vrr/Pulse
2
0
Fork 0
mirror of https://github.com/rcourtman/Pulse.git synced 2026-04-28 03:20:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
Pulse/docs/AGENT_SECURITY.md
rcourtman 778a2577b6 feat: Pulse v6 release
2026-03-18 16:06:30 +00:00

1.3 KiB
Raw Blame History

Agent Security

Pulse agents incorporate several security mechanisms to ensure that the code running on your infrastructure is authentic and untampered with.

Self-Update Security

The agent's self-update mechanism is critical for security and stability. To prevent supply chain attacks or compromised update servers from distributing malicious or broken agents, Pulse employs a rigorous verification process.

1. Checksum Verification

The agent verifies a SHA-256 checksum of the downloaded binary. The server must provide X-Checksum-Sha256; updates are rejected if the header is missing or mismatched.

2. Signature Verification (Optional)

When present, Ed25519 signatures (X-Signature-Ed25519) add an extra validation layer on top of checksums.

3. Pre-Flight Checks

To prevent "brick-updates"—bad updates that crash immediately and require manual recovery—agents perform pre-flight validation before replacing the running executable.

Unified agent (pulse-agent):

  1. Download new binary.
  2. Verify checksum (required).
  3. Validate binary magic (ELF/Mach-O/PE) and size limits (100MB max).
  4. Make executable and swap atomically.

API Security

  • Token Authentication: All agent-to-server communication requires a valid API token.
  • TLS: Encrypted by default (unless specifically disabled).