docs/gateway/security/index.md
6 lines changed: 6 additions & 0 deletions
@@ -724,6 +724,12 @@ injected by Tailscale.
724
724
HTTP API endpoints (for example `/v1/*`, `/tools/invoke`, and `/api/channels/*`)
725
725
still require token/password auth.
726
726
727
+
Important boundary note:
728
+
729
+
- Gateway HTTP bearer auth is effectively all-or-nothing operator access.
730
+
- Treat credentials that can call `/v1/chat/completions`, `/v1/responses`, `/tools/invoke`, or `/api/channels/*` as full-access operator secrets for that gateway.
731
+
- Do not share these credentials with untrusted callers; prefer separate gateways per trust boundary.
732
+
727
733
**Trust assumption:** tokenless Serve auth assumes the gateway host is trusted.
728
734
Do not treat this as protection against hostile same-host processes. If untrusted
729
735
local code may run on the gateway host, disable `gateway.auth.allowTailscale`
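Review bot: The second added bullet names only `/v1/chat/completions` and `/v1/responses`, while the unchanged paragraph just above it describes the token-protected surface as `/v1/*`, `/tools/invoke`, and `/api/channels/*`. A reader could take the narrower list to mean that other `/v1/*` routes carry less privilege, which contradicts the "all-or-nothing" statement in the first bullet. Suggest wording it as "any credential accepted by the gateway HTTP API (for example ...)" so the listed endpoints read as examples rather than the full set. The heading "Important boundary note:" is also followed directly by the list with no sentence saying which boundary is meant; one line stating that there is no per-endpoint or per-caller scoping for bearer auth would make the third bullet's advice (separate gateways per trust boundary) follow from the text.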
docs/nodes/index.md
1 line changed: 1 addition & 0 deletions
@@ -277,6 +277,7 @@ Notes:
277
277
278
278
-`system.run` returns stdout/stderr/exit code in the payload.
279
279
-`system.notify` respects notification permission state on the macOS app.
280
+
- Unrecognized node `platform` / `deviceFamily` metadata uses a conservative default allowlist that excludes `system.run` and `system.which`. If you intentionally need those commands for an unknown platform, add them explicitly via `gateway.nodes.allowCommands`.
280
281
-`system.run` supports `--cwd`, `--env KEY=VAL`, `--command-timeout`, and `--needs-screen-recording`.
281
282
- For shell wrappers (`bash|sh|zsh ... -c/-lc`), request-scoped `--env` values are reduced to an explicit allowlist (`TERM`, `LANG`, `LC_*`, `COLORTERM`, `NO_COLOR`, `FORCE_COLOR`).
282
283
- For allow-always decisions in allowlist mode, known dispatch wrappers (`env`, `nice`, `nohup`, `stdbuf`, `timeout`) persist inner executable paths instead of wrapper paths. If unwrapping is not safe, no allowlist entry is persisted automatically.
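Review bot: The added bullet on unrecognized `platform` / `deviceFamily` metadata says what the conservative default allowlist excludes (`system.run`, `system.which`) but not what it still permits, and it does not say whether an entry in `gateway.nodes.allowCommands` applies only to the unknown-platform node or to every node on the gateway. Since the point of the default is to withhold command execution from nodes the gateway cannot classify, the doc should state the scope of that override so an operator does not widen `system.run` access more than intended. Placement is a smaller point: the bullet sits between the `system.notify` line and the `system.run` option bullets, so the existing `system.run` notes are now split; moving it after the `system.run` group, or to the top of the list, would keep those together.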