005-terminal-gateway-isolation.mdraw
• doc/architecture/adrs/ADR-007-terminal-access-auth-model.mdraw
• doc/architecture/adrs/ADR-011-terminal-node-websocket-bridge.mdraw