No provider secrets in shells
Commands inside the terminal call Bash27 APIs. The backend signs provider requests and writes usage events.
Security
Provider keys stay behind the gateway.
The terminal should be useful, but not trusted. Containers get scoped runtime access while billing and model credentials stay server-side.
Container limits
CPU, memory, disk, network, idle timeout, and process limits are enforced per workspace.
Audit trail
Workspace starts, commands, model requests, billing events, admin actions, and shutdowns are recorded.
Abuse controls
Rate limits, credit floors, domain allowlists, manual kill switches, and account holds protect cost exposure.