Security Model
Defense in depth: authentication, authorization, instance isolation, and network security.
SkyKoi implements defense in depth with multiple security layers protecting your agent and data.
Security Layers
```text
Layer 1: Clerk Authentication
├── Email/password + social login
├── Multi-factor authentication (MFA)
└── Session management

Layer 2: Role-Based Access Control (RBAC)
├── Owner → Admin → Member → Viewer
├── Per-organization scoping
└── API key permission inheritance

Layer 3: Dedicated EC2 Isolation
├── One EC2 instance per user
├── Separate process, filesystem, network
├── Own security group and IP address
└── No shared resources between users

Layer 4: Gateway Token Auth
├── Token-based WebSocket authentication
├── gateway.auth.mode: "token"
└── Unique token per instance

Layer 5: IAM Instance Profile
├── skykoi-tenant-agent-profile
├── Scoped AWS permissions (Bedrock access)
└── No cross-user access

Layer 6: Network Security
├── Security group (ports 22, 80, 443, 8080, 18789)
├── nginx reverse proxy with self-signed TLS
├── Gateway on localhost only (18789)
└── WSS for all client connections

Layer 7: Webhook Verification
├── Clerk: Svix signature verification
└── Stripe: constructEvent() signature verification
```
Instance Isolation
The strongest security feature of SkyKoi is dedicated EC2 instances. Unlike container-based multi-tenant architectures, each user gets:
- Their own server — Separate EC2 instance with dedicated CPU, memory, disk, and network
- Their own filesystem — Workspace, sessions, and config are on a private EBS volume
- Their own network — Separate security group rules, no shared network namespace
- Their own IAM scope — Instance profile controls what AWS services the agent can access
- No cross-talk — Zero shared state between user instances
Gateway Security
The Agent Gateway has its own security model:
- Token-based auth — Required for all WebSocket connections (gateway.auth.mode: "token"). Each instance has its own token (Layer 4 above), so a token leaked from one instance does not open another.
- TLS — nginx terminates TLS on port 443 with a self-signed certificate. Clients cannot validate that certificate against a public CA, so they must trust or pin the instance's own certificate; a client that simply disables certificate verification gets encryption without authentication and can be intercepted.
- Localhost binding — The gateway listens on localhost:18789 only and is reached from outside only through nginx. The 18789 entry in the security group therefore exposes nothing by itself; the loopback bind is the control that matters, so confirm on the instance that nothing listens on 18789 on a non-loopback address after any gateway config change.
- Tool policies — Per-agent allow/deny lists for tools
- Shell commands — Run with the ubuntu user's permissions. There is no separate sandboxed account for the agent, so the tool policies above are what limits which commands it can reach.
Security Audit
The agent runtime includes a built-in security audit tool for scanning and hardening your instance.
🚨 Running an AI agent with full shell access is inherently powerful. The agent can execute any command the ubuntu user can, and on stock Ubuntu AMIs that user has passwordless sudo, so