SECURITY MODEL

Treat the browser as hostile. Treat control channels as privileged.

In validation

A real browser executes untrusted content and can hold valuable session state. Tabyard starts private and hardens each boundary before it becomes reachable.

TRUST BOUNDARIES

The agent gets a session—not your host.

Operator and agent traffic enter through a private access boundary. The control plane owns policy. Workers receive only what their current lease requires.

Agent hostscoped request
Private accessidentity + grant
Control planepolicy + audit
Worker zonehostile content boundary
Public webrestricted egress

PRIMARY THREATS

Controls map to concrete failure modes.

01

Privileged browser channels

A reachable CDP or live-view URL can expose browser actions and state.

Keep worker ports private and put short-lived, revocable grants at the gateway.

02

Hostile web content

A browser can be driven toward internal services, metadata endpoints, or unsafe downloads.

Separate worker networks, restrict egress, cap resources, and never mount the Docker socket.

03

Credential and trace leakage

Cookies, proxy credentials, form values, and model keys can escape through logs or artifacts.

Redact by default, scope secrets to a lease, encrypt durable state, and limit retention.

CURRENT LIMITS

Private validation is not public readiness.

  • 01

    One root control key authorizes the validation slice.

  • 02

    Raw worker endpoints remain reachable from the host and explicit SSH forwards.

  • 03

    Runtime egress filtering and durable reconciliation are Phase 2 controls.

  • 04

    No sensitive identity is used until an immutable runtime digest passes isolation tests.

PUBLIC-EXPOSURE GATE

No raw CDP port. No shortcuts.

The control plane stays private until every item below is implemented and tested.

  1. 01Authenticated dashboard and API identity boundary
  2. 02Signed CDP and live-view gateway with rapid revocation
  3. 03Hashed scoped agent tokens and concurrency policy
  4. 04Destination filtering with redirect and DNS-rebinding checks
  5. 05Pinned runtime images with release and isolation evidence
  6. 06Encrypted sensitive state plus tested backup and restore

DELIVERY ORDER

Security milestones determine what ships next.

View the roadmap