One user per VM.
Hard boundaries.
Each user's workspaces run on their own dedicated VMs — different users never share a node. OS-level firewalls enforce network isolation. VMs are short-lived and destroyed after an idle timeout.
VM-Level User Isolation
Different users never share the same VM. Each user's workspaces run on their own dedicated nodes. There is no shared-infrastructure scenario where one user's agent could access another user's code, credentials, or runtime environment.
A single node can host multiple workspaces for the same user (up to a configurable limit, default 3) — but cross-user node sharing is structurally prevented by the node selection logic.
One Agent Per Workspace
Each workspace hosts exactly one agent session in its own container. No concurrent agents share a filesystem, memory, or network within a workspace. This eliminates an entire class of inter-agent interference bugs and security risks.
OS-Level Firewalls
Every VM is provisioned with iptables rules baked into cloud-init. Security measures are enforced within the VM provisioning process rather than depending on cloud-provider-specific firewall features. The rules apply before any user code runs.
Short-Lived VMs
VMs are created for work and destroyed after an idle timeout (default 30 minutes). After a task completes, the node enters a warm pool for fast reuse by the same user. If no new work arrives, the node is automatically destroyed. Each task starts from a known-good base image, and there is no long-lived server accumulating state or drift.
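The node selection and warm-pool behaviour described under VM-Level User Isolation and Short-Lived VMs can be sketched as follows. This is an added example, not the project's own code: the `Node` type, the function names, and the "prefer the fullest node" tie-break are assumptions; only the per-user ownership rule, the limit of 3, and the 30-minute timeout come from the page.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Optional

MAX_WORKSPACES_PER_NODE = 3      # page: configurable limit, default 3
IDLE_TIMEOUT_SECONDS = 30 * 60   # page: idle timeout, default 30 minutes
_ids = count(1)                  # hypothetical node id source

@dataclass
class Node:                      # hypothetical record for one VM
    node_id: str
    owner: str                   # fixed at provisioning, never reassigned
    workspaces: set = field(default_factory=set)
    idle_since: Optional[float] = None   # set when the node enters the warm pool

def is_expired(node: Node, now: float) -> bool:
    """True once a warm (empty) node has sat idle past the timeout."""
    return (not node.workspaces and node.idle_since is not None
            and now - node.idle_since >= IDLE_TIMEOUT_SECONDS)

def select_node(user: str, nodes: list, now: float) -> Optional[Node]:
    """Return a node this user may use, or None meaning 'provision a new VM'."""
    candidates = [
        n for n in nodes
        if n.owner == user       # ownership filter: other users' nodes are never candidates
        and len(n.workspaces) < MAX_WORKSPACES_PER_NODE
        and not is_expired(n, now)
    ]
    # Assumed tie-break: fill the busiest node so idle ones can age out.
    return max(candidates, key=lambda n: len(n.workspaces), default=None)

def place_workspace(user: str, ws_id: str, nodes: list, now: float) -> Node:
    node = select_node(user, nodes, now)
    if node is None:             # no reusable node owned by this user
        node = Node(node_id=f"node-{next(_ids)}", owner=user)
        nodes.append(node)
    node.workspaces.add(ws_id)
    node.idle_since = None       # node is active again
    return node

def release_workspace(node: Node, ws_id: str, now: float) -> None:
    node.workspaces.discard(ws_id)
    if not node.workspaces:
        node.idle_since = now    # warm pool: reusable only by node.owner

def reap_idle(nodes: list, now: float) -> list:
    """Drop nodes whose idle timeout elapsed; the caller destroys those VMs."""
    return [n for n in nodes if not is_expired(n, now)]
```

Because the owner check is part of candidate selection rather than a later validation step, a warm node belonging to one user is invisible to every other user's placement request, even when it has free capacity.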
Token Architecture
| Token | Lifetime | Purpose |
|---|---|---|
| Session cookie | 7 days | Browser authentication (HttpOnly, Secure, SameSite) |
| Workspace JWT | 1 hour | Terminal WebSocket auth |
| Bootstrap token | 15 minutes, one-time use | VM credential injection |
| Callback token | 24 hours | VM agent → control plane callbacks |