This skill should be used when working with WebSpec subdomain isolation, cookie/token scoping, origin security, the local.gimme.tools bridge, or local service architecture. Trigger phrases include "subdomain isolation", "cookie scope", "local.gimme.tools", "token audience", "origin security", "same-origin policy", "local bridge".
Domain Note: This skill uses `gimme.tools` as the default WebSpec domain. For self-hosted or enterprise deployments, substitute your configured domain.
WebSpec builds on the browser's same-origin policy to create natural security boundaries. Each subdomain operates as an isolated security context, with cookies and tokens scoped to that subdomain so that one service cannot read another's credentials. Cookies are keyed by host and path rather than by full origin, and a cookie carrying a `Domain` attribute is sent to every host under that domain, so the scoping rules below pin each cookie to its own subdomain and never to the root domain.
```
┌─────────────────────────────────────────────────────────────────┐
│ gimme.tools │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐│
│ │ auth. │ │ api. │ │ slack. │ │ notion. ││
│ │ │ │ │ │ │ │ ││
│ │ Session │ │ Gateway │ │ Slack API │ │ Notion API ││
│ │ management │ │ LLM routing │ │ proxy │ │ proxy ││
│ │ │ │ │ │ │ │ ││
│ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘│
│ ↑ ↑ ↑ ↑ │
│ │ │ │ │ │
│ ┌────┴───────────────┴───────────────┴───────────────┴────┐ │
│ │ Same-Origin Policy │ │
│ │ Cookies and tokens scoped to each subdomain │ │
│ └─────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────┐│
│ │ local.gimme.tools ││
│ │ WebSocket tunnel to localhost services ││
│ └─────────────────────────────────────────────────────────────┘│
└─────────────────────────────────────────────────────────────────┘
```
| Subdomain | Purpose | Trust Level |
|---|---|---|
| auth.gimme.tools | Session management, OAuth flows | Highest (root of trust) |
| api.gimme.tools | Gateway, LLM routing, service discovery | High |
| local.gimme.tools | Bridge to localhost services | Local trust |
| {service}.gimme.tools | Service-specific API proxy | Scoped to service |
Isolation guarantees:

- A cookie set by slack.gimme.tools cannot be read by notion.gimme.tools
- No credential cookie is ever set on the root domain gimme.tools
- A token's `aud` claim must match the subdomain it is presented to

Session cookies are issued by auth.gimme.tools with every attribute pinned down:

```http
Set-Cookie: session_token=xxx;
  Domain=auth.gimme.tools;
  Path=/;
  HttpOnly;
  Secure;
  SameSite=Strict;
  Max-Age=604800
```
Critical cookie attributes:

| Attribute | Value | Purpose |
|---|---|---|
| Domain | Specific subdomain | Prevents cross-service access |
| HttpOnly | true | Prevents JavaScript access |
| Secure | true | HTTPS only |
| SameSite | Strict | Prevents CSRF |
| Path | / | Full subdomain scope |

Two caveats on these values. `Domain=auth.gimme.tools` makes the cookie visible to auth.gimme.tools and to every host beneath it (for example `foo.auth.gimme.tools`); omitting the Domain attribute altogether yields a host-only cookie, which is strictly tighter, so only set Domain when such sub-hosts genuinely need the session. And `SameSite=Strict` withholds the cookie on top-level navigations arriving from another site, including the redirect back from an OAuth provider, so the OAuth callback handler on auth.gimme.tools cannot rely on this cookie being present for that one request.
❌ WRONG: Cookies on root domain

```http
Set-Cookie: token=xxx; Domain=gimme.tools
```

✅ CORRECT: Cookies on specific subdomain

```http
Set-Cookie: token=xxx; Domain=auth.gimme.tools
```
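To make the WRONG/CORRECT contrast concrete, here is an added example (not part of the WebSpec page or its code) that models RFC 6265 cookie domain matching in a tiny cookie jar and reports which service hosts would receive a cookie set by auth.gimme.tools. The host list and cookie values are constructed for the demo; it also shows the host-only case (no Domain attribute), which the page's table does not cover.

```javascript
// Added example: which hosts receive a cookie, under RFC 6265 domain matching.
// Constructed hosts/cookies; no network access.

// RFC 6265 §5.1.3: a request host domain-matches a cookie domain when it is
// identical to it or ends with "." followed by it.
function domainMatches(requestHost, cookieDomain) {
  const h = requestHost.toLowerCase();
  const d = cookieDomain.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Parse a Set-Cookie header received from `setHost`.  Without a Domain
// attribute the cookie is host-only and is returned to exactly that host.
function parseSetCookie(header, setHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: setHost.toLowerCase(),
    hostOnly: true,
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain': {
        const d = v.replace(/^\./, '').toLowerCase();
        // A Domain that does not cover the setting host is rejected by browsers.
        if (!domainMatches(setHost, d)) {
          throw new Error(`Domain=${d} does not cover the setting host ${setHost}`);
        }
        cookie.domain = d;
        cookie.hostOnly = false;
        break;
      }
      case 'secure':
        cookie.secure = true;
        break;
      case 'httponly':
        cookie.httpOnly = true;
        break;
      default:
        break; // Path, SameSite and Max-Age do not affect host scoping
    }
  }
  return cookie;
}

// Names of the jar's cookies that a request to `host` over `scheme` carries.
function cookiesSentTo(jar, host, scheme = 'https') {
  const h = host.toLowerCase();
  return jar
    .filter((c) => (c.hostOnly ? h === c.domain : domainMatches(h, c.domain)))
    .filter((c) => !c.secure || scheme === 'https')
    .map((c) => c.name);
}

// Which of `hosts` would receive a cookie that `setHost` set with `header`?
function exposure(header, setHost, hosts) {
  const jar = [parseSetCookie(header, setHost)];
  return hosts.filter((host) => cookiesSentTo(jar, host).length > 0);
}

// Constructed host list: the WebSpec subdomains plus a host under auth.
const SERVICE_HOSTS = [
  'auth.gimme.tools', 'api.gimme.tools', 'slack.gimme.tools',
  'notion.gimme.tools', 'local.gimme.tools', 'sub.auth.gimme.tools',
];

for (const header of [
  'token=xxx; Domain=gimme.tools; Secure; HttpOnly',       // WRONG: root domain
  'token=xxx; Domain=auth.gimme.tools; Secure; HttpOnly',  // CORRECT: one subdomain
  'token=xxx; Secure; HttpOnly',                           // tighter still: host-only
]) {
  console.log(header.padEnd(54), '->', exposure(header, 'auth.gimme.tools', SERVICE_HOSTS).join(', '));
}
```

The root-domain cookie reaches every service subdomain, the `Domain=auth.gimme.tools` cookie reaches auth and its sub-hosts only, and the host-only cookie reaches auth.gimme.tools alone.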
Every JWT must include an aud (audience) claim matching the subdomain:
```json
{
  "iss": "auth.gimme.tools",
  "sub": "user_12345",
  "aud": "slack.gimme.tools",
  "exp": 1704067200,
  "scope": "GET:channels/*,POST:channels/*/messages",
  "session_id": "sess_abc123",
  "device_id": "dev_xyz789"
}
```
```javascript
function validateToken(token, request) {
  // verifyJWT (assumed helper) checks the signature against the
  // auth.gimme.tools signing key and returns the payload, or throws.
  // A payload that was merely decoded must never be trusted.
  let payload;
  try {
    payload = verifyJWT(token);
  } catch (e) {
    return { valid: false, error: 'Invalid token signature' };
  }
  const requestSubdomain = new URL(request.url).hostname;
  // Issuer must be the root of trust
  if (payload.iss !== 'auth.gimme.tools') {
    return { valid: false, error: 'Untrusted issuer' };
  }
  // Audience must match request subdomain
  if (payload.aud !== requestSubdomain) {
    return { valid: false, error: 'Token audience mismatch' };
  }
  // Check expiration (a missing or non-numeric exp counts as expired)
  if (typeof payload.exp !== 'number' || Date.now() > payload.exp * 1000) {
    return { valid: false, error: 'Token expired' };
  }
  // Check scope covers requested action
  if (!scopeCovers(payload.scope, request)) {
    return { valid: false, error: 'Insufficient scope' };
  }
  return { valid: true, payload };
}
```
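The `scopeCovers` check referenced above is not defined on the page. The following is an added example (not WebSpec's own implementation) of one way to implement it for the scope string shown in the token, `GET:channels/*,POST:channels/*/messages`. The grammar is an assumption: entries are comma-separated `METHOD:pattern` pairs, the pattern is matched against the request path with the leading `/` removed, and `*` matches exactly one path segment. It also normalises the path (dot segments, percent-encoded slashes) before matching, which is where scope checks usually go wrong.

```javascript
// Added example: scopeCovers(scope, request) for "METHOD:pattern,..." scopes.
// Assumed grammar: "*" matches exactly one non-empty path segment.

function parseScope(scope) {
  return scope
    .split(',')
    .map((entry) => entry.trim())
    .filter(Boolean)
    .map((entry) => {
      const idx = entry.indexOf(':');
      if (idx < 1) throw new Error(`Malformed scope entry: ${entry}`);
      return { method: entry.slice(0, idx).toUpperCase(), pattern: entry.slice(idx + 1) };
    });
}

// Segment-by-segment comparison; "*" stands for any single non-empty segment.
function patternMatches(pattern, path) {
  const want = pattern.split('/');
  const got = path.split('/');
  if (want.length !== got.length) return false;
  return want.every((seg, i) => (seg === '*' ? got[i].length > 0 : seg === got[i]));
}

// Canonical path for matching: query and fragment dropped, percent-decoding
// applied before splitting (so an encoded "/" counts as a separator), and
// "." / ".." segments resolved, so "channels/C1/../../admin" becomes "admin".
function normalizePath(url) {
  const u = new URL(url); // absolute URL, as validateToken already requires
  let decoded;
  try {
    decoded = decodeURIComponent(u.pathname);
  } catch (e) {
    return null; // malformed percent-encoding: never grant
  }
  const segments = [];
  for (const seg of decoded.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { segments.pop(); continue; }
    segments.push(seg);
  }
  return segments.join('/');
}

function scopeCovers(scope, request) {
  const method = request.method.toUpperCase();
  const path = normalizePath(request.url);
  if (path === null) return false;
  return parseScope(scope).some((g) => g.method === method && patternMatches(g.pattern, path));
}

// Constructed requests against the scope from the token example above.
const SAMPLE_SCOPE = 'GET:channels/*,POST:channels/*/messages';
for (const [method, url] of [
  ['GET', 'https://slack.gimme.tools/channels/C123?limit=10'],
  ['POST', 'https://slack.gimme.tools/channels/C123/messages'],
  ['GET', 'https://slack.gimme.tools/channels/C123/messages'],
  ['DELETE', 'https://slack.gimme.tools/channels/C123'],
  ['GET', 'https://slack.gimme.tools/channels/C123/../../admin'],
  ['GET', 'https://slack.gimme.tools/channels/C1%2Fmessages'],
]) {
  console.log(method.padEnd(6), url.padEnd(56), scopeCovers(SAMPLE_SCOPE, { method, url }));
}
```

Only the first two requests are covered; the traversal and the encoded-slash variants are refused because matching happens on the canonical path, not on the raw string.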
The local bridge provides secure access to localhost services through a WebSocket tunnel:
```
┌───────────────────────────────────────────────────────────────┐
│ Browser/Agent │
│ │ │
│ HTTPS request to │
│ local.gimme.tools/... │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ local.gimme.tools (Cloud) │ │
│ │ │ │
│ │ 1. Validates session token │ │
│ │ 2. Checks device binding │ │
│ │ 3. Routes through WebSocket tunnel │ │
│ │ │ │
│ └────────────────────────┬────────────────────────────────┘ │
│ │ │
│ WebSocket tunnel │
│ (authenticated) │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Local Bridge Agent │ │
│ │ (runs on user's machine) │ │
│ │ │ │
│ │ 1. Validates tunnel authentication │ │
│ │ 2. Maps to local Unix socket │ │
│ │ 3. Returns response through tunnel │ │
│ │ │ │
│ └────────────────────────┬────────────────────────────────┘ │
│ │ │
│ Unix socket │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Local Service │ │
│ │ (filesystem, clipboard, etc.) │ │
│ └─────────────────────────────────────────────────────────┘ │
└───────────────────────────────────────────────────────────────┘
```
Messages on the tunnel are JSON objects correlated by `id`:

```jsonc
// Client → Server: Request
{
  "type": "request",
  "id": "req_123",
  "method": "GET",
  "path": "/clipboard",
  "headers": { "Authorization": "Bearer ..." }
}

// Server → Client: Response
{
  "type": "response",
  "id": "req_123",
  "status": 200,
  "headers": { "Content-Type": "text/plain" },
  "body": "clipboard contents..."
}
```
Tokens presented to the local bridge must additionally carry device-binding claims, and the bridge refuses requests whose token is not bound to a verified device:

```json
{
  "aud": "local.gimme.tools",
  "device_id": "dev_xyz789",
  "device_verified": true,
  "local_scopes": ["clipboard:read", "filesystem:read"]
}
```
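The following is an added example (not WebSpec's own bridge code) of the dispatch step a Local Bridge Agent performs on each tunnel `request` message, tying together the message format and the device-binding claims above. Assumptions not stated on the page: `claims` is the already-verified payload of the bearer token carried in the message, the agent knows its own device id and compares it with `device_id`, the first path segment names the local service, a GET needs `<service>:read` and any other method needs `<service>:write`, and the socket directory is `/var/run/gimme`. The Unix-socket round trip is replaced by a stand-in so the example runs offline.

```javascript
// Added example: Local Bridge Agent request dispatch with device binding and
// local-scope enforcement.  Claims, messages and device ids are constructed.

const BRIDGE_AUD = 'local.gimme.tools';
const SOCKET_DIR = '/var/run/gimme'; // assumed location of the service sockets
const KNOWN_SERVICES = new Set(['clipboard', 'filesystem', 'terminal', 'browser']);

// Assumed scope convention: GET reads, anything else writes.
function requiredScope(method, service) {
  return `${service}:${method.toUpperCase() === 'GET' ? 'read' : 'write'}`;
}

// The first path segment selects the local service; anything unknown
// (including ".." or an empty path) selects nothing.
function serviceOf(path) {
  if (typeof path !== 'string' || !path.startsWith('/')) return null;
  const first = path.slice(1).split('/')[0];
  return KNOWN_SERVICES.has(first) ? first : null;
}

// null when the request is allowed, otherwise the reason it is denied.
function denyReason(claims, msg, agentDeviceId) {
  if (claims.aud !== BRIDGE_AUD) return 'token audience is not the local bridge';
  if (claims.device_verified !== true) return 'device binding not verified';
  if (claims.device_id !== agentDeviceId) return 'token is bound to a different device';
  const service = serviceOf(msg.path);
  if (!service) return 'unknown local service';
  const need = requiredScope(msg.method, service);
  if (!Array.isArray(claims.local_scopes) || !claims.local_scopes.includes(need)) {
    return `missing local scope ${need}`;
  }
  return null;
}

// Stand-in for the real Unix-socket round trip (constructed for the demo).
function fakeUnixSocket(socketPath, msg) {
  return {
    status: 200,
    headers: { 'Content-Type': 'text/plain' },
    body: `${socketPath} handled ${msg.method} ${msg.path}`,
  };
}

// Turn one tunnel message into the response message to send back.
// Non-request messages and malformed requests yield null (dropped).
function handleMessage(claims, msg, agentDeviceId, connect = fakeUnixSocket) {
  if (!msg || msg.type !== 'request' || typeof msg.id !== 'string' || typeof msg.method !== 'string') {
    return null;
  }
  const reason = denyReason(claims, msg, agentDeviceId);
  if (reason) {
    return { type: 'response', id: msg.id, status: 403, headers: { 'Content-Type': 'text/plain' }, body: reason };
  }
  const socketPath = `${SOCKET_DIR}/${serviceOf(msg.path)}.sock`;
  const upstream = connect(socketPath, msg);
  return { type: 'response', id: msg.id, status: upstream.status, headers: upstream.headers, body: upstream.body };
}

// Constructed demo: the claims from the page, one allowed and two denied requests.
const DEMO_CLAIMS = {
  aud: 'local.gimme.tools',
  device_id: 'dev_xyz789',
  device_verified: true,
  local_scopes: ['clipboard:read', 'filesystem:read'],
};
const AGENT_DEVICE_ID = 'dev_xyz789';
for (const msg of [
  { type: 'request', id: 'req_123', method: 'GET', path: '/clipboard', headers: { Authorization: 'Bearer ...' } },
  { type: 'request', id: 'req_124', method: 'POST', path: '/clipboard', headers: { Authorization: 'Bearer ...' } },
  { type: 'request', id: 'req_125', method: 'GET', path: '/terminal', headers: { Authorization: 'Bearer ...' } },
]) {
  console.log(JSON.stringify(handleMessage(DEMO_CLAIMS, msg, AGENT_DEVICE_ID)));
}
```

Because the socket path is derived from the validated service name rather than from the request path, a traversal such as `/../../etc/passwd` never reaches the filesystem; it is rejected as an unknown service before any socket is opened.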
The bridge agent reaches local services over Unix domain sockets rather than TCP ports, so the services are never reachable from the network:

```
/var/run/gimme/
├── clipboard.sock # Clipboard access
├── filesystem.sock # File operations
├── terminal.sock # Terminal access
└── browser.sock # Browser automation
```
Benefits of Unix sockets:
```yaml
# /etc/gimme/services.d/clipboard.yaml
```