SSRF posture for admin-supplied URLs
Every outbound URL is checked before it is dialed, and the check is stricter in production than on a self-hosted appliance.Scheme and metadata check (always)
Only
http and https URLs are allowed. Cloud-metadata endpoints (169.254.169.254, metadata.google.internal, metadata) are always blocked, in every environment.HTTPS and literal-address check (production)
In production the URL must be HTTPS. Literal IPs are range-checked and rejected if they are loopback, private (RFC 1918), or link-local, including IPv6 loopback, unique-local, link-local, and IPv4-mapped IPv6 forms.
localhost and any .localhost host are blocked.DNS resolution check (production)
For a hostname (not a literal IP), Passport resolves it and rejects the request if any resolved address falls in those private, loopback, link-local, or metadata ranges. This closes the DNS-rebinding and internal-hostname holes a string check cannot see.
On a self-hosted appliance (any non-production run), Passport trusts the operator’s own network, so loopback and private addresses are allowed. The metadata-endpoint block still applies everywhere.
Desktop app and bridge egress
The desktop app and the bridge are built to talk to your own Passport server and almost nothing else.Fonts and icons are bundled
The app’s fonts and connector icons are bundled into the app and loaded from local files, so it renders branded offline with no network font fetch.
Product traffic goes to your server
All of the app’s and bridge’s API calls go to your workspace’s Passport server. Upstream credentials are brokered server-side and never written into an AI client config.
Links the app opens for you, such as the sign-up page or a hosted client’s connector settings, open in your system browser as ordinary navigations. They are not in-app network calls.