Documentation
Ellul is the security infrastructure for autonomous agents. We provide the isolation spectrum (OCI namespaces to dedicated bare-metal) and the FIDO2 gate system that ensures agents cannot act without explicit, hardware-backed permission.
Whether you are securing a single AI coding agent or embedding hardware-backed governance into a multi-tenant platform, Ellul provides the compute, the proxy, and the cryptographic ceremonies to make it work.
Getting Started
Go from zero to a running, gate-protected environment in under 60 seconds.
Create an account
Sign up with a FIDO2 passkey. Your biometric or hardware key is the root of every approval. No passwords to leak.
Launch a sandbox
Pick a plan (Hobby or Pro). Your encrypted sandbox provisions automatically in EU. LUKS2 volume, namespace isolation, managed Postgres.
Build with AI in the browser
Open the web terminal and run Claude Code, Codex, Cursor, or OpenCode. Every privileged action like git push, database write, or secret access pauses for your passkey.
Use Cases
Agent security
Gate-protect any AI coding agent (Claude Code, Codex, Cursor, OpenCode). Prevent unauthorized git pushes, database writes, and secret exfiltration.
Financial agent isolation
Run agents that hold wallet keys or API credentials on dedicated bare-metal. No co-tenancy, no side-channel exposure.
Platform embedding
Use the Headless Trust API to add hardware-backed authorization to your own agent platform. Zero-knowledge secret provisioning included.
Compliance workloads
Hash-chained audit logs, FIDO2 ceremonies for every privileged action, single-tenant kernels. SOC 2-ready by design.
Security features
Capabilities your server advertises on every heartbeat.
Capability reporting
The mechanism that powers every capability gate in the dashboard. Each release declares its feature set in the central registry and reports it via liveness ping.
com.ellul.ai.enforcer.capability.capability-report.v1
Liveness ping
Unconditional 60s heartbeat channel. Drives the online/stale/offline indicator and surfaces server presence even when nothing is changing.
com.ellul.ai.enforcer.capability.liveness-ping.v1
Manual update mode
Lets the operator hold the server on a verified version and approve each update manually via the Update Now button. Implemented via signed apply-pending-update commands on the existing command queue.
com.ellul.ai.enforcer.capability.manual-mode.v1
Runtime self-hash attestation
The running enforcer computes its own binary sha256 on every ping and stamps the first 12 hex chars into the agentVersion field. Unforgeable proof that the code actually executing matches the build that was signed and shipped.
com.ellul.ai.enforcer.capability.self-hash-attest.v1
Pre-flight self-test
Before the self-updating enforcer flips its own symlink it runs the staged binary in --self-test mode and requires exit code 0. Catches broken binaries before they can replace the live enforcer.
com.ellul.ai.enforcer.capability.self-test.v1
sha256 drift detection
On every sync tick the on-disk binary sha256 is checked against the manifest. A mismatch forces re-download, so a code change republished under the same version is detected and re-applied automatically.
com.ellul.ai.enforcer.capability.sha256-drift-check.v1
Signed manifest + hash chain
Every platform manifest is ML-DSA-65 post-quantum signed and verified on the VPS before any bytes are applied. Hash-chain anti-replay refuses manifests whose previousVersion doesn't match the local state.
com.ellul.ai.enforcer.capability.signed-manifest.v1
Architecture Overview
Ellul is built on three pillars:
Ellul Foundry (Execution)
Compute across a spectrum of isolation: OCI namespaces (Standard), Firecracker MicroVMs (Secure), and dedicated bare-metal (Sovereign). On wholesale hardware, not hyperscaler resale.
Ellul Control (Governance)
Sovereign Shield reverse proxy sits between agent and all privileged operations. Every gate requires FIDO2 passkey confirmation. Credentials exist only in Shield's process memory.
Ellul Studio (Application)
Browser-native workspace with web terminal, code browser, agent chat, and gate dashboard. Upgrade from Standard to Sovereign from the dashboard with zero code changes.
Core Invariant
Agents cannot act without explicit, hardware-backed permission. This is enforced at the kernel level (DAC, namespaces, ptrace), not the application level.
Ready to start?
Create a free account and have a gate-protected environment in under a minute.