Record remote mobile host boundary review

[nisavid]

Summary

• Adds docs/maintainers/remote-mobile-host-boundary-review.md as the durable host-state matrix and security-review evidence surface for issue Review experimental remote-control and Codex mobile host boundary #59.
• Links that review note from the docs index, security backlog, and threat model.
• Adds regression coverage for Linux remote-control auto-connect when local host identity is missing and when the first connection snapshot is empty.

Refs #59.

Current Status

Ready to merge for the repo-local evidence and tests in this PR. This does not close #59: issue closure still needs live mobile/account validation that the mobile side sees the intended thread/session and that the first mobile action reaches that live host thread/session.

Security Review

• remote-control-ui is documented as Linux UI/copy exposure only, not authorization or enrollment proof.
• remote-mobile-control evidence records the local boundaries for XDG software device keys, Desktop app-server ownership, standalone daemon fallback, and local-installation-only auto-connect.
• OpenAI-hosted account, enrollment, MFA, mobile-client authorization, and first-action routing remain live evidence requirements before issue closure.
• GitHub secret scanning could not run because GitHub Advanced Security is not enabled for this repository. A narrow local high-confidence pattern scan over the changed files had no matches.

Verification

Local:

• git fetch origin main
• git rebase --autostash origin/main
• node --test port-integrations/remote-mobile-control/test.js passed (49/49)
• node --test port-integrations/remote-control-ui/test.js passed (4/4)
• node --test scripts/patch-linux-window-ui.test.js passed (161/161)
• git diff --check passed
• git diff --cached --check passed before commits
• VM-realm assertion reproduction confirmed direct assert.deepEqual(params, {}) fails for the test harness, while assert.deepEqual(structuredClone(params), {}) passes

GitHub:

• Latest PR head: c8a9f73d0c451a5f24a47eea73645d9f5d0c9837
• All required checks passed: Rust and Smoke Tests, CodeQL Advanced, CodeQL, Clippy SARIF, clippy, Debian/RPM/pacman package builds, Nix package builds, CodeRabbit, and Greptile Review.

Review Notes

• Ralph Review Cycle 1 found that the security backlog did not link to the new durable review note; fixed in this branch.
• Ralph Review Cycle 2 was clean for the initial local diff.
• Greptile then identified missing params assertions in the new tests; fixed and verified.
• CodeRabbit identified the same params coverage gap, then suggested a direct deep equality assertion that was rejected with evidence because the params object is produced in a VM realm. The current normalized assertion is verified locally.
• Latest thread-aware PR state shows CodeRabbit approved, Greptile clean, no unresolved review threads, and merge state clean.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds maintainer documentation that defines a host-state evidence matrix for remote-control and Codex mobile review, updates related docs to reference it, and adds two integration tests validating enablement-bridge auto-connect behavior for missing identity and empty connection-snapshot cases.

Changes

Issue #59: Remote Mobile Host Boundary Review

Layer / File(s)	Summary
Host Boundary Review Documentation Gate docs/maintainers/remote-mobile-host-boundary-review.md, docs/README.md, docs/maintainers/security-backlog.md, docs/maintainers/threat-model.md	New maintainer document defines the review gate and host-state evidence matrix (enrollment/UI, daemon liveness, Linux device-key store, thread/session routing), plus review rules and local validation commands; README, security backlog, and threat model now reference it.
Auto-Connect Behavior Integration Tests port-integrations/remote-mobile-control/test.js	Two new async tests: one asserts auto-connect is disabled for all remote hosts when local installation identity is missing; the other asserts the bridge refreshes connections when the initial snapshot is empty and then enables auto-connect only for the refreshed local host.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• nisavid/codex-app-linux#68: Edits to docs/maintainers/security-backlog.md—both PRs touch the backlog entry for issue #59.
• nisavid/codex-app-linux#12: Related modifications to docs/maintainers/threat-model.md affecting manual security review focus.

Poem

🐰 I nibbled through docs to draw a clear line,

threads and keys and daemon signs align.
Two tests now hop across the bridge to be sure,
when identity’s missing or snapshots are poor.
A crunchy carrot of evidence—neat and fine.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately captures the main objective: recording the remote mobile host boundary review documentation and evidence for issue #59.
Linked Issues check	✅ Passed	The PR substantially addresses issue #59 requirements by creating host-state matrix documentation, adding integration tests, linking security evidence, and documenting verification steps and scope.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to issue #59: documentation of host-state matrix, security review evidence, threat model updates, and regression tests for remote-control auto-connect behavior.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nisavid]

@CodeRabbit-ai review

[coderabbitai]

@nisavid Sure, I'll review the changes in this PR!

