Security
EleAgent is designed for deployment in an internal test environment. While it provides robust isolation between the AI agent and project data, the network-level security (HTTPS, firewall) is expected to be handled by the host infrastructure.
Security Model
Read-Only Data Access
Project documentation is mounted as a read-only volume (/data:ro). The AI agent can read files for analysis but cannot modify, delete, or create files in this directory.
```yaml
# From docker-compose.yml
volumes:
  - "${DATA_PATH:-../data}:/data:ro"
```
Recommended: Use an rsync Copy
Mount an rsync copy of the project files rather than the originals. Even in the unlikely event of a software bug that bypasses the read-only mount, the original files remain safe.
Writable Artefacts Directory
The only directory with write permission is /artefacts, which stores:
| Path | Purpose |
|---|---|
| /artefacts/sessions/<key>/ | Per-session agent outputs (CSV, summaries, exports) |
| /artefacts/state/auth.db | User authentication database |
| /artefacts/state/session_registry.db | Session slot tracking |
| /artefacts/state/home/.claude/ | Agent credentials and conversation state |
| /artefacts/conversations/ | Exported conversations |
| /artefacts/logs/ | JSONL transcript logs |
This directory contains exclusively products of agent operation — no source data.
Non-Privileged Execution
All containers run as a non-root user (UID 10001) with strict security options:
```yaml
user: "10001:10001"
read_only: true
cap_drop: [ALL]
security_opt: ["no-new-privileges:true"]
pids_limit: 512
tmpfs:
  - /tmp:size=512m,noexec,nosuid,nodev
  - /run:size=64m,noexec,nosuid,nodev
```

| Setting | Effect |
|---|---|
| user: 10001 | Process runs as an unprivileged user, not root |
| read_only: true | Filesystem is read-only (except explicit mounts and tmpfs) |
| cap_drop: [ALL] | All Linux capabilities removed |
| no-new-privileges | Prevents privilege escalation via setuid/setgid |
| pids_limit: 512 | Limits fork bombs and runaway processes |
| tmpfs noexec | Temporary directories cannot execute binaries |
Egress Firewall
All outbound traffic from worker containers is routed through a Squid HTTP proxy. Only HTTPS connections to Anthropic endpoints are permitted:
```
acl anthropic_all dstdomain .anthropic.com
acl claude_platform dstdomain .claude.com
http_access allow CONNECT anthropic_all SSL_ports
http_access allow CONNECT claude_platform SSL_ports
http_access deny all
```

This ensures:
- No data exfiltration — the agent cannot send project data to external services
- No unauthorized API calls — only Anthropic's API is reachable
- Full audit trail — proxy access logs record all outbound connection attempts
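As an added example (not part of EleAgent), the following Python models the rule order and `dstdomain` semantics of the Squid fragment above so the policy can be checked offline; it assumes Squid's default built-in `CONNECT` and `SSL_ports` ACLs and first-match evaluation, and models only the method, dstdomain, port and src ACL types.

```python
# Added example, not EleAgent's code: a simplified model of the Squid egress
# policy above. Assumes Squid's built-in ACLs (CONNECT = method CONNECT,
# SSL_ports = port 443), first-match evaluation, and only method/dstdomain/port/src ACLs.
# The page's fragment, prefixed with the built-ins Squid itself defines.
SQUID_CONF = """
acl SSL_ports port 443
acl CONNECT method CONNECT
acl all src all
acl anthropic_all dstdomain .anthropic.com
acl claude_platform dstdomain .claude.com
http_access allow CONNECT anthropic_all SSL_ports
http_access allow CONNECT claude_platform SSL_ports
http_access deny all
"""

def parse(conf):
    """Split the config into ACL definitions and ordered http_access rules."""
    acls, rules = {}, []
    for line in conf.strip().splitlines():
        parts = line.split()
        if parts[0] == "acl":                # acl NAME TYPE VALUE...
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == "http_access":      # http_access ACTION ACL...
            rules.append((parts[1], parts[2:]))
    return acls, rules

def domain_matches(pattern, host):
    """Squid dstdomain: '.example.com' matches the domain and all its subdomains."""
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern                   # plain form: exact host only

def acl_matches(acls, name, method, host, port):
    for kind, values in acls.get(name, []):
        if (kind == "method" and method in values) or (kind == "src" and "all" in values):
            return True
        if kind == "port" and str(port) in values:
            return True
        if kind == "dstdomain" and any(domain_matches(v, host) for v in values):
            return True
    return False

def decide(method, host, port, conf=SQUID_CONF):
    """First rule whose ACLs all match wins (ACLs on one line are ANDed)."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls, n, method, host, port) for n in names):
            return action
    return "deny"                            # unreachable here: 'deny all' is last
```

Running `decide("CONNECT", "api.anthropic.com", 443)` returns `allow`, while plain HTTP, non-443 ports, and hosts that merely contain the allowed name (such as `anthropic.com.example.net`) fall through to `deny all`.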
Network Segmentation
| Network | Access | Members |
|---|---|---|
| internal | No external routing | Controller, Workers, Egress Proxy |
| external | Bridge to host | Controller (port 3001), Egress Proxy |
Workers exist only on the internal network and have no direct internet access. The controller is on both networks — it serves the web UI to users and communicates with workers internally.
Authentication
- Web UI: Username/password authentication with bcrypt-hashed passwords stored in SQLite; JWT tokens are used for session management.
- AI Model: Either Anthropic Max credentials (stored in the container's HOME) or an API key (environment variable).
WARNING
Change the default `JWT_SECRET` in production. The default value `change-me-in-production` is intentionally insecure to prompt configuration.
MCP Disabled
Model Context Protocol (MCP) server integration is fully disabled in Phase 1:
```bash
DISABLE_MCP=true       # Backend: prevents MCP server connections
VITE_DISABLE_MCP=true  # Frontend: hides MCP UI elements
```

This eliminates an entire class of potential attack surface.
Self-Update Disabled
The upstream ClaudeCodeUI includes a self-update mechanism. This is disabled:
```bash
ENABLE_SYSTEM_UPDATE=false
```