master · main · *_release · release/*
thresholdsseverity ≥ minor · confidence ≥ medium · cap 12
max diff0.4 MB
pollevery 300s
QC Launcher — Quick Connect launcher client that bootstraps and runs the NinjaRemote quick-connect session. Qt/C++.
Customer-facing Qt6/C++ desktop app (Windows and macOS) that bootstraps a NinjaRemote
Quick Connect session: it registers/authenticates the device with the NinjaOne backend over
WAMP/WebSocket + TLS, then on backend command fetches, integrity-verifies, installs,
and launches the ncstreamer process (also handles RMM agent install + self-cleanup). qmake.
downloader/ — standalone bootstrapper that runs first: fetches the launcher binary(invitation-code flow), verifies its hash, unpacks, launches it, reports, self-cleans.
launcher/ — main binary: login/registration, WAMP session, system-tray UI, and theRPC action handlers the backend calls to start / start-as-user / install-agent /
uninstall; launcher/internal/ process + bootstrap helpers (elevation, run-as-user, IPC).
wrk/ — WAMP worker (Autobahn over WS+TLS, proxy-aware) + a retrying HTTP worker.common/ — run-as/sudo wrapper, zip, retry; fingerprint/, njlog/, shared security lib.derived from downloads/config — shell-injection and TOCTOU surface; server-supplied
content must never be shell-interpolated.
written to a session file and passed to ncstreamer — verify nothing is shell-interpolated
and the temp file isn't world-readable/writable.
check must be un-skippable on every error / early-quit path.
is deleted on a timer, not immediately — wrong perms, leaks, or a missed timer expose it.
needed and never expose credentials in argv or logs.
check on a new handler is high-severity.
The macOS shell-out paths; credential handling in the start-as-user flow and the sudo wrapper;
bootstrap-arg parsing from an elevated process; proxy credentials.
result/error tuples are a contract with the backend.
ncstreamer — field changes break the streamer.with a filename-based fallback) — packaging/signing changes can break param extraction.
paths (hangs).
_Orientation only — verify current specifics in the code; this describes durable architecture
and risk areas, not a snapshot._
How the monitored repos relate — so a change in one repo is reviewed with its blast
radius in mind (a change upstream of ncpeer can break ncpeer even if it looks local).
Orientation only; verify specifics in code.
speak the NCRP wire protocol (protocol/format changes must stay compatible across
client and server versions).
URLs, it pairs them and forwards frames verbatim. Signed join URLs are minted by the
Ninja backend — the signature scheme is a backend⇄relay contract, and the frame
semantics are a peer⇄peer contract.
a signed upload leg streams to a signed download leg through memory (never stored).
Two parallel implementations (Python ftsv2/ + Go fts_go/) must stay behaviorally
identical; the URL/signature scheme is shared-family with websocket-switch.
NinjaRemote file-transfer features ride on these relays when peers can't go direct.
or behaviour change here affects both consumers.
build against**. A dependency bump changes what those products link (security/ABI/build).
through the ncpeer_vcpkg overlay.
shares nccommon and ncpeer_vcpkg with ncpeer.
part of the remote-desktop family). Runs as a child process of the NinjaRMM agent (the
parent owns install/upgrade/policy/launch); NinjaFlow owns the CLI contract, config schema,
credential precedence, DB schema/migrations, and exit-code meanings the parent consumes —
those are cross-process contracts. Submits telemetry to the Ninja Backend. Shares no code with
ncpeer/nmsnj; adjacent to nmsnj only in domain (network), not in implementation.
not part of any product's build. It consumes the SBOMs the other products' pipelines emit
(Ninja-Remote/ncpeer, NMS/nmsnj, NinjaFlow all appear in its scope maps), scans them for CVEs
and files Jira issues — a downstream *security-scanning* relationship, not a code dependency.
Shares no code with the others; has its own DB/schema and a toolbox submodule.
authentication component: its pam_ninja.so gates SSH reverse-tunnel access into
Ninja infrastructure with a time-based OTP. Shares no code with the other repos; its
blast radius is operational (who can SSH-tunnel into hosts), not code-level. The client OTP
generators and the module must agree on the OTP scheme + shared secret.
these are *upstream* of ncpeer (and nccommon/vcpkg also of nmsnj) — weigh the consumer
side: API/ABI compatibility, build impact, and cross-platform reach.
contract.