ADR 0022 — OBP (Operator Bridge Proxy) — Semi-Air-Gap Internet Egress

  • Status: Accepted (formalized 2026-05-12 with v3.7.0 — scaffolds shipping in v3.7.0)
  • Date: 2026-05-10
  • Deciders: TLSStress.Art project
  • Targets: v5.x (Phase 1 Materialization scaffolds: OBP-1..4 already merged Wave 5)
  • Patent claim family: claim #14 (OBP semi-air-gap bridge)

Context

Most bench deployments are air-gapped (lab environments without Internet). But several MÓDULO functions need Internet:

  • CLONER fn #1 — clone real public websites for Persona content
  • CLONER fn #4 — monthly catalog refresh (DUT specs from vendor sites)
  • CLONER fn #6 — patch + Top-URL fetch (Tranco/Umbrella/Majestic)
  • CLONER fn #7 — Self-Upgrade channel poll (upgrade.tlsstress.art)
  • PVI Stage 1-3 (per ADR 0021) — internet-direct probes for URL validation during PURE Discovery

Forcing the bench itself to have Internet weakens the air-gap posture. Operators commonly have dual-NIC notebooks — one NIC on the OOBI mgmt segment, one NIC on the corporate WiFi / hotel Wi-Fi with Internet.

Decision

Introduce OBP (Operator Bridge Proxy) — a Go daemon that runs on the operator's notebook, accepts a time-boxed reverse tunnel from MÓDULO GATEWAY.Art, and forwards approved egress to a hard-coded allowlist of upstream destinations.

How it works

┌─ Operator notebook ─────────────────────────────────────┐
│                                                         │
│   ┌───────────────────────┐                            │
│   │ OBP daemon (Go bin)   │                            │
│   │ - allowlist hard-coded│                            │
│   │ - TLS passthrough     │                            │
│   │ - time-boxed sessions │                            │
│   │ - cosign-signed binary│                            │
│   └───────────────────────┘                            │
│         │                                              │
│         │ WSS reverse tunnel (cosign-pinned)           │
│         │ initiated by operator with "Authorize"       │
│         ▼                                              │
└──────── │ ─────────────────────────────────────────────┘
          │
          ▼ OOBI mgmt NIC
┌─ Bench K8s cluster ─────────────────────────────────────┐
│                                                         │
│   MÓDULO GATEWAY.Art (slot .250)                       │
│      │ (OBP acceptor endpoint)                         │
│      │                                                 │
│      ▼ vxlan0                                          │
│   MÓDULO CLONER.Art ◄─── egress preference order ─────│
│      ├ Direct internet (default — air-gapped: blocked) │
│      └ OBP fallback (operator-authorized session)      │
└─────────────────────────────────────────────────────────┘
                              │
                              ▼ corporate WiFi
                          Internet
                          ├ tlsstress.art (allowlisted)
                          ├ tranco-list.eu (allowlisted)
                          ├ <vendor docsites> (allowlisted)
                          └ everything else → BLOCKED

Hard rules

  1. Hard-coded allowlist, signed at build time.
  2. Build artifact: obp-allowlist.json is signed with cosign and embedded in the binary.
  3. The operator cannot edit the allowlist at runtime.
  4. TLS passthrough only — OBP never decrypts upstream traffic. No client-side cert injection; no SNI rewriting.
  5. Time-boxed sessions — default 30 minutes; the operator initiates a session via the dashboard at /admin/obp/authorize. Sessions auto-expire.
  6. Cosign-signed binary — the installer verifies the signature against a pinned key before install.
  7. Audit trail — every byte forwarded is summarized (count, destination, timestamp) in the bench audit log.

CLONER egress preference order

  1. Direct Internet from bench (if available)
  2. OBP fallback (if active session)
  3. Block (no fallback — operator sees clear error message)

Air-gapped benches typically have only path 2 available.

Allowlist composition

Destination                                        Why
-------------------------------------------------  --------------------------------------
upgrade.tlsstress.art                              Self-Upgrade channel poll
tranco-list.eu                                     Curated URL list refresh
umbrella.cisco.com                                 DNS list (auth-required)
majestic.com                                       Million list
Vendor docsites (FortiOS / PAN-OS / Cisco / etc.)  Catalog refresh
*.routeviews.org                                   BGP saturation real Internet snapshots
ntp.tlsstress.art                                  NTP source for time-skewed PVI runs

Anything else → blocked + audit-logged.
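The following Go program is an added illustration of the OBP-side decision logic described in the Hard rules, the CLONER egress preference order and the allowlist table above. It is not code from pkg/obp-daemon/ or any other TLSStress.Art artifact. It assumes a compiled-in allowlist (a constructed slice standing in for the cosign-signed obp-allowlist.json; the vendor docsite rows are represented by one placeholder name), a fixed-expiry session object for the 30-minute time box, and a per-connection audit record that counts bytes without ever inspecting the payload. The function names Allowed, NewSession, Authorize and ChooseEgress are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"time"
)

// Constructed stand-in for the build-time, cosign-signed obp-allowlist.json.
// Entries mirror the ADR table; "docs.vendor.example" is a placeholder for
// the vendor docsite rows. Nothing at runtime can append to this slice.
var allowlist = []string{
	"upgrade.tlsstress.art",
	"tranco-list.eu",
	"umbrella.cisco.com",
	"majestic.com",
	"docs.vendor.example", // placeholder, not a real allowlist entry
	"*.routeviews.org",
	"ntp.tlsstress.art",
}

// Allowed reports whether host matches the compiled-in allowlist. Exact
// entries match only that name. A "*.x" entry matches names with at least
// one label under x, never x itself and never a look-alike such as
// "notrouteviews.org". Case and a trailing dot are normalised first.
func Allowed(host string) bool {
	h := strings.TrimSuffix(strings.ToLower(host), ".")
	for _, entry := range allowlist {
		e := strings.ToLower(entry)
		if strings.HasPrefix(e, "*.") {
			suffix := e[1:] // e.g. ".routeviews.org"
			if len(h) > len(suffix) && strings.HasSuffix(h, suffix) {
				return true
			}
			continue
		}
		if h == e {
			return true
		}
	}
	return false
}

// Session is one operator-authorized egress window (hard rule 5). The expiry
// is fixed when the operator authorizes; nothing extends it afterwards.
type Session struct {
	ID        string
	StartedAt time.Time
	ExpiresAt time.Time
}

const DefaultSessionTTL = 30 * time.Minute

// NewSession clamps any requested TTL to the 30-minute default.
func NewSession(id string, now time.Time, ttl time.Duration) Session {
	if ttl <= 0 || ttl > DefaultSessionTTL {
		ttl = DefaultSessionTTL
	}
	return Session{ID: id, StartedAt: now, ExpiresAt: now.Add(ttl)}
}

func (s Session) Active(now time.Time) bool { return s.ID != "" && now.Before(s.ExpiresAt) }

// AuditRecord is the per-connection summary required by hard rule 7: byte
// count, destination and timestamp, plus the decision so blocked attempts
// are visible in the bench audit log as well.
type AuditRecord struct {
	Timestamp   time.Time
	SessionID   string
	Destination string
	Bytes       int64
	Decision    string // "forward" or "block:<reason>"
}

// Authorize gates one tunnelled connection. target is the host:port the
// tunnel presents (CONNECT target or TLS SNI plus port); the payload is only
// counted, never decrypted. Returns whether bytes may be relayed and the
// audit record to append in every case.
func Authorize(sess Session, now time.Time, target string, bytesIn int64) (bool, AuditRecord) {
	rec := AuditRecord{Timestamp: now, SessionID: sess.ID, Destination: target, Bytes: bytesIn}
	host, _, err := net.SplitHostPort(target)
	switch {
	case err != nil:
		rec.Decision = "block:bad-target"
	case !sess.Active(now):
		rec.Decision = "block:no-active-session"
	case !Allowed(host):
		rec.Decision = "block:not-allowlisted"
	default:
		rec.Decision = "forward"
		return true, rec
	}
	return false, rec
}

// ChooseEgress applies the CLONER preference order: direct, then OBP, then block.
func ChooseEgress(directAvailable bool, sess Session, now time.Time) string {
	if directAvailable {
		return "direct"
	}
	if sess.Active(now) {
		return "obp"
	}
	return "block"
}

func main() {
	now := time.Date(2026, 5, 12, 9, 0, 0, 0, time.UTC) // constructed clock
	sess := NewSession("sess-demo", now, 0)
	for _, t := range []string{"upgrade.tlsstress.art:443", "rv1.routeviews.org:443", "routeviews.org:443", "evil.example:443"} {
		ok, rec := Authorize(sess, now.Add(5*time.Minute), t, 4096)
		fmt.Printf("%-28s allowed=%-5v %s\n", t, ok, rec.Decision)
	}
	_, rec := Authorize(sess, now.Add(31*time.Minute), "upgrade.tlsstress.art:443", 10)
	fmt.Println("after expiry:", rec.Decision)
}
```

The wildcard matcher deliberately refuses the apex name and suffix look-alikes, and Authorize emits an audit record for blocked connections too, so an allowlist miss or an expired session leaves evidence rather than silently dropping the request.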

Consequences

Pros

  • Air-gap posture maintained — Internet egress only via an operator-driven session, never autonomously
  • Allowlist hard-coded — cannot be tampered with at runtime
  • Patent moat: OBP = claim #14 (unique semi-air-gap pattern)
  • Compliance: every byte audit-logged for SOC 2 / ISO 27001 evidence

Cons / risks

  • Operator notebook is single point of failure during session (acceptable — sessions are short and intentional)
  • Allowlist changes require new signed binary release
  • OBP daemon must run with elevated privileges to bind reverse tunnel (mitigated: daemon drops to user obp after bind)

Distribution

  • OBP daemon shipped as cosign-signed installer (Mac / Win / Linux)
  • Installer fetched from https://download.tlsstress.art/obp/
  • Auto-update opt-in (per OBP-4 scaffold)

References

  • Memory: discuss_obp_scope_freeze_execution_plan_2026_05_10.md
  • Code: pkg/obp-daemon/ (Go daemon, OBP-1..4 scaffolds, Wave 5)
  • ADR cross-ref: 0013 (Self-Upgrade Meraki-style — OBP delivers upgrade channel polls), 0019 (OOBI trust zones), 0021 (PURE — PVI internet egress via CLONER fn #8 → OBP)
  • Patent claim: #14