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[greptile-apps]

Greptile Summary

This PR adds the durable host-state evidence document for issue #59, wires it into the docs index, security backlog, and threat model, and provides two new integration tests covering the missing-local-identity and empty-snapshot auto-connect branches.

• docs/maintainers/remote-mobile-host-boundary-review.md is a new evidence surface that cleanly separates repo-local test coverage from live mobile/account validation requirements still pending before issue closure.
• Two new tests in port-integrations/remote-mobile-control/test.js cover the "no local identity → all hosts disconnected" and "empty snapshot → refresh before selecting host" paths; both tests include the enabled and key-name assertions that previous review cycles flagged as missing.

Confidence Score: 5/5

Safe to merge — all changes are documentation and tests with no production code modifications.

The PR adds a new maintainer doc, cross-references in three existing docs, and two integration tests. No production logic is touched. The new tests address the assertion gaps flagged in prior review cycles, and the 49/49 test suite passes. The boundary review document accurately reflects the split between repo-local evidence and live validation still pending for issue closure.

No files require special attention.

Important Files Changed

Filename	Overview
port-integrations/remote-mobile-control/test.js	Adds two new integration tests covering the "no local identity → leave all hosts disconnected" and "empty snapshot → refresh before auto-connect" branches; previous review gaps (missing enabled and key assertions) are now addressed in these tests.
docs/maintainers/remote-mobile-host-boundary-review.md	New durable evidence surface for issue #59; clearly separates repo-local test coverage from live evidence requirements and scopes security review assertions appropriately.
docs/maintainers/security-backlog.md	Adds a cross-reference from the issue #59 backlog entry to the new host-boundary review doc; no logic changes.
docs/maintainers/threat-model.md	Expands the "Evidence" and "Gaps" paragraphs to reflect the new test coverage and adds a link to the new boundary review doc; prose is accurate and consistent with the test additions.
docs/README.md	Index entry added for the new boundary review doc; no issues.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[set-remote-control-connections-enabled\nenabled: true] --> B{remoteControlConnections\nempty?}
    B -- No --> C[get-global-state\nkey: electron-local-remote-control-installation-id]
    B -- Yes --> D[refresh-remote-control-connections]
    D --> E[Use local_remote_control_installation_id\nfrom sharedObjects]
    C --> F{localId\npresent?}
    E --> G[Match each connection\ninstallation_id vs localId]
    F -- No --> H[set-remote-connection-auto-connect\nautoConnect: false for ALL hosts]
    F -- Yes --> I[Match each connection\ninstallationId vs localId]
    I --> J{installationId\n== localId?}
    G --> K{installation_id\n== localId?}
    J -- Yes --> L[autoConnect: true]
    J -- No --> M[autoConnect: false]
    K -- Yes --> N[autoConnect: true]
    K -- No --> O[autoConnect: false]

Loading

_{Reviews (4): Last reviewed commit: "test(remote-mobile): normalize refresh p..." | Re-trigger Greptile}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@port-integrations/remote-mobile-control/test.js`:
- Around line 1283-1284: Replace the two-line check of calls[1].params with a
single idiomatic assertion that verifies it is exactly an empty object;
specifically, remove the assert.equal(calls[1].params != null, true) and
assert.equal(Object.keys(calls[1].params).length, 0) and use a single
deep/object equality assertion (e.g., assert.deepStrictEqual or
assert.deepEqual) against {} for calls[1].params so the test fails if params is
null, undefined, an array, or any non-empty object.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 85f198ac-90d8-4fab-b0a5-28509c0f1021

📥 Commits

Reviewing files that changed from the base of the PR and between 8d96b3d and da2a099.

📒 Files selected for processing (1)

• port-integrations/remote-mobile-control/test.js

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@port-integrations/remote-mobile-control/test.js`:
- Line 1283: The assertion uses an unnecessary structuredClone wrapper; update
the test to call assert.deepEqual directly on the params object (replace
assert.deepEqual(structuredClone(calls[1].params), {}); with
assert.deepEqual(calls[1].params, {});) so the deep comparison is idiomatic and
avoids an unneeded clone of calls[1].params.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: ac0fcf7e-1846-4813-9798-e86a6282416c

📥 Commits

Reviewing files that changed from the base of the PR and between da2a099 and c8a9f73.

📒 Files selected for processing (1)

• port-integrations/remote-mobile-control/test.js

Dismissed as invalid after local verification: direct assert.deepEqual(calls[1].params, {}) fails for the VM-realm params object, while the structuredClone-normalized assertion preserves the exact empty-object check and node --test port-integrations/remote-mobile-control/test.js passes 49/49.