Skip to content

Commit c6ef795

Browse files
NathanFlurryNathanFlurry
committed
docs: require close-code rejection for websocket auth/policy failures
1 parent 108b7a0 commit c6ef795

1 file changed

Lines changed: 4 additions & 0 deletions

File tree

CLAUDE.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -137,6 +137,10 @@ When the user asks to track something in a note, store it in `.agent/notes/` by
137137
- Validate and authorize all client-originated data at the engine edge before it reaches trusted internal systems.
138138
- Validate and authorize all envoy-originated data at `pegboard-envoy` before it reaches trusted internal systems.
139139

140+
## WebSocket Rejection
141+
142+
- Reject WebSocket connections (auth failures, routing errors, any rejection reason) by accepting the upgrade and sending a close frame with a meaningful close code and `<group>.<code>` reason. Do not reject with an HTTP status before the upgrade. Browser clients cannot surface HTTP status on a failed upgrade; they only see `CloseEvent.code` / `.reason`, so pre-upgrade rejection leaves them with no diagnostic. Use close code `1008` (policy violation) for auth failures, matching the `inspector.unauthorized` convention.
143+
140144
## Fail-By-Default Runtime
141145

142146
- Avoid silent no-ops for required runtime behavior. If a capability is required, validate it and throw an explicit error with actionable context instead of returning early.

0 commit comments

Comments
 (0)