security: isolate and clean up data used by remote desktop workers #93

@ibourgeois

Context

As a security-conscious operator, I need remote desktop worker jobs to keep instance data private, secure, and cleaned up after execution so enabling shared local compute does not leak sensitive information onto worker machines.

Acceptance Criteria

  • Remote desktop worker jobs run with an explicit security model for authenticated instances only.
  • Job payloads define what data may be materialized on a worker machine and for how long.
  • Sensitive working data is cleaned up after job completion or failure.
  • The worker model documents how privacy, secure transport, local persistence, and cleanup are enforced.

Notes

This issue should prioritize security over convenience. The queue may be available to all authenticated workers, but the execution model must ensure private data is scoped, protected, and removed when the work is done.

Out of Scope

  • Generic queue routing design.
  • First-run onboarding or connection switching UX.
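
One way a worker could meet the materialization and cleanup criteria above, shown as an added sketch that is not code from this project. The payload schema (`materialize`, `ttl_seconds`) and the names `job_workspace`, `run_job` and `PayloadError` are assumptions made for illustration.

```python
import os, shutil, tempfile, time
from contextlib import contextmanager

class PayloadError(Exception):
    """Payload asked to write outside the per-job workspace."""

@contextmanager
def job_workspace(payload):
    # Hypothetical payload: {"ttl_seconds": int, "materialize": {relpath: bytes}}
    # mkdtemp creates the directory with mode 0700 (owner only).
    root = os.path.realpath(tempfile.mkdtemp(prefix="rdw-job-"))
    expires = time.monotonic() + payload["ttl_seconds"]
    try:
        for rel, data in payload["materialize"].items():
            dest = os.path.realpath(os.path.join(root, rel))
            # Only paths strictly inside the workspace may be materialized.
            if dest == root or os.path.commonpath([root, dest]) != root:
                raise PayloadError(f"path escapes workspace: {rel!r}")
            os.makedirs(os.path.dirname(dest), mode=0o700, exist_ok=True)
            # O_EXCL refuses to follow or overwrite anything already present.
            fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "wb") as fh:
                fh.write(data)
        yield root, expires
    finally:
        # Runs on success, on job failure, and on payload rejection.
        shutil.rmtree(root, ignore_errors=True)

def run_job(payload, work):
    """Run work(root); return (status, workspace_path). The path no longer exists on return."""
    seen = None
    try:
        with job_workspace(payload) as (root, expires):
            seen = root
            work(root)
            if time.monotonic() > expires:
                raise TimeoutError("job outlived the TTL declared for its data")
        return "ok", seen
    except PayloadError:
        return "rejected", seen
    except Exception:
        return "failed", seen
```

`shutil.rmtree` unlinks the files but does not overwrite disk blocks, so full-disk encryption or a tmpfs-backed temp directory would still be needed where residual data on the worker's storage matters.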
