You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+11-3Lines changed: 11 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -43,6 +43,9 @@ PinchTab is designed first for local, single-user control on a machine you manag
43
43
44
44
If you run PinchTab on a different machine, do it only when you understand the security model. Keep it on a private or otherwise closed network, avoid exposing it directly to the public internet, and keep high-risk endpoint families disabled unless you explicitly need them. If you do enable them, lock them down so only the systems that need them can reach them.
45
45
46
+
> [!WARNING]
47
+
> The dashboard, HTTP API, MCP server, and remote CLI integrations are privileged operator control surfaces. They are not designed for untrusted users, multi-tenant exposure, or direct public-internet access. If you are unsure how to secure a non-local deployment, review [docs/guides/security.md](docs/guides/security.md) and use the private security contact path in [SECURITY.md](SECURITY.md) before exposing the service.
48
+
46
49
47
50
If you prefer not to run a daemon, or if you're on Windows, you can instead run:
48
51
@@ -248,10 +251,15 @@ pinchtab text
248
251
249
252
Or use the HTTP API directly:
250
253
```bash
251
-
# Create an instance (returns instance id)
252
-
INST=$(curl -s -X POST http://localhost:9867/instances/launch \
254
+
# Create a profile first (returns profile id)
255
+
PROF=$(curl -s -X POST http://localhost:9867/profiles \
256
+
-H "Content-Type: application/json" \
257
+
-d '{"name":"work"}'| jq -r '.id')
258
+
259
+
# Start an instance for that profile (returns instance id)
260
+
INST=$(curl -s -X POST http://localhost:9867/instances/start \
value, err:=promptInput("Set server.bind (127.0.0.1 keeps it local):", cfg.Bind)
185
189
iferr!=nil {
186
190
returnnil, false, err
187
191
}
192
+
if!isLoopbackBindValue(value) {
193
+
fmt.Println()
194
+
fmt.Println(" "+cli.StyleStdout(cli.WarningStyle, "Warning: server.bind is non-loopback"))
195
+
fmt.Println(" "+cli.StyleStdout(cli.MutedStyle, "effect") +": "+cli.StyleStdout(cli.ValueStyle, "may expose the server beyond the local machine unless an outer network boundary still restricts access"))
fmt.Println(" "+cli.StyleStdout(cli.MutedStyle, "hint") +": "+cli.StyleStdout(cli.ValueStyle, "keep a token set and review reverse proxy or port-publishing behavior explicitly"))
fmt.Println(" "+cli.StyleStdout(cli.WarningStyle, "Warning: security.attach.allowHosts includes '*'"))
251
+
fmt.Println(" "+cli.StyleStdout(cli.MutedStyle, "effect") +": "+cli.StyleStdout(cli.ValueStyle, "disables host allowlisting and allows any reachable attach host with an allowed scheme"))
fmt.Println(cli.StyleStdout(cli.WarningStyle, fmt.Sprintf("Guards down preset applied in %s", configPath)))
294
-
fmt.Println(cli.StyleStdout(cli.MutedStyle, "Loopback bind and API auth remain enabled; sensitive endpoints and attach are enabled, IDPI is disabled."))
330
+
fmt.Println(cli.StyleStdout(cli.WarningStyle, "This is a documented, non-default, security-reducing preset."))
331
+
fmt.Println(cli.StyleStdout(cli.MutedStyle, "Loopback bind and API auth remain enabled; sensitive endpoints and attach are enabled, and IDPI protections are disabled."))
332
+
fmt.Println(cli.StyleStdout(cli.MutedStyle, "Attach host allowlisting remains local-only. Widening allowHosts or enabling bridge schemes later is an additional explicit weakening."))
333
+
fmt.Println(cli.StyleStdout(cli.MutedStyle, "Changing server.bind away from 127.0.0.1 later is also an additional explicit weakening unless another network boundary still constrains access."))
Copy file name to clipboardExpand all lines: docs/dashboard.md
+3Lines changed: 3 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -12,6 +12,9 @@ You can open the dashboard at:
12
12
-`http://localhost:9867`
13
13
-`http://localhost:9867/dashboard`
14
14
15
+
> [!WARNING]
16
+
> The dashboard is an operator/admin control surface, not a public or multi-user application. Do not expose it to untrusted users. Anyone who can use the dashboard can manage profiles, instances, configuration, and other browser-control capabilities that are enabled on that server.
Copy file name to clipboardExpand all lines: docs/endpoints.md
+4Lines changed: 4 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -308,6 +308,8 @@ POST /instances/{id}/tab
308
308
Notes:
309
309
310
310
-`/instances/start` and `/instances/launch` use `mode`, not `headless`
311
+
-`/instances/launch` is a compatibility alias over `/instances/start`
312
+
- create profiles explicitly with `POST /profiles`; `name` is no longer supported on `/instances/launch`
311
313
-`/profiles/{id}/start` uses `headless`
312
314
- attach routes are gated by `security.attach`
313
315
@@ -348,6 +350,8 @@ Scheduler routes are only present when `scheduler.enabled` is true.
348
350
349
351
Some endpoints are intentionally disabled unless the matching config allows them:
350
352
353
+
These gates are not ordinary feature toggles. Enabling them is a documented, non-default, security-reducing choice that widens the control surface available to callers.
354
+
351
355
-`/evaluate` and `/tabs/{id}/evaluate` -> `security.allowEvaluate`
352
356
-`/download` and `/tabs/{id}/download` -> `security.allowDownload`
353
357
-`/upload` and `/tabs/{id}/upload` -> `security.allowUpload`
Copy file name to clipboardExpand all lines: docs/guides/attach-chrome.md
+2Lines changed: 2 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -200,6 +200,8 @@ Recommended rules:
200
200
- set `PINCHTAB_TOKEN` when the server is reachable outside localhost
201
201
- only attach to CDP endpoints you trust
202
202
203
+
If you set `allowHosts` to `["*"]`, PinchTab accepts any reachable attach host with an allowed scheme. That is a documented, non-default, security-reducing override: it removes host allowlisting entirely and should only be used on isolated, operator-controlled networks.
Copy file name to clipboardExpand all lines: docs/guides/mcp-agents.md
+4-1Lines changed: 4 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -2,6 +2,9 @@
2
2
3
3
This guide walks through setting up PinchTab as an MCP tool server for AI coding assistants and agent frameworks.
4
4
5
+
> [!WARNING]
6
+
> When you connect an MCP client to PinchTab, that client is exercising the same privileged control plane as the dashboard, API, and remote CLI. Only trusted operators and trusted agent systems should be allowed to use it. If you are unsure whether a non-local or partially exposed deployment is safe, stop and review [Security](security.md) before proceeding.
7
+
5
8
## What is MCP?
6
9
7
10
The [Model Context Protocol](https://modelcontextprotocol.io/) is an open standard for connecting AI models to external tools. PinchTab implements an MCP server that exposes 21 browser-control tools — navigation, interaction, screenshot, PDF export, and more — over a simple stdio interface that every major AI client supports.
@@ -152,7 +155,7 @@ security:
152
155
153
156
Restart PinchTab after changing this setting.
154
157
155
-
> **Warning:** Enabling evaluate allows the agent (and any page it visits) to run arbitrary JavaScript in the browser. Only enable this on trusted networks with a token set.
158
+
> **Warning:** Enabling evaluate is a documented, non-default, security-reducing configuration change. It allows the agent (and any page it visits) to run arbitrary JavaScript in the browser. Only enable it on trusted networks with a token set.
0 commit comments