Security

Proven primitives. New compositions, written down.

This page lists the primitives RemoteOS depends on and the compositions we wrote on top of them. Anything not on this page is not in the product.

Primitives in use

Password at rest

Argon2id (argon2 crate, default cost)

Salted per-user. Verified via PasswordHash::new + Argon2::verify_password.

Auth tokens

JWT, HS256, 1-hour access + refresh pair

Tokens carry sub, email, role, exp, iat, jti, token_type. Refresh issues a fresh access token without re-entering the password.
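The access/refresh pair described above, as an added example in Python (the project's server is Rust, and this is not its code): tokens carry the listed claims, the access token lives one hour, and refresh mints a new access token from a valid refresh token without touching the password. Assumed, not taken from the page: the refresh lifetime, the signing key being a server-held secret, and that a refresh is rejected unless the presented token carries token_type "refresh", has a valid MAC under a pinned HS256 algorithm and is unexpired. A real deployment would use a JWT library; this shows the checks.

```python
"""HS256 access/refresh pair with the claims sub, email, role, exp, iat, jti,
token_type (added example; stdlib only, not the project's code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

ACCESS_TTL = 3600          # 1-hour access token, as the page states
REFRESH_TTL = 30 * 86400   # assumed refresh lifetime (not from the page)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                                separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, expected_type: str, now=None) -> dict:
    """Return the claims or raise ValueError.

    Order matters: pin the algorithm before trusting anything in the header,
    check the MAC in constant time, then enforce token_type and exp.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_unb64url(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p))
    if claims.get("token_type") != expected_type:
        raise ValueError("wrong token_type")   # a refresh token is not an access token
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def issue_pair(user: dict, key: bytes, now=None) -> tuple:
    """Login-time issuance: one access token and one refresh token."""
    now = int(time.time() if now is None else now)
    base = {"sub": user["id"], "email": user["email"], "role": user["role"], "iat": now}
    access = {**base, "exp": now + ACCESS_TTL, "jti": secrets.token_hex(16),
              "token_type": "access"}
    refresh = {**base, "exp": now + REFRESH_TTL, "jti": secrets.token_hex(16),
               "token_type": "refresh"}
    return sign_jwt(access, key), sign_jwt(refresh, key)


def refresh_access(refresh_token: str, key: bytes, now=None) -> str:
    """Mint a fresh access token from a valid refresh token; no password involved."""
    claims = verify_jwt(refresh_token, key, "refresh", now)
    now = int(time.time() if now is None else now)
    access = {"sub": claims["sub"], "email": claims["email"], "role": claims["role"],
              "iat": now, "exp": now + ACCESS_TTL, "jti": secrets.token_hex(16),
              "token_type": "access"}
    return sign_jwt(access, key)


if __name__ == "__main__":
    # Constructed key and user for a local run.
    key = secrets.token_bytes(32)
    user = {"id": "u-1", "email": "alice@example.com", "role": "admin"}
    access, refresh = issue_pair(user, key)
    print(verify_jwt(access, key, "access"))
    print(verify_jwt(refresh_access(refresh, key), key, "access")["token_type"])
```

Each token gets its own jti, so a refresh token can later be revoked individually (for instance by listing used jtis in the audit ledger) without touching the others.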

Login lockout

5 failed attempts → 429 Too Many Requests

Locks per email; failed attempts are written to the audit ledger.

Media plane

ChaCha20-Poly1305 over X25519 ECDH

Implemented in rust_remote_desktop/src/key_exchange.rs. Per-session ephemeral keys; derivation happens on the endpoints.

Transport (web client)

TLS 1.3 over QUIC (HTTP/3) to api.remoteos.science

WebRTC carries the media plane between peers today. A Media-over-QUIC track is in development; the harness lives in the repo.

NAT traversal

ICE / STUN / TURN (RFC 8445) via coturn

Relay is used only when peer-to-peer fails.

Audit ledger

Append-only Postgres table, hash-chained per row

Each row carries previous_hash and event_hash. Walking the chain offline detects tampering; the ledger lives in your account, or in a self-hosted Postgres you control.

Compositions we wrote

Hash-chained audit log over Postgres

Postgres is proven; the chaining sits on top — each row writes the previous row's hash, and a startup-time chain-tip lookup resumes the sequence across restarts so a process bounce doesn't reset the chain. Ed25519 row-signatures are the next composition on top of this.
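The chain described above together with the login lockout from the primitives list, as an added example in Python rather than the project's Rust code: each row commits to the previous row's hash, a constructor-time chain-tip lookup resumes the sequence after a restart, every failed login is appended to the ledger, and an offline walk reports the first row that no longer verifies. Assumed, not from the page: SHA-256 as the row hash, canonical JSON as the hashed event encoding, an all-zero genesis previous_hash, 401 for a failed attempt below the threshold, and a plain Python list standing in for the append-only Postgres table.

```python
"""Hash-chained audit ledger with per-email login lockout (added example)."""
import copy
import hashlib
import json
from dataclasses import dataclass

GENESIS_HASH = "0" * 64   # assumed sentinel previous_hash for the first row
LOCKOUT_THRESHOLD = 5     # 5 failed attempts -> 429, as the page states


def event_hash(previous_hash: str, event: dict) -> str:
    """SHA-256 over previous_hash || canonical JSON of the event (assumed encoding)."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((previous_hash + canonical).encode()).hexdigest()


@dataclass
class Row:
    event: dict
    previous_hash: str
    event_hash: str


class Ledger:
    """Append-only rows; each row commits to its predecessor's hash."""

    def __init__(self, existing_rows=None):
        self.rows = list(existing_rows or [])
        # Startup-time chain-tip lookup: resume from the last stored row so a
        # process bounce continues the chain instead of restarting at genesis.
        self.tip = self.rows[-1].event_hash if self.rows else GENESIS_HASH

    def append(self, event: dict) -> Row:
        row = Row(event, self.tip, event_hash(self.tip, event))
        self.rows.append(row)
        self.tip = row.event_hash
        return row


def verify_chain(rows) -> tuple:
    """Offline walk. Returns (True, -1) or (False, index of first bad row).

    A row is bad if its previous_hash does not equal the prior row's
    event_hash, or if its event_hash does not recompute from its contents.
    """
    expected_prev = GENESIS_HASH
    for i, row in enumerate(rows):
        if row.previous_hash != expected_prev:
            return False, i
        if row.event_hash != event_hash(row.previous_hash, row.event):
            return False, i
        expected_prev = row.event_hash
    return True, -1


class LoginGuard:
    """Per-email failure counter; every failure lands in the ledger."""

    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self.failures = {}

    def attempt(self, email: str, password_ok: bool) -> int:
        """Return the HTTP status the login endpoint would answer with."""
        if self.failures.get(email, 0) >= LOCKOUT_THRESHOLD:
            self.ledger.append({"type": "login.locked", "email": email})
            return 429
        if password_ok:
            self.failures.pop(email, None)
            self.ledger.append({"type": "login.ok", "email": email})
            return 200
        self.failures[email] = self.failures.get(email, 0) + 1
        self.ledger.append({"type": "login.failed", "email": email,
                            "count": self.failures[email]})
        return 429 if self.failures[email] >= LOCKOUT_THRESHOLD else 401


def tamper_demo() -> tuple:
    """Six failed logins, a simulated restart, then a silent edit of row 2."""
    ledger = Ledger()
    guard = LoginGuard(ledger)
    statuses = [guard.attempt("alice@example.com", False) for _ in range(6)]  # constructed
    before = verify_chain(ledger.rows)
    resumed = Ledger(ledger.rows)            # process bounce: tip is looked up, not reset
    resumed.append({"type": "server.start"})
    after_restart = verify_chain(resumed.rows)
    tampered = copy.deepcopy(resumed.rows)
    tampered[2].event["email"] = "mallory@example.com"   # edit made directly in storage
    return statuses, before, after_restart, verify_chain(tampered)


if __name__ == "__main__":
    print(tamper_demo())
```

Because row 3 still stores row 2's original event_hash, the walk flags row 2 itself rather than a later row, which is what an investigator wants: the first index that fails is the earliest point the stored data diverges from what was written.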

Codec selection driven by capability detection

ird-runtime detects what the host actually has (VideoToolbox today on macOS) and chooses bitrate, keyframe interval, and temporal-base fraction at runtime — instead of asking the operator to pick. The selector's output flows into the encoder; no codec is enabled without a verified capability path.

Self-hostable backend with isolated containers

Postgres, Valkey, and coturn each run in their own container with health checks. The Rust server is a single systemd unit with Restart=on-failure. The whole stack is one docker-compose up away on a fresh box; nothing in the design assumes our hosting.

Reporting an issue

Report security issues to [email protected].

We respond within 72 hours. We do not run a paid bounty today, but we credit reporters by name (with permission) in the changelog and the audit ledger itself.

For machine-readable contact information, see /.well-known/security.txt.
Last updated 2026-05-22. Schema and source links live in the repo.