
Security & Governance

Role-based access control, Docker isolation, and granular permission management for AI agents

The Problem: Unrestricted AI Agent Access

AI agents with unrestricted access create security risks:

❌ Without Security Controls:
  • All agents have full read/write/execute permissions
  • No distinction between testing agents and production agents
  • Agents run on the host system with unrestricted file access
  • No audit trail of what agents did or which tools they used
  • MCP tools available to all agents regardless of task needs
✅ Agiflow Security Solution: Agiflow addresses these risks with role-based permissions, Docker sandbox isolation, and API key scoping.

Implemented Security Features

1. Role-Based Access Control (RBAC)

Organization members and API keys are assigned roles with specific permission sets. Roles control access to projects, agents, sessions, billing, and organization settings.

Available Roles

Owner (Full Control)

All permissions including organization deletion, member management, billing, and security settings

Admin (Administrative Access)

Manage projects, agents, sessions, API keys. Limited billing access. Cannot delete organization.

Member (Standard User)

Create/update projects, execute agents, manage own sessions and API keys. Read-only org and billing.

Agent (AI Agent Member)

Minimal permissions: Read projects, execute agents, manage sessions. For AI agent members only.

2. Docker Sandbox Isolation

Agents run in isolated Docker containers with restricted file system access, resource limits, and optional network isolation. The agent-cli automatically launches agents in autonomous mode inside the sandbox when executing tasks or work units.

💡 Sandbox Features:
  • Isolated File System: Working directory mounted at /workspace, host files inaccessible
  • Credential Mounting: SSH keys (read-only), Claude credentials, git config
  • Package Manager Caching: Named volumes for pnpm, npm, node-gyp to improve performance
  • Network Modes: Configurable via VITE_AGENT_CLI_DOCKER_NETWORK
  • Automatic Cleanup: Containers terminated gracefully on exit (SIGTERM → SIGKILL after 3s)
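The sandbox properties listed above, shown as an added example that is not the agent-cli's own code: a function that builds the `docker run` invocation (writable bind mount only for the working directory at /workspace, SSH keys and git config read-only, package caches in named volumes, network mode taken from VITE_AGENT_CLI_DOCKER_NETWORK), a check that no other host path is writable from the container, and the graceful stop sequence (SIGTERM, then SIGKILL after 3 seconds). The image name, in-container mount targets and volume names are assumptions; the Claude credential mount is omitted because its path is not given on the page, and `demo_stop` uses a plain child process as a stand-in for a container so the stop logic can be exercised without Docker.

```python
"""Added example (not Agiflow's code): a Docker sandbox invocation with the
properties the page lists, plus the SIGTERM -> SIGKILL stop sequence.
Image name, mount targets and volume names are assumptions."""
import os
import subprocess
import sys

GRACE_SECONDS = 3  # page: SIGTERM, then SIGKILL after 3s


def build_sandbox_command(workdir, image="agent-runtime:latest", home=None):
    """Return a `docker run` argv list for the sandbox.

    Only `workdir` is writable (mounted at /workspace); ~/.ssh and
    ~/.gitconfig are mounted read-only; package caches live in named volumes
    so they never touch the host tree; the network mode comes from
    VITE_AGENT_CLI_DOCKER_NETWORK (the variable the page names), defaulting
    to Docker's "bridge".
    """
    home = home or os.path.expanduser("~")
    network = os.environ.get("VITE_AGENT_CLI_DOCKER_NETWORK", "bridge")
    return [
        "docker", "run", "--rm",
        "--workdir", "/workspace",
        "--network", network,
        "-v", f"{os.path.abspath(workdir)}:/workspace",
        "-v", f"{os.path.join(home, '.ssh')}:/root/.ssh:ro",
        "-v", f"{os.path.join(home, '.gitconfig')}:/root/.gitconfig:ro",
        "-v", "agent-pnpm-store:/root/.local/share/pnpm",   # assumed volume names
        "-v", "agent-npm-cache:/root/.npm",
        "-v", "agent-node-gyp:/root/.cache/node-gyp",
        image,
    ]


def writable_host_mounts(argv):
    """Host paths the container could write to through bind mounts.

    Named volumes (no leading '/') and ':ro' mounts are excluded, so for a
    correctly built sandbox this is exactly [workdir]; anything else here
    means host files leaked into the container.
    """
    leaks = []
    for flag, spec in zip(argv, argv[1:]):
        if flag != "-v":
            continue
        parts = spec.split(":")
        src, opts = parts[0], (parts[2] if len(parts) > 2 else "")
        if src.startswith("/") and "ro" not in opts.split(","):
            leaks.append(src)
    return leaks


def stop_gracefully(proc, grace=GRACE_SECONDS):
    """SIGTERM the child; if it is still running after `grace` seconds, SIGKILL it.

    Returns the Popen return code: negative values are the terminating signal
    (-15 for SIGTERM, -9 for SIGKILL), as Popen reports them on POSIX.
    """
    proc.terminate()                      # SIGTERM
    try:
        proc.wait(timeout=grace)
    except subprocess.TimeoutExpired:
        proc.kill()                       # SIGKILL after the grace period
        proc.wait()
    return proc.returncode


def demo_stop(ignore_sigterm, grace=GRACE_SECONDS):
    """Spawn a stand-in child (constructed for this demo, not a container) and
    stop it.  With ignore_sigterm=True the child masks SIGTERM, which is the
    case that forces the SIGKILL escalation."""
    code = "import signal, time\n"
    if ignore_sigterm:
        code += "signal.signal(signal.SIGTERM, signal.SIG_IGN)\n"
    code += "print('ready', flush=True)\ntime.sleep(60)\n"
    proc = subprocess.Popen([sys.executable, "-c", code], stdout=subprocess.PIPE)
    proc.stdout.readline()                # wait until the child has set up
    try:
        return stop_gracefully(proc, grace)
    finally:
        proc.stdout.close()


if __name__ == "__main__":
    argv = build_sandbox_command(".")
    print(" ".join(argv))
    print("writable host paths:", writable_host_mounts(argv))
    print("cooperative child ended with", demo_stop(False))
    print("SIGTERM-ignoring child ended with", demo_stop(True))
```

`writable_host_mounts` is the check worth keeping in a CI job: run it over whatever command the launcher actually produces and fail the build if the list contains anything besides the working directory.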

3. API Key Permission Scoping

API keys can be scoped to specific permission sets for CI/CD, agent execution, or read-only access. Predefined permission groups are available for common use cases.
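The role model from section 1 and the key scoping from section 3, as an added example that is not Agiflow's own code: a small policy evaluator with the four roles on the page, an "own resource" rule for members and agents, and API keys whose effective permissions are the requested scope intersected with the owning user's role, so a key can never exceed what its creator holds. The permission names, the role-to-permission map and the predefined group names are assumptions that follow the page's role descriptions; the product's real identifiers may differ.

```python
"""Added example (not Agiflow's code): RBAC roles plus scoped API keys.
Permission names and the role map are assumptions derived from the page's
role descriptions."""
from dataclasses import dataclass
from typing import Optional

ALL_PERMISSIONS = frozenset({
    "org:read", "org:update", "org:delete", "member:manage",
    "billing:read", "billing:manage", "security:manage",
    "project:read", "project:create", "project:update",
    "agent:execute", "agent:manage",
    "session:manage", "session:manage_own",
    "apikey:manage", "apikey:manage_own",
})

# Assumed mapping of the page's four roles onto named permissions.
ROLE_PERMISSIONS = {
    # Owner: everything, including org deletion, members, billing, security.
    "owner": ALL_PERMISSIONS,
    # Admin: manage projects/agents/sessions/keys; billing read-only; no org delete.
    "admin": ALL_PERMISSIONS - {"org:delete", "member:manage",
                                "billing:manage", "security:manage"},
    # Member: create/update projects, run agents, own sessions/keys; read-only org+billing.
    "member": frozenset({"org:read", "billing:read", "project:read",
                         "project:create", "project:update", "agent:execute",
                         "session:manage_own", "apikey:manage_own"}),
    # Agent: minimal set for AI agent members.
    "agent": frozenset({"project:read", "agent:execute", "session:manage_own"}),
}

# Assumed predefined groups for the use cases the page names.
PERMISSION_GROUPS = {
    "ci_cd": frozenset({"project:read", "agent:execute", "session:manage_own"}),
    "agent_execution": frozenset({"project:read", "agent:execute", "session:manage_own"}),
    "read_only": frozenset({"org:read", "project:read", "billing:read"}),
}


@dataclass(frozen=True)
class Principal:
    """A user or an API key acting on behalf of a user.

    `scopes` is None for a user (full role) and a permission subset for a key.
    """
    id: str
    role: str
    scopes: Optional[frozenset] = None

    def permissions(self):
        role_perms = ROLE_PERMISSIONS[self.role]
        if self.scopes is None:
            return role_perms
        # A key is capped by its owner's role, whatever scope was requested.
        return role_perms & self.scopes


def api_key(owner, scopes):
    """Create a key principal: it acts as `owner`, limited to `scopes`."""
    return Principal(id=owner.id, role=owner.role, scopes=frozenset(scopes))


def is_allowed(principal, permission, resource_owner=None):
    """Decide whether `principal` may perform `permission`.

    The `<perm>_own` variant grants the action only on resources owned by the
    caller (`resource_owner` is the id of the resource's owning user).
    """
    perms = principal.permissions()
    if permission in perms:
        return True
    return permission + "_own" in perms and resource_owner == principal.id


if __name__ == "__main__":
    member = Principal("u3", "member")
    ci = api_key(member, PERMISSION_GROUPS["ci_cd"] | {"org:delete"})
    print("member updates project:", is_allowed(member, "project:update"))
    print("member manages another's session:",
          is_allowed(member, "session:manage", resource_owner="u2"))
    print("CI key can delete org:", is_allowed(ci, "org:delete"))
```

The intersection in `Principal.permissions` is the part worth copying: scoping a key down is only a real control if the key's ceiling is the owner's role, not the list of scopes the caller typed in.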

Upcoming Features (Future)

Per-Agent MCP Tool Proxying

Configure which MCP tools each agent can access. The backend will proxy tool calls and enforce the restrictions. For example, a backend agent gets database tools while a frontend agent gets only UI component tools.

Resource Quotas for Docker Containers

Configurable CPU and memory limits per agent session. Prevent resource exhaustion and ensure fair resource allocation across multiple agents.

Audit Logging for Agent Actions

Comprehensive audit trail of all agent tool usage, file modifications, and command executions. Queryable via API for compliance and debugging.

Network Isolation Policies

Whitelist/blacklist network access per agent. Restrict agents to internal services only or allow external API calls based on task requirements.

Related Documentation

Reliable Agent Execution

Learn how security applies to multi-agent workflows

Multi-Agent & MCP Integration

Learn about scoped MCP servers and tool permissions for agents

© 2025 Agiflow. All rights reserved.