Endpoint Agent Binary Plan

ADR-0019 records the OneProtect endpoint agent boundary. The runtime now lives in the standalone oneconnect-agent repository rather than this monorepo.

Why This Matters

OP-032R and OP-052 give the platform enrollment and telemetry surfaces, but the software that runs on tenant endpoints still needs a clear home. This note keeps that future implementation anchored before runtime work moves further into discovery, SSH, macOS, Intune, or commands.

Planned Implementation

  • Separate Go module under agent/.
  • Entry point in agent/main.go.
  • Enrollment command for one-time token exchange.
  • Run command for the heartbeat loop.
  • Local identity storage for agent_id, certificate, private key, and the runtime-lite heartbeat service_account_token returned by enrollment.
  • Telemetry collector for host inventory and basic metrics.
  • HTTP platform client with future mTLS support.
  • Cross-compilation scripts for Windows/amd64, macOS/arm64, Linux/amd64, and Linux/arm64.

Boundary

This feature note describes the boundary. The agent/ module must not be added to this repo; platform-side contract changes that affect the agent live in OpenAPI, ADRs, and the enrollment/heartbeat services.

The future agent is a lightweight telemetry reporter. It is not remote shell, patch management, software deployment, EDR, or log forwarding.

Status Update

The agent runtime now lives in the standalone oneconnect-agent repository rather than a top-level agent/ directory in oneconnect. ADR-0019 remains the boundary decision; the architect chose to spin out the implementation so cross-repo concerns are explicit and the agent ships on an independent release cadence. This plan note is preserved as the historical anchor for why the boundary exists.

For implementation details, build instructions, and the runtime feature note, see the oneconnect-agent repository directly.

OP-075 adds the platform-issued runtime-lite heartbeat token to the exchange contract. With it, the standalone agent can enroll, remove the bootstrap enrollment token, persist the heartbeat credential under protected config permissions, and post identity-bound heartbeats until enforced mTLS replaces that bearer path.
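The local identity storage bullet above and the OP-075 exchange contract both describe a credential that must survive restarts without being readable by other local users. The following is an added Go example, not code from the oneconnect-agent repository: the file name identity.json, the JSON field names, and the bootstrap token path are assumptions, and the config directory is assumed to already exist.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// Identity is the enrollment result kept locally; JSON field names are assumed.
type Identity struct {
	AgentID             string `json:"agent_id"`
	CertificatePEM      string `json:"certificate"`
	PrivateKeyPEM       string `json:"private_key"`
	ServiceAccountToken string `json:"service_account_token"`
}

// SaveIdentity writes identity.json owner-only (0600) from the first byte so the
// heartbeat bearer token is never exposed, then removes the spent bootstrap token.
func SaveIdentity(dir string, id Identity, bootstrapTokenPath string) error {
	data, err := json.Marshal(id)
	if err != nil {
		return err
	}
	if err := os.WriteFile(filepath.Join(dir, "identity.json"), data, 0o600); err != nil {
		return err
	}
	if err := os.Remove(bootstrapTokenPath); err != nil && !os.IsNotExist(err) {
		return err
	}
	return nil
}

// LoadIdentity refuses a credential file that is group- or world-accessible.
func LoadIdentity(dir string) (Identity, error) {
	path := filepath.Join(dir, "identity.json")
	info, err := os.Stat(path)
	if err != nil {
		return Identity{}, err
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return Identity{}, fmt.Errorf("%s has mode %o, expected 0600", path, perm)
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return Identity{}, err
	}
	var id Identity
	return id, json.Unmarshal(data, &id)
}
```

A second SaveIdentity after the bootstrap token is already gone succeeds, so re-enrollment does not fail on a missing file.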