Tessera is the ten-minute version of remote access: let a teammate reach a service on your machine for one debugging session, then leave nothing behind. No VPN, no static credential, no port left open.
It's consent-gated. The tunnel doesn't exist until you type "y" at your terminal, and the coordinator in the middle is a dumb pipe. A second, end-to-end TLS handshake runs between the two ends, and the CA's private key never leaves the host, so the broker can't impersonate either side or read the payload. Every approval and denial lands in an append-only audit log.
It's pre-1.0 with no independent security review yet, so I wouldn't guard anything sensitive with it. Happy to dig into the design in the comments, especially the trust model and the metadata it does still leak.
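The trust claim above (the broker can't impersonate either side because the CA's private key stays on the host) can be seen with plain `openssl`. This is an added example, not Tessera's code: it assumes the `openssl` CLI is installed, and the names `host-ca`, `teammate`, `broker-ca` and `impostor` are hypothetical.

```shell
#!/bin/sh
# Constructed demo: every key and certificate here is throwaway and lives in a temp dir.
demo_dir=$(mktemp -d)

# make_ca NAME: create a self-signed CA (NAME.key / NAME.crt).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.crt" 2>/dev/null
}

# issue_leaf LEAF CA: create a key for LEAF and sign its certificate with CA's private key.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$demo_dir/$1.csr" \
    -CA "$demo_dir/$2.crt" -CAkey "$demo_dir/$2.key" -CAcreateserial \
    -out "$demo_dir/$1.crt" 2>/dev/null
}

# trusted_by_host_ca LEAF: succeed only if LEAF's certificate chains to the host's CA.
# The only trust anchor is host-ca.crt; no system roots and no broker input are consulted.
trusted_by_host_ca() {
  openssl verify -CAfile "$demo_dir/host-ca.crt" "$demo_dir/$1.crt" >/dev/null 2>&1
}

make_ca host-ca                 # private key stays on the host
issue_leaf teammate host-ca     # certificate the host issued for the approved peer

make_ca broker-ca               # the most a relay can do without host-ca.key
issue_leaf impostor broker-ca   # certificate minted by the relay itself

for peer in teammate impostor; do
  if trusted_by_host_ca "$peer"; then
    echo "$peer: accepted"
  else
    echo "$peer: rejected"
  fi
done
```

The relay forwards bytes for both peers, but only a certificate signed with `host-ca.key` passes the check, so a relay that terminates the inner handshake itself is rejected.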