Privileged browser channels
A reachable CDP or live-view URL can expose browser actions and state.
Keep worker ports private and put short-lived, revocable grants at the gateway.
SECURITY MODEL
A real browser executes untrusted content and can hold valuable session state. Tabyard starts private and hardens each boundary before it becomes reachable.
TRUST BOUNDARIES
Operator and agent traffic enter through a private access boundary. The control plane owns policy. Workers receive only what their current lease requires.
PRIMARY THREATS
A reachable CDP or live-view URL can expose browser actions and state.
Keep worker ports private and put short-lived, revocable grants at the gateway.
A browser can be driven toward internal services, metadata endpoints, or unsafe downloads.
Separate worker networks, restrict egress, cap resources, and never mount the Docker socket.
Cookies, proxy credentials, form values, and model keys can escape through logs or artifacts.
Redact by default, scope secrets to a lease, encrypt durable state, and limit retention.
CURRENT LIMITS
One root control key authorizes the validation slice.
Raw worker endpoints remain reachable from the host and explicit SSH forwards.
Runtime egress filtering and durable reconciliation are Phase 2 controls.
No sensitive identity is used until an immutable runtime digest passes isolation tests.
PUBLIC-EXPOSURE GATE
The control plane stays private until every item below is implemented and tested.