Defense in depth
for AI agent workflows.

AI agent code runs in ephemeral sandboxes that are destroyed after each execution. No shared state, no persistent access to host resources. Docker containers run with seccomp profiles and dropped capabilities.

• E2B - Cloud-hosted microVMs with SOC 2 Type II certification
• Docker - CapDrop: ALL, seccomp syscall allowlist, PID limits, CPU quotas, non-root user (UID 1000), bridge networking, auto-remove
• Seccomp profiles - Blocks ptrace, mount, kexec_load, keyctl, reboot, swapon and other dangerous syscalls
• Cloudflare Workers - Edge V8 isolates with per-request timeout
• Local - Subprocess mode for development only (no isolation)
• Runner file validation - blocks path traversal (..) and absolute paths before execution

API key authentication with HMAC-SHA256 hashing, key rotation with grace periods, expiry enforcement, and per-key IP allowlisting.

• HMAC-SHA256 with configurable server-side pepper (API_KEY_PEPPER)
• Keys accepted via X-API-Key header, Authorization: Bearer, or query param (SSE)
• Key rotation - POST /api/api-keys/{id}/rotate generates new key, old key enters configurable grace period
• Key expiry - expires_at enforced in auth middleware, returns 401 KEY_EXPIRED
• IP allowlisting - per-key CIDR allowlist (IPv4 + IPv6), empty list allows all IPs
• sc_ prefix with 32-byte URL-safe random token, first 8 chars stored as key_prefix
• last_used_at timestamp updated on every authenticated request
• Soft deletion via is_active flag - preserves audit trail

Each API key is scoped to a tenant. Tenant-scoped queries filter all data access to prevent cross-tenant leaks.

• tenant_id set from API key on every request via middleware
• Admin keys (no tenant_id) can access all data
• Tenant keys only see their own runs, workflows, schedules
• Per-key cost limits (max_cost_per_run_usd)

Declarative policy rules that evaluate step outputs in real-time. Automatically redact PII, block secrets, and trigger approvals.

• PII patterns - email, phone, SSN, credit card regex detection
• 30+ credential patterns - Slack, GitHub, AWS, Stripe, OpenAI, and more
• Actions - redact, block, inject_approval, alert, log
• Severity levels - critical, high, medium, low
• Safe expression evaluation via simpleeval (no Python eval/exec)
• Auto-generated credential policies when tools are used
• Redacted output stored separately - originals preserved for LLM context

All webhook callback URLs are validated against private network ranges before any HTTP request is made.

• Blocks loopback (127.0.0.0/8, ::1)
• Blocks private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
• Blocks link-local (169.254.0.0/16) and IPv6 ULA (fc00::/7)
• DNS resolution performed before IP check (prevents DNS rebinding via TOCTOU)
• Scheme validation - only http:// and https://

All file operations are sandboxed within base directories. Resolved paths are validated to prevent escape.

• Path.resolve() + is_relative_to() check on all storage operations
• Raises ValueError on traversal attempts (../../etc/passwd)
• Dashboard SPA fallback rejects paths containing ..
• Runner file validation blocks .. and absolute paths

Pluggable rate limiting with in-memory and distributed Redis backends. Sliding window counter per tenant or IP prevents abuse of sandbox endpoints.

• Default: 10 requests per 60 seconds on execution endpoints
• Keyed by tenant:{id} when authenticated, ip:{addr} when anonymous
• In-memory backend - default, zero config, sliding window with stale entry pruning
• Redis backend - distributed sorted set pipeline, auto-selected when REDIS_URL is set
• HTTP 429 response with Retry-After, X-RateLimit-Limit, X-RateLimit-Remaining headers

Tool credentials are encrypted at rest with Fernet symmetric encryption, resolved from environment variables or database-stored named connections. Never logged, never exposed in outputs.

• Encryption at rest - Fernet (AES-128-CBC + HMAC-SHA256) via CREDENTIAL_ENCRYPTION_KEY
• Graceful fallback - no key configured means plaintext passthrough (backwards compatible)
• TOOL_* prefix convention for environment variables
• Named connections (postgresql:analytics) stored in DB with unique constraint
• Credential masking for UI display - shows first 4 + last 4 chars only
• Credentials injected into sandbox env at runtime, not stored in workflow YAML
• Export API (/workflows/{name}/export) sanitizes credentials from YAML

Opt-in error reporting via Sentry with aggressive anonymization. Disabled by default. No user data, no secrets, no hostnames.

• Opt-in only: TELEMETRY_ENABLED=true + SENTRY_DSN
• send_default_pii=False, server_name=None, zero tracing
• Before-send hook strips: API keys, tokens, secrets, file paths, request data, user data, stack frame variables
• 40+ sensitive env var names blocklisted from reporting
• Local fallback: failed sends saved to data/error_reports/

Outgoing webhooks are signed with HMAC-SHA256. Recipients can verify authenticity using the signature header.

• HMAC-SHA256 signature over JSON payload
• Header: X-Sandcastle-Signature
• Timing-safe comparison via hmac.compare_digest()
• 10-second timeout on webhook delivery

Middleware injects hardened HTTP headers on every response. Content Security Policy applied to dashboard routes, with a report-only mode for gradual rollout.

• X-Content-Type-Options: nosniff - prevents MIME sniffing
• X-Frame-Options: DENY - blocks clickjacking
• Referrer-Policy: strict-origin-when-cross-origin
• Permissions-Policy - disables camera, microphone, geolocation, payment
• CSP - default-src 'self' with scoped overrides for styles, scripts, images, fonts
• CSP applied to dashboard paths only (not /api) to avoid breaking JSON responses
• CSP_REPORT_ONLY=true uses Content-Security-Policy-Report-Only header for safe testing

Three-state circuit breaker protects against cascading backend failures. Automatically recovers when the backend stabilizes.

• CLOSED - normal operation, requests pass through
• OPEN - after 5 consecutive failures, reject immediately
• HALF_OPEN - after 30s cooldown, allow one test request
• Success in HALF_OPEN resets to CLOSED
• Metrics tracking: total queries, failures, failovers, CB rejections

SHA-256 hash chain audit trail. Every event links to the previous via cryptographic hash - tamper-evident and independently verifiable.

• Hash chain - each AuditEvent stores entry_hash (SHA-256 of payload) and prev_hash linking to previous event
• 7 executor hooks - workflow_started, step_started, step_completed, step_failed, workflow_completed, workflow_failed, approval_requested
• 9 admin hooks - emergency_stop, emergency_reset, api_key_created, api_key_rotated, api_key_revoked, credential_stored, credential_deleted, config_changed, compliance_mode_changed
• GET /audit/runs/{run_id} - full event log for a run
• GET /audit/verify/{run_id} - verify chain integrity, returns broken links
• GET /audit/admin - paginated admin action log
• PolicyViolation - run_id, step_id, policy_id, severity, trigger_details, action_taken
• ApprovalRequest - status, reviewer_id, reviewer_comment, full request/response data