- bearer token required for `POST /open`
- only `http` and `https` URLs are accepted
- default policy is `localhost-only`
- daemon should bind to loopback unless you intentionally expose it elsewhere
- `bobd` logs allow/deny decisions
- query strings are redacted in logs
- nonce replay protection
- first-use approval
- duplicate suppression
- per-host allowlists beyond loopback mode
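
The bearer-token, scheme, localhost-only and log-redaction rules listed above can combine into a single allow/deny decision, as in this added sketch (not `bobd`'s own code). All function names are hypothetical, and it assumes the `localhost-only` policy applies to the host of the URL being opened.

```python
# Added illustration; names are hypothetical and this is not bobd's implementation.
import hmac
import ipaddress
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}

def token_ok(header, expected):
    """Constant-time check of an 'Authorization: Bearer <token>' header value."""
    scheme, _, presented = (header or "").partition(" ")
    return scheme.lower() == "bearer" and hmac.compare_digest(
        presented.strip().encode(), expected.encode())

def is_loopback_host(host):
    """True for 'localhost' or a literal loopback IP; no DNS lookups are made."""
    host = (host or "").lower()
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any other name falls outside the localhost-only policy

def redact(url):
    """Drop userinfo, query string and fragment before the URL reaches a log."""
    p = urlsplit(url)
    host = p.hostname or ""
    if ":" in host:  # IPv6 literal needs its brackets back
        host = f"[{host}]"
    netloc = host + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, netloc, p.path, "REDACTED" if p.query else "", ""))

def decide(url, auth_header, expected_token):
    """Return (allowed, log_line) for one POST /open request."""
    if not token_ok(auth_header, expected_token):
        return False, "deny reason=bad-token"
    try:
        parts = urlsplit(url)
        parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return False, "deny reason=unparseable-url"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"deny reason=scheme scheme={parts.scheme!r}"
    # Check the parsed hostname, never a substring of the raw URL, so that
    # 'localhost@other.example' and '127.0.0.1.other.example' are denied.
    if not is_loopback_host(parts.hostname):
        return False, f"deny reason=not-loopback url={redact(url)}"
    return True, f"allow url={redact(url)}"
```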