// Security & data handling function Security() { const shell = useShell(); const tocItems = [ { id: 'overview', label: 'Overview' }, { id: 'isolation', label: 'Tenant isolation' }, { id: 'auth', label: 'Authentication & keys' }, { id: 'sandbox', label: 'Sandbox execution' }, { id: 'data', label: 'Data at rest' }, { id: 'data-transit', label: 'Data in transit' }, { id: 'secrets', label: 'Secret handling' }, { id: 'audit', label: 'Audit trail' }, { id: 'retention', label: 'Retention & deletion' }, { id: 'disclosure', label: 'Responsible disclosure' }, ]; return (
shell.setSearchOpen(true)} onMenuToggle={() => shell.setMobileMenuOpen(true)} />
shell.setMobileMenuOpen(false)} />
Docs / Security
Trust · data handling

Security & data handling.

How ClawAgen isolates tenants, handles credentials, runs untrusted LLM output, and what you control when you self-host. The short version: one folder per tenant, one Docker sandbox per shell call, no cross-tenant code paths.

Overview

Security posture depends on who hosts: self-hosted (you own the VM and disk) or our managed cloud (Azure VM operated by us with the same codebase). In both, the isolation model is identical — differences are operational (who holds the keys, who monitors the VM, who applies patches).

Tenant isolation

Every tenant is a folder at /data/tenants/{accountId}/ with its own SQLite file, its own Markdown context, and its own channel credentials. There is no cross-tenant query path because the DB handle itself is different — a bug that forgot to filter by accountId would reach the wrong database file, not a shared table with a missed predicate.

  • Per-tenant DB handlegetTenantDb(accountId) opens /data/tenants/{id}/data.db; no shared-tables pool.
  • Path checks — every filesystem op routes through resolveTenantPath(); escape attempts (../..) throw before disk I/O.
  • Key scope — each API key is bound to a single accountId in platform.db; an admin UI rotates or revokes per-tenant.

Authentication & keys

Every request carries X-API-Key: ck_live_.... The auth middleware hashes it and looks it up in platform.db, resolves accountId, and injects it into the request context. The key is never logged, never returned in responses, and is hashed at rest with SHA-256.

  • Rotate by minting a new key in the admin UI and deleting the old one. In-flight requests under the old key complete; new requests fail.
  • Revoke sets revoked_at on the row; auth returns 401 on the next use.
  • Scope today is tenant-wide. Per-agent and per-tool scopes are on the roadmap.

Sandbox execution

The bash and exec tools run shell commands inside an ephemeral Docker container, not on the host. Each invocation spawns a fresh ai-agents-sandbox:latest container with:

  • Tenant workspace only. Only /data/tenants/{id}/ is mounted, read/write, at /workspace.
  • No network by default. --network=none unless the tool explicitly opts in.
  • Read-only root. Container filesystem outside /workspace is immutable.
  • Timebox. A hard timeout kills the container; output above a cap is truncated.
  • Role-gated. Only the admin agent sees bash and exec; CS never gets shell access.
A malicious prompt can still ask the LLM to try destructive commands — the sandbox contains the blast radius to that one tenant's workspace. Treat the sandbox as a safety net, not a silver bullet; review skills before installing ones you didn't write.

Data at rest

  • Primary storage — the tenant's folder on disk. Markdown files + SQLite + sqlite-vec.
  • Disk encryption — depends on host. Self-host: your choice (LUKS, Azure/AWS/GCP disk encryption). Our cloud: Azure managed-disk encryption at rest.
  • No plaintext keys in DB — tenant API keys are SHA-256 hashed.
  • Backups — see self-host backups. Default is tar + off-box copy; encrypt the archive if the destination isn't trusted.

Data in transit

  • HTTPS everywhere — the bundled Caddy container fetches Let's Encrypt certs; no plaintext inbound.
  • LLM calls — go to your configured provider over HTTPS. Azure OpenAI, Anthropic, OpenAI, etc. each have their own data-handling policy; pick one whose posture matches your requirements.
  • Channel webhooks — signature-verified before routing (Meta: X-Hub-Signature-256; Telegram: X-Telegram-Bot-Api-Secret-Token).

Secret handling

  • Env vars — Azure/OpenAI/embedding keys live in agents/.env, gitignored. Loaded once at process start.
  • Per-tenant channel creds — stored under /data/tenants/{id}/config/channels/*.yaml; not in the main database.
  • Logs — redact known secret shapes (Bearer ..., sk-..., ck_live_...) before pino-pretty writes them.

Audit trail

  • Session history — every message, tool call, and tool result is persisted to sessions/{id}.json per tenant. Filesystem-readable forever.
  • Tool metricsGET /api/metrics/tools shows count, duration, and error rate per (tenant, tool).
  • Platform auth log — successful/failed API-key lookups are recorded in platform.db.

Retention & deletion

There is no automatic retention policy — tenant data lives forever until you delete it. Delete by removing the folder or dropping the tenant row in platform.db.

# Delete a tenant's data + revoke their keys $ TENANT_ID=5 $ docker compose exec agents bun run scripts/delete-tenant.ts $TENANT_ID # Or, raw: $ rm -rf /var/lib/docker/volumes/ai-agents_agents_data/_data/tenants/$TENANT_ID/` }]} />

Responsible disclosure

Security issues: email security@clawagen.com (or open a private security advisory on the GitHub repo). Please do not file public issues for vulnerabilities. We aim to acknowledge within 72 hours.

shell.setSearchOpen(false)} />
); } ReactDOM.createRoot(document.getElementById('root')).render();