Skip to content

Terminal & Screen Streaming

The CookieSigner issues and verifies HMAC-signed cookies (e.g., scribe_admin) that authenticate subsequent admin browser traffic . These cookies contain an issued timestamp, a session ID, and an HMAC signature 1. Invalidation is handled through three mechanisms: factory_reset rotates the signing key by bumping the auth_version, logout adds the session ID to a revocation list, and natural expiry occurs after max_age_seconds (default 7 days). A distinct CookieSigner instance handles the scribe_kiosk cookie, which is bound to the Role.KIOSK principal for cage chromium sessions on GB10 hardware, ensuring domain separation between admin and kiosk cookies.

The TicketStore mints short-lived, single-use nonces required for the terminal WebSocket handshake . Tickets are formatted as <rand64>.<hmac64> and are consumed immediately upon use to prevent replay 2. A background sweep task removes expired tickets every 30 seconds.

diagram

The terminal server exposes a tmux-first PTY over a WebSocket, utilizing a vendored xterm.js client for the in-browser panel 3. The WebSocket handshake requires both a valid scribe_admin cookie and a valid single-use HMAC ticket from the TicketStore .

Admin WebSocket connections are tracked by session ID in state._admin_ws_by_session 2. The register_admin_ws context manager manages the lifecycle of these connections, adding the WebSocket to the session’s set upon entry and removing it on exit. If a session is revoked (e.g., via logout), the system iterates through all WebSockets associated with that session ID and closes them with code 1008 (revoked). This ensures that re-authentication on the same browser invalidates the previous session’s terminal access.

The architecture supports screen streaming for admin and kiosk displays, utilizing WebRTC for the streaming mechanism 3. Kiosk displays are authenticated via the scribe_kiosk cookie, which is issued by the /kiosk-bootstrap endpoint to the cage chromium session running on the GB10 hardware . This cookie binds the session to the Role.KIOSK principal, restricting access to kiosk-allowlisted endpoints while preventing write operations (PUT/POST/DELETE) on the admin surface .