← Case Studies/Case #004/C4-006
C4-006DecidedSystem ArchitectureDerived2026-04-05

Maintain a Portable Secure Work Node as the Primary Remote Execution Surface

One portable endpoint serves as the primary remote execution surface. Reachable from variable networks, supports heavier local workloads when required, and maintains continuity between office and travel contexts without moving sensitive work onto personal devices or cloud services. This is the endpoint the window opens onto.

Freshness
Active

Active. Reverify if the portable endpoint stops being the practical remote anchor or if policy changes remove its suitability.

Dependencies
C4-005: Assign Distinct Roles to Distinct Machines — No Unified Pattern

Used by

C4-007: Keep the Office Automation Node Awake Only When Automation Is ActiveC4-016: Publish the Reasoning Chain — Obfuscate the Deployment
#portable-node#remote-execution#travel-continuity#heavy-inference

Capture

One portable work endpoint must remain reachable from outside the office and capable of hosting sensitive, heavier local workloads when required.

This is the endpoint the window opens onto. When the operator is away, this is where the work stays.

Why

A portable secure work node preserves continuity between office and travel contexts without forcing sensitive activity onto personal devices or cloud services.

Without a designated portable execution surface, the operator faces a false choice: either leave sensitive work behind entirely when traveling, or move it onto personal devices or cloud services — both of which violate the trust boundary established in C4-001.

The portable node resolves this by being present in both contexts. In the office, it can be used locally. Away from the office, it is the remote execution anchor reachable through the private overlay. The trust model stays intact in both modes because the work never had to move.

Portability is a property of the device's physical form, not of the data on it. The device travels with the operator; the sensitive execution context stays on the device but does not escape it.

Why-Not

Why not use the office-bound node for all remote work? Office dependency weakens resilience and mobility. A stationary node that cannot be taken to a different location or accessed under varied network conditions is a single point of operational failure. When the operator travels, the work must remain accessible — not dependent on physical presence at the office.

Why not perform heavier work directly on personal client devices? This breaks the control/execution separation established in C4-002. A personal device that hosts sensitive execution state has crossed from a control surface to an execution surface — with all the custody and exposure implications that follow.

Constraints

Commit

Decision: Maintain a portable secure work node as the designated remote execution anchor. It remains reachable through the private overlay, capable of heavier local inference under admission control (C4-010), and operable in both remote and local contexts.

Confidence: High. This is the execution surface the entire remote operation model depends on.

Timestamp

2026-04-05

C4-005C4-007