• local
  • Host must be loopback.
  • Auth optional.
  • Intended for single-machine use.
• lan
  • Requires explicit host allowlist (--allowed-hosts or config/env equivalent).
  • Auth required.
• relay
  • Requires explicit host allowlist.
  • Auth required.
  • Relay transport and key exchange are next-phase work.

• Host header allowlist enforcement.
• Origin allowlist enforcement.
• Token auth (~/.viewport/auth-token) for protected API/WS.
• WS auth supports ?token= query fallback only in local profile by default.
  • In lan/relay, query-token auth is disabled unless VIEWPORT_ALLOW_QUERY_TOKEN_NON_LOCAL=1.
  • Tradeoff: query tokens can leak via logs/history, so use Authorization: Bearer ... whenever possible.
  • Preferred path is Authorization: Bearer ....
• WebSocket payload limits, backpressure handling, and rate limiting.
• Path traversal protection for file APIs.

• vpd pair creates short-lived offers (default 10 minutes, max 60 minutes).
• Offer URL contains offerId, one-time proof, trust-anchor fingerprint, and connection metadata, not the auth token.
• Offers are persisted and can be listed/revoked:
  • vpd pair list
  • vpd pair revoke <offer-id>
• Daemon trust anchor can be inspected:
  • vpd pair anchor
• Offer redemption is one-time:
  • POST /api/pair/redeem with offerId + proof + trustAnchor
  • Local loopback profile can bypass bearer auth for redeem; LAN/relay profiles cannot.
• Pairing events are written to ~/.viewport/pairing-audit.jsonl.

The next phase should add:

• Explicit device identity binding.
• Revocation propagation across relay sessions.
• Short-lived capability tokens scoped by command/permission class.