Your agents are powerful.
Make sure you are in control.

AI coding agents can execute arbitrary code, read your secrets, push to your repos, and modify your databases. They have the same permissions as the process they run in.

Your agent has your credentials. The only thing between it and a production git push is whether the model decides to run the command.

IAM scopes access at the API boundary. It cannot pause an agent mid-action and ask the human “did you actually want this?” That is what Ellul Control does.

Three commands. No code changes. No SDK.

Shield classifies traffic by destination and HTTP method. Privileged requests pause for your confirmation. Everything else passes through with no added latency.

1. Install the CLI

One npm package. No configuration files. No Docker. No infrastructure to manage.

2. Log in with your passkey

A browser opens and you authenticate with FIDO2. Your biometric or hardware key is the only way to approve actions.

3. Start the proxy and work as normal

Shield runs locally. Your agents route through it. When they attempt a privileged action, you get a prompt. Approve or deny.

# Install and start

$ npm install -g ellul

$ ellul login

$ ellul

Shield proxy running on localhost:3005

# Push code to remote

$ /git-push

Gate locked. Approve via passkey...

Passkey verified. Pushing to origin/main...

Done. Credential session destroyed.

# Set a secret

$ /set-secret STRIPE_KEY sk_live_...

Gate locked. Approve via passkey...

Secret encrypted and synced to vault.

Works with any agent

Claude Code, Codex, Cursor, Droid, Any CLI agent

Every privileged action requires your passkey.

Gates are permission boundaries with a default state of locked. Each gate has a TTL that auto-expires. The agent never holds credentials directly.

Agent: Requests action
Shield: Pauses request
You: FIDO2 passkey
Shield: Executes + destroys

/git-push | 5 min | Commit and push to remote | In-memory credential session
/set-secret | 30s | Set a secret | Encrypted vault sync
/paste-secrets | 30s | Paste and upload secrets | Encrypted vault sync
/enable-scope | Session | Enable a permission scope | Scoped policy grant
/set-policy | Session | Set a security policy | Policy enforcement
/revoke-device | Immediate | Revoke a trusted device | Device trust removal
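The gate behaviour described above (classify by destination and HTTP method, default-locked gates, TTL expiry) can be modelled in a few lines. This is an added example, not Ellul's code: the host list, the read-only method set and all function and class names are assumptions, and the two durations are the ones shown next to the gate names on this page, read here as TTLs.

```python
import time
from urllib.parse import urlsplit

# Hypothetical policy: destinations whose state-changing calls need approval.
PRIVILEGED_HOSTS = {"payments.example.com", "deploy.example.com"}
READ_ONLY_METHODS = {"GET", "HEAD", "OPTIONS"}
# Durations from the gate list on this page, in seconds (read as TTLs).
GATE_TTL = {"/git-push": 300, "/set-secret": 30}


def classify(method, url):
    """Return 'privileged' for a state-changing call to a listed host, else 'pass'."""
    host = (urlsplit(url).hostname or "").lower()
    if host in PRIVILEGED_HOSTS and method.upper() not in READ_ONLY_METHODS:
        return "privileged"
    return "pass"


class Gate:
    """A permission boundary that is locked unless a fresh approval exists."""

    def __init__(self, name, clock=time.monotonic):
        self.name, self.ttl, self.clock = name, GATE_TTL[name], clock
        self.expires_at = None  # None means locked, which is the default state

    def approve(self, passkey_verified):
        # Only a verified passkey assertion unlocks; anything else stays locked.
        if passkey_verified is True:
            self.expires_at = self.clock() + self.ttl
        return self.is_open()

    def is_open(self):
        if self.expires_at is not None and self.clock() >= self.expires_at:
            self.expires_at = None  # TTL elapsed: relock automatically
        return self.expires_at is not None


def handle(gate, method, url):
    """Decide what the proxy does with one request."""
    if classify(method, url) == "pass":
        return "forward"
    return "forward" if gate.is_open() else "pause-for-approval"
```

The clock is injectable so the expiry path can be exercised without waiting for a real TTL to elapse.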

Defense Summary

The adversary is not an external attacker. The adversary is the AI agent itself. Traditional security assumes the workload is trusted. Agentic security assumes the workload is potentially adversarial and the infrastructure must constrain it.

Secret exfiltration via env vars | Kernel | Secrets not in agent's environment; injected via gate-controlled stdin pipe
Secret exfiltration via file read | Kernel | Shield data in shield-runner-owned directories (700 perms)
Secret exfiltration via /proc | Kernel | ptrace_scope=1 blocks cross-UID ptrace; hidepid=2 on /proc
Credential theft via crash dump | Kernel | LimitCORE=0 on Shield systemd unit
Unauthorized git push | Kernel + Crypto | 9-layer defense: in-memory credentials, session tokens, gate tokens, safeGitCmd
Unauthorized deploy | Kernel | Caddy config dirs caddy:caddy 2770; agent not in caddy group
Database access without approval | Application + DB | Per-app PostgreSQL roles; query proxy classifies SQL and enforces gate
Network exfiltration | Kernel | Per-namespace nftables egress whitelist
Cross-project data access | Kernel | Mount namespace isolation; rsync snapshots with security filter
Side-channel (cross-tenant) | Hardware | Sovereign Host: no co-tenancy. Standard: namespace + seccomp
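Four of the kernel-level settings listed above (ptrace_scope, hidepid on /proc, LimitCORE=0, 700 directory permissions) can be verified on any Linux host. The checker below is an added example, not part of Ellul; the function names and sample inputs are constructed, and the unit file and data directory are placeholders the caller supplies.

```python
# Constructed sample inputs (not captured from a real host).
SAMPLE_MOUNTS = (
    "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=invisible 0 0\n"
)
SAMPLE_UNIT = (
    "[Unit]\nDescription=constructed sample\n\n"
    "[Service]\nExecStart=/usr/bin/true\nLimitCORE=0\n"
)


def proc_mount_options(mounts_text):
    """Return the option string of the /proc mount from /proc/mounts text."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc" and fields[2] == "proc":
            return fields[3]
    return ""


def audit(ptrace_scope, proc_opts, unit_text, data_dir_mode):
    """Return the names of settings that do not match; empty means all pass.

    On a real host the inputs come from /proc/sys/kernel/yama/ptrace_scope,
    /proc/mounts, the service's unit file, and os.stat(dir).st_mode & 0o777.
    """
    findings = []
    # Yama: 0 is unrestricted; 1 or higher restricts ptrace attach.
    if int(ptrace_scope.strip()) < 1:
        findings.append("ptrace_scope")
    # /proc/mounts prints hidepid=2 on older kernels, hidepid=invisible on 5.8+.
    if not {"hidepid=2", "hidepid=invisible"} & set(proc_opts.split(",")):
        findings.append("hidepid")
    # LimitCORE only counts inside [Service]; the last assignment wins.
    section, limit = None, None
    for line in (raw.strip() for raw in unit_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line
        elif section == "[Service]" and line.startswith("LimitCORE="):
            limit = line.split("=", 1)[1].strip()
    if limit not in ("0", "0:0"):
        findings.append("LimitCORE")
    # Mode 700 means no group or other permission bits at all.
    if data_dir_mode & 0o077:
        findings.append("data_dir_mode")
    return findings
```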

What we claim

Standard Instances provide stronger logical isolation than container-based sandboxes by using namespace stacking with no escape hatches.

Sovereign Hosts mitigate cross-tenant side-channel attack classes by eliminating co-tenancy. This is a design property, not a patch.

The gate system makes privileged agent actions require a cryptographic ceremony that terminates at a hardware authenticator.

Start free. Scale when you're ready.

Every project gets its own isolated sandbox. Upgrade to Pro for a dedicated server with encrypted persistent storage.

Free

Free

Try the platform. Shared instance with namespace isolation.

Shared Runtime
  • Web Terminal + AI Agents
  • Namespace isolation
  • Scale-to-zero (60 min sessions)
  • EU region
1 sandbox

Hobby

$20/mo

Always-on shared instance for side projects with persistent storage.

Shared Runtime
  • Always on (no hibernation)
  • Persistent storage
  • Web Terminal + AI Agents
  • Namespace isolation
  • Region selection
2 sandboxes
Coming Soon

Pro

$50/mo

Your own dedicated server with encrypted persistent storage and sovereign-grade security.

Sovereign Runtime
  • Dedicated server (always on)
  • LUKS2 encrypted persistent storage
  • Custom domains + direct deploy
  • Full port access + SSH
  • Global regions
5 sandboxes
Coming Soon

Three commands. No code changes. Hardware-backed approval for every privileged action.