From 2d51149c604b23cc97769b8f11ddaaa66100debc Mon Sep 17 00:00:00 2001 From: jester Date: Sun, 18 Jan 2026 23:58:28 +0000 Subject: [PATCH] docs: add network architecture constraints to prevent agent bypass --- CONSTRAINTS.md | 58 +++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 57 insertions(+), 1 deletion(-) diff --git a/CONSTRAINTS.md b/CONSTRAINTS.md index 5b32d97..7d25f54 100644 --- a/CONSTRAINTS.md +++ b/CONSTRAINTS.md @@ -1,4 +1,4 @@ -# ZeroLagHub – Frontend Constraints (ZLH Grind) +# ZeroLagHub — Frontend Constraints (ZLH Grind) These constraints are **non-negotiable**. They exist to prevent architectural drift, instability, and "demo-ware" UI patterns. 
@@ -50,3 +50,59 @@ They exist to prevent architectural drift, instability, and "demo-ware" UI patte - No cookies are allowed for auth - Portal stores tokens client-side (sessionStorage) - APIv1 and Pterodactyl auth patterns are forbidden + +--- + +## Network & Agent Architecture (CRITICAL) + +### Frontend Cannot Reach Agents + +**The Rule** +- Frontend must never call agents directly +- All agent access flows through API +- Container IPs are internal-only (10.x network) +- No CORS headers exist on agents + +**Why This Is Enforced** +- Agents are not web services +- They have no public network path +- Direct calls would fail (no route) +- API enforces auth, logging, rate limits + +**Correct Pattern** +``` +Frontend → API → Agent +``` + +**Forbidden Pattern** +``` +Frontend → Agent (FAILS) +``` + +### Common Violations + +**Adding CORS to Agents** +- Never add CORS headers to agents +- Agents are not HTTP APIs +- This breaks security model + +**Exposing Agent Ports** +- Do not proxy agent ports through Caddy +- Do not expose container IPs +- API is the only gateway + +**Frontend Shortcuts** +- No direct WebSocket to agent +- No fetch() to container IPs +- No "quick fixes" that bypass API + +--- + +## Enforcement + +If a change violates these constraints: +- The change must be reverted +- The documentation takes precedence +- AI tools must be corrected + +These constraints override convenience.
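Review bot: The only change in the first hunk (@@ -1,4 +1,4 @@) swaps the en dash in the "ZeroLagHub – Frontend Constraints (ZLH Grind)" heading for an em dash, which has nothing to do with the subject "docs: add network architecture constraints to prevent agent bypass". Either drop it from this patch or mention it in the commit message, so the single deletion in the diffstat is accounted for.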
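Review bot: In the second hunk (@@ -50,3 +50,59 @@), "Why This Is Enforced" asserts that direct calls "would fail (no route)" and that agents "have no public network path", but the section never names the control that makes this true, so the rule reads as a convention rather than something a reviewer can verify. Suggest adding one line that says where the isolation is configured (for example the Caddy configuration and whatever restricts the 10.x network) and how to confirm it still holds. Two wording points in the same hunk: "Agents are not web services" and "Agents are not HTTP APIs" sit oddly next to bullets about CORS headers, fetch() and WebSocket, which only apply to something that speaks HTTP, so wording such as "agents are internal services, not browser-facing APIs" would be more accurate; and "Frontend" should state whether it means browser code only or also any server-side frontend process that may itself sit on the internal network, where "no route" would not hold and the rule would rest on the API's auth, logging and rate limits alone.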