Skip to content

Commit 6ac729a

Browse files
NathanFlurryNathanFlurry
committed
docs: require close-code rejection for websocket auth/policy failures
1 parent 30e8ba6 commit 6ac729a

1 file changed

Lines changed: 4 additions & 0 deletions

File tree

CLAUDE.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -313,6 +313,10 @@ When the user asks to track something in a note, store it in `.agent/notes/` by
313313
- Validate and authorize all client-originated data at the engine edge before it reaches trusted internal systems.
314314
- Validate and authorize all envoy-originated data at `pegboard-envoy` before it reaches trusted internal systems.
315315

316+
## WebSocket Rejection
317+
318+
- Reject WebSocket connections (auth failures, routing errors, any rejection reason) by accepting the upgrade and sending a close frame with a meaningful close code and `<group>.<code>` reason. Do not reject with an HTTP status before the upgrade. Browser clients cannot surface HTTP status on a failed upgrade; they only see `CloseEvent.code` / `.reason`, so pre-upgrade rejection leaves them with no diagnostic. Use close code `1008` (policy violation) for auth failures, matching the `inspector.unauthorized` convention.
319+
316320
## Fail-By-Default Runtime
317321

318322
- Avoid silent no-ops for required runtime behavior. If a capability is required, validate it and throw an explicit error with actionable context instead of returning early.

0 commit comments

Comments
 (0)