main · *_release · release/*
thresholdsseverity ≥ minor · confidence ≥ medium · cap 12
max diff0.4 MB
pollevery 300s
NinjaRemote Peer — remote-desktop peer: screen capture, video streaming (ncstreamer/ncplayer), input injection, clipboard, chat, file transfer. Cross-platform C++/Qt (Windows/Linux/macOS/mobile).
Cross-platform remote-desktop agent in C++/Qt (qmake + vcpkg). Ships two roles that share
one core runtime and speak a custom encrypted binary transport: a streamer
(host/agent, runs elevated / as a service) and a player (viewer). Targets Windows,
Linux, macOS, Android, iOS.
common/ — transport framing + crypto (per-channel nonces, AEAD), IP/ACL, shared types.core/ — the business logic: a set of workers, each on its own QThread, talking viaQt signals/slots. Subsystems: session/channel routing, screen capture + encode, audio,
input injection, reliable bulk/file transfer, TCP tunnelling, TLS bridge, HTTP.
core/desktop/, core/codecs/, core/audio/ — per-OS capture/input, video codecs(VP8/9, H.264 incl. hardware), audio I/O + Opus. Platform-specific code is the norm here.
app/ — process scaffolding, the Glob settings container, IPC (UDP + local socket),crash handling.
ncstreamer/, ncplayer/, *-mob*/ — the role entry points/UI (desktop + mobile).filetransfer/, drivers/ (virtual display), qml/, guicommon/.implementations; a fix on one OS can regress another, and an unguarded platform API breaks
another OS's build. Platform code must be #ifdef/Q_OS_*- or .pri-guarded.
numbering, or nonce handling is protocol- and security-critical: nonce reuse or a skipped
MAC silently voids the guarantee; wire changes need version negotiation (see below).
mapping and confirmation-gating bugs have direct safety/security impact.
shared frame/queue state and guard worker shutdown against in-flight callbacks.
streamer/launcher/agent restarts; stale handles or missed cleanup lock processes out.
Crypto primitives + transport auth; the TLS bridge (cert-validation bypass is high-risk);
input injection (remote-control surface); IP/ACL access control; the confirm-to-connect flow.
Streamer and player run at different versions in the field: gate any change on the protocol
version fields; never remove/reorder a serialized field without negotiation.
ninjarmm:// URL scheme — the player's public invocation interface (backend/launcher).NC_* environment variables** — a documented operator/CI interface.Glob settings keys — persisted + cross-process; renames break upgrades.NC_IGNORE_SSL_ERROR is dev-only but operator-settable; never widen its scope._qt5code is a historical artifact; do NOT flag a change for breaking a Qt5 build or for
dropping Qt5 support. Removing dual-Qt scaffolding is fine.
don't assume parity.
_Orientation only — verify current specifics in the code; this describes durable architecture
and risk areas, not a snapshot._
How the monitored repos relate — so a change in one repo is reviewed with its blast
radius in mind (a change upstream of ncpeer can break ncpeer even if it looks local).
Orientation only; verify specifics in code.
speak the NCRP wire protocol (protocol/format changes must stay compatible across
client and server versions).
URLs, it pairs them and forwards frames verbatim. Signed join URLs are minted by the
Ninja backend — the signature scheme is a backend⇄relay contract, and the frame
semantics are a peer⇄peer contract.
a signed upload leg streams to a signed download leg through memory (never stored).
Two parallel implementations (Python ftsv2/ + Go fts_go/) must stay behaviorally
identical; the URL/signature scheme is shared-family with websocket-switch.
NinjaRemote file-transfer features ride on these relays when peers can't go direct.
or behaviour change here affects both consumers.
build against**. A dependency bump changes what those products link (security/ABI/build).
through the ncpeer_vcpkg overlay.
shares nccommon and ncpeer_vcpkg with ncpeer.
part of the remote-desktop family). Runs as a child process of the NinjaRMM agent (the
parent owns install/upgrade/policy/launch); NinjaFlow owns the CLI contract, config schema,
credential precedence, DB schema/migrations, and exit-code meanings the parent consumes —
those are cross-process contracts. Submits telemetry to the Ninja Backend. Shares no code with
ncpeer/nmsnj; adjacent to nmsnj only in domain (network), not in implementation.
not part of any product's build. It consumes the SBOMs the other products' pipelines emit
(Ninja-Remote/ncpeer, NMS/nmsnj, NinjaFlow all appear in its scope maps), scans them for CVEs
and files Jira issues — a downstream *security-scanning* relationship, not a code dependency.
Shares no code with the others; has its own DB/schema and a toolbox submodule.
authentication component: its pam_ninja.so gates SSH reverse-tunnel access into
Ninja infrastructure with a time-based OTP. Shares no code with the other repos; its
blast radius is operational (who can SSH-tunnel into hosts), not code-level. The client OTP
generators and the module must agree on the OTP scheme + shared secret.
these are *upstream* of ncpeer (and nccommon/vcpkg also of nmsnj) — weigh the consumer
side: API/ABI compatibility, build impact, and cross-platform reach.
contract.