Reference

Security

Pagerunner is designed for privacy-by-architecture. All browser sessions, profiles, and stored state stay on your machine. Page content your agent reads is sent to your LLM provider. Every security feature — anonymization, encryption, audit logging — runs locally.

Architecture Overview

  • All data stored locally in ~/.pagerunner/
  • Database encrypted with ReDB
  • Secrets sealed in macOS Keychain-backed storage
  • Audit log with file permissions (mode 0o600, owner-only)
  • Chrome runs with TCP-only CDP (no network exposure)

SSRF Protection

Pagerunner blocks navigation to internal network addresses by default:

  • Loopback: 127.*, 0.0.0.0, [::1]
  • Private IPs: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
  • Link-local: 169.254.0.0/16 (including AWS metadata endpoint)
  • Special: localhost, *.localhost, metadata.google.internal
  • URLs with embedded credentials (user:pass@host)
  • Non-HTTP schemes (file://, ftp://)

Content Sanitization

  • Hidden elements and scripts stripped before content reaches the LLM
  • Prompt injection patterns detected and flagged
  • Configurable per session via sanitize_content and scan_injections

PII Anonymization

  • Local ONNX NER model (no cloud API calls)
  • Two modes: tokenize (reversible via session vault) and redact (permanent)
  • Entity types: EMAIL, PHONE, CREDIT_CARD, IBAN, SSN, IP, PERSON, ORG, SECRET
  • Custom patterns for domain-specific PII
  • SECRET type scrubs 18+ token formats (GitHub, Stripe, AWS, JWT, PEM, etc.)

Domain Allowlisting

  • Per-profile domain restrictions
  • Empty list = allow all (default)
  • Wildcards supported: *.internal.co
  • Navigation outside allowed domains is blocked

Tool Restrictions

  • allowed_tools — whitelist of permitted tools
  • blocked_tools — blacklist of forbidden tools
  • Per-session override available

Audit Log

  • Append-only JSON lines at ~/.pagerunner/audit.log
  • Also stored in encrypted database
  • Events: session open/close, tool calls, security violations, PII detections
  • Never logs: raw content, passwords, secrets, PII values
  • Logs safely: URLs, tool names, session IDs, entity counts
  • Query: pagerunner audit -n 20

Secrets Management

  • extract_secret pulls values from pages into sealed storage
  • use_secret injects via stdin to CLI commands (never in args or env)
  • Secret values never exposed to the LLM
  • Only secret names are visible

Session Isolation

  • Each profile gets its own Chrome user data directory
  • Separate cookies, localStorage, extensions per profile
  • No cross-profile data leakage
  • Stealth mode available for reduced browser fingerprinting

Next: Troubleshooting →