
Infrastructure Security

Container Isolation

Each instance runs in its own Kubernetes namespace with strict isolation:
  • Network policies prevent cross-tenant traffic — instances cannot communicate with each other
  • Resource quotas ensure one tenant cannot consume another’s resources
  • Seccomp profile (RuntimeDefault) blocks dangerous syscalls
  • Dropped capabilities: SYS_ADMIN, NET_RAW, SYS_PTRACE, MKNOD, SYS_MODULE, and others
  • No privilege escalation: allowPrivilegeEscalation: false
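The controls above map onto a handful of Pod securityContext fields. The following is an added example, not the platform's own code: an audit function that checks a Pod spec for exactly those settings. Field names are real Kubernetes API fields; the rule set, the sample specs and the container names ("instance", "auth-guard") are constructed for illustration. Because the page says "and others" without listing them, the audit requires at least the five named capabilities and accepts `drop: ["ALL"]`.

```javascript
// Added example (not the platform's code): audit a Pod spec for the hardening
// this page describes. Field names are real Kubernetes API fields; the rule set,
// the sample specs and the container names are constructed here.

// Capabilities the page lists explicitly. "and others" is not enumerated, so the
// audit requires at least these and accepts drop: ["ALL"].
const REQUIRED_DROPS = ["SYS_ADMIN", "NET_RAW", "SYS_PTRACE", "MKNOD", "SYS_MODULE"];

// Returns a list of findings; an empty list means the spec passes.
function auditPodSpec(podSpec) {
  const findings = [];

  // automountServiceAccountToken defaults to true, so it must be set explicitly.
  if (podSpec.automountServiceAccountToken !== false) {
    findings.push("pod: automountServiceAccountToken must be false");
  }

  // A pod-level seccompProfile applies to every container unless overridden.
  const podSeccomp = podSpec.securityContext?.seccompProfile?.type;

  for (const c of podSpec.containers ?? []) {
    const sc = c.securityContext ?? {};

    const seccomp = sc.seccompProfile?.type ?? podSeccomp;
    if (seccomp !== "RuntimeDefault" && seccomp !== "Localhost") {
      findings.push(`${c.name}: seccompProfile.type must be RuntimeDefault (got ${seccomp ?? "unset"})`);
    }
    // Also defaults to true; unset is a finding, not a pass.
    if (sc.allowPrivilegeEscalation !== false) {
      findings.push(`${c.name}: allowPrivilegeEscalation must be false`);
    }
    if (sc.privileged === true) {
      findings.push(`${c.name}: privileged must not be true`);
    }

    const drop = (sc.capabilities?.drop ?? []).map((x) => x.toUpperCase());
    if (!drop.includes("ALL")) {
      for (const cap of REQUIRED_DROPS) {
        if (!drop.includes(cap)) findings.push(`${c.name}: capability ${cap} not dropped`);
      }
    }
    // Re-adding a required drop is flagged regardless of how the runtime resolves
    // add/drop precedence: the intent is ambiguous and should be rejected.
    for (const cap of sc.capabilities?.add ?? []) {
      const upper = cap.toUpperCase();
      if (upper === "ALL" || REQUIRED_DROPS.includes(upper)) {
        findings.push(`${c.name}: capability ${cap} re-added`);
      }
    }
  }
  return findings;
}

// Constructed sample: the spec this page describes.
const hardenedPodSpec = {
  automountServiceAccountToken: false,
  securityContext: { seccompProfile: { type: "RuntimeDefault" } },
  containers: [
    {
      name: "instance",
      // Runs as root by design (see Agent Capabilities); confinement comes from
      // seccomp, dropped capabilities and NetworkPolicy, not from a non-root user.
      securityContext: {
        allowPrivilegeEscalation: false,
        capabilities: { drop: ["SYS_ADMIN", "NET_RAW", "SYS_PTRACE", "MKNOD", "SYS_MODULE"] },
      },
    },
    {
      name: "auth-guard",
      securityContext: {
        allowPrivilegeEscalation: false,
        readOnlyRootFilesystem: true,
        capabilities: { drop: ["ALL"] },
      },
    },
  ],
};

// Constructed sample: a spec that relies on Kubernetes defaults and re-adds NET_RAW.
const weakPodSpec = {
  containers: [{ name: "instance", securityContext: { capabilities: { add: ["NET_RAW"] } } }],
};

console.log(auditPodSpec(hardenedPodSpec)); // []
console.log(auditPodSpec(weakPodSpec));
```

Two of the checks matter more than they look: `allowPrivilegeEscalation` and `automountServiceAccountToken` both default to true, so a spec that simply omits them is not hardened, and the audit treats "unset" as a failure rather than a pass.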

Network Security

  • External DNS only — instances use Cloudflare DNS (1.1.1.1), not internal cluster DNS
  • No Kubernetes service discovery — instances cannot access *.svc.cluster.local
  • Cloud metadata blocked: 169.254.0.0/16, the link-local range that hosts the cloud metadata endpoint, is unreachable
  • HTTPS egress only — outbound traffic restricted to HTTPS
  • Service account token disabled: automountServiceAccountToken: false, so no Kubernetes API credential is mounted into the instance
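The egress rules above amount to an allow-list: DNS to 1.1.1.1 and HTTPS to the internet, with the metadata range carved out. The following is an added example, not the platform's own code: the egress half of such a NetworkPolicy as an object, plus a small evaluator that answers "can the instance reach ip:port under this policy?". Field names are real NetworkPolicy fields. The policy and namespace names, and the private-range exceptions (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, which also cover typical pod and service CIDRs) are assumptions; the page itself names only 169.254.0.0/16, 1.1.1.1 and HTTPS-only egress. Ingress, including the non-exposed gateway port, is not modelled here.

```javascript
// Added example (not the platform's code): an egress NetworkPolicy as described on
// this page and an evaluator for it. Names and the private-range excepts are
// assumptions; only ipBlock peers are evaluated because this policy has no
// podSelector / namespaceSelector peers.

const instanceEgressPolicy = {
  apiVersion: "networking.k8s.io/v1",
  kind: "NetworkPolicy",
  metadata: { name: "instance-egress", namespace: "tenant-example" },
  spec: {
    podSelector: {},            // every pod in the tenant namespace
    policyTypes: ["Egress"],    // listing Egress means anything not matched below is denied
    egress: [
      // DNS: only the external resolver, never cluster DNS
      { to: [{ ipBlock: { cidr: "1.1.1.1/32" } }],
        ports: [{ protocol: "UDP", port: 53 }, { protocol: "TCP", port: 53 }] },
      // HTTPS to the internet, with metadata and private ranges carved out
      { to: [{ ipBlock: { cidr: "0.0.0.0/0",
                          except: ["169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"] } }],
        ports: [{ protocol: "TCP", port: 443 }] },
    ],
  },
};

function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return (((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (bits === 0) return true;                       // 0.0.0.0/0 matches everything
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// ipBlock semantics: inside cidr and not inside any `except` entry.
function ipBlockMatches(ip, block) {
  return inCidr(ip, block.cidr) && !(block.except ?? []).some((ex) => inCidr(ip, ex));
}

// dst = { ip, port, protocol }; protocol defaults to TCP as in the API.
// A rule with no `to` matches every peer; a rule with no `ports` matches every port.
function egressAllowed(policy, dst) {
  const spec = policy.spec;
  if (!(spec.policyTypes ?? []).includes("Egress")) return true;   // policy does not govern egress
  const proto = dst.protocol ?? "TCP";
  return (spec.egress ?? []).some((rule) => {
    const peerOk = !rule.to || rule.to.some((peer) => peer.ipBlock && ipBlockMatches(dst.ip, peer.ipBlock));
    const portOk = !rule.ports || rule.ports.some((p) => p.port === dst.port && (p.protocol ?? "TCP") === proto);
    return peerOk && portOk;
  });
}

// Constructed destinations: metadata endpoint, cluster DNS, the external resolver, a public HTTPS host.
for (const dst of [
  { ip: "169.254.169.254", port: 80 },
  { ip: "10.96.0.10", port: 53, protocol: "UDP" },
  { ip: "1.1.1.1", port: 53, protocol: "UDP" },
  { ip: "93.184.216.34", port: 443 },
  { ip: "93.184.216.34", port: 80 },
]) {
  console.log(`${dst.ip}:${dst.port}/${dst.protocol ?? "TCP"} -> ${egressAllowed(instanceEgressPolicy, dst) ? "allow" : "deny"}`);
}
```

Two caveats when applying this for real: a NetworkPolicy is only enforced if the cluster's CNI implements it (a cluster without a policy-capable CNI silently accepts the object and enforces nothing), and policies in a namespace are unioned, so a second policy that allows broader egress reopens what this one closes.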

Auth Guard

Each instance has a sidecar auth-guard proxy that:
  • Validates authentication tokens on incoming requests
  • Runs with a read-only root filesystem
  • Drops all Linux capabilities
  • The direct gateway port (18789) is not exposed by the NetworkPolicy, so requests cannot reach the gateway without passing through the auth-guard

Data Security

Encryption

  • In transit: All traffic uses TLS (HTTPS). TLS certificates are provisioned and renewed automatically.
  • At rest: Persistent storage volumes are encrypted. Platform credentials are encrypted in the database using AES-256-GCM.

Credential Storage

Platform credentials (bot tokens, API keys) are:
  1. Encrypted with AES-256-GCM before being stored in the database
  2. Synced to Kubernetes secrets (which are encrypted at rest by K8s)
  3. Never logged or exposed in API responses (masked to •••• + last 4 characters)

AI API Keys

Your AI provider API key is:
  • Encrypted before storage
  • Injected into the instance as a Kubernetes secret
  • Never accessible via the API (the GET endpoints exclude encrypted secrets)

Application Security

API Security

  • Session-based authentication with HTTP-only, secure cookies
  • Rate limiting on sensitive endpoints (Redis sliding window)
  • Input validation with Zod schemas on all endpoints
  • Stripped error details — validation errors return VALIDATION_ERROR without exposing schema details
  • Security headers: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, CSP
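The "Redis sliding window" limiter mentioned above is a sorted set keyed per client, with request timestamps as scores. The following is an added example, not the platform's own code, of that algorithm in Node, written against a tiny in-memory stand-in that mirrors the sorted-set commands the pattern needs so it runs offline; each method names the Redis command it replaces. Key naming and the limits shown are assumptions.

```javascript
// Added example (not the platform's code): Redis sliding-window rate limiting,
// against an in-memory stand-in for a sorted set. Key names and limits are assumed.

// Stand-in for a Redis sorted set: score = hit timestamp, member = unique hit id.
class SortedSetStore {
  constructor() { this.sets = new Map(); }
  zadd(key, score, member) {                            // ZADD key score member
    const s = this.sets.get(key) ?? [];
    s.push([score, member]);
    this.sets.set(key, s);
  }
  zremrangebyscore(key, min, max) {                     // ZREMRANGEBYSCORE key min max (inclusive)
    const s = this.sets.get(key) ?? [];
    this.sets.set(key, s.filter(([score]) => score < min || score > max));
  }
  zcard(key) { return (this.sets.get(key) ?? []).length; }   // ZCARD key
  zminScore(key) {                                      // ZRANGE key 0 0 WITHSCORES
    const s = this.sets.get(key) ?? [];
    return s.length ? Math.min(...s.map(([score]) => score)) : null;
  }
}

let hitSeq = 0;

// Returns { allowed, remaining, retryAfterMs }. The window is (now - windowMs, now].
// In production these commands run inside one MULTI/EXEC or a Lua script, and the
// key gets PEXPIRE windowMs so idle keys disappear; without the atomic step, two
// concurrent requests can both observe count < limit and both be admitted.
function slidingWindowLimit(store, key, { limit, windowMs }, now = Date.now()) {
  store.zremrangebyscore(key, 0, now - windowMs);       // forget hits that left the window
  const count = store.zcard(key);
  if (count >= limit) {
    const oldest = store.zminScore(key);                // the hit whose expiry frees a slot
    return { allowed: false, remaining: 0, retryAfterMs: oldest + windowMs - now };
  }
  store.zadd(key, now, `${now}:${++hitSeq}`);           // member must be unique per hit
  return { allowed: true, remaining: limit - count - 1, retryAfterMs: 0 };
}

// One key per (endpoint, client) so one abusive client cannot exhaust everyone's budget.
function loginRateLimitKey(clientIp) { return `rl:login:${clientIp}`; }

// Constructed usage: 3 attempts per second from one address (203.0.113.0/24 is documentation space).
const store = new SortedSetStore();
const opts = { limit: 3, windowMs: 1000 };
for (const t of [0, 1, 2, 3, 1000]) {
  console.log(t, slidingWindowLimit(store, loginRateLimitKey("203.0.113.7"), opts, t));
}
```

A sliding window counts the exact hits in the trailing interval, so unlike a fixed window there is no boundary where a client gets 2× the limit by straddling two buckets; the cost is one sorted-set entry per admitted request, which is why `ZREMRANGEBYSCORE` runs on every call.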

Password Security

  • Passwords are hashed with Argon2 (a memory-hard algorithm)
  • Minimum 8 characters enforced
  • Password reset invalidates all existing sessions
  • Reset tokens are SHA-256 hashed and expire after 1 hour

Agent Capabilities

The AI agent inside each instance runs as root so that it can install packages and use development tooling freely (apt-get install, npm install -g, etc.). Confinement is therefore enforced at the Kubernetes layer (seccomp, dropped capabilities, NetworkPolicy, resource quotas), not by privilege separation inside the container:
  • The agent can: install packages, write files, create git repos, run development tools
  • The agent cannot: escalate privileges, create raw sockets, access other tenants, modify kernel modules, or access the Kubernetes API

Reporting Security Issues

If you discover a security vulnerability, please report it to [email protected]. We take all reports seriously and will respond promptly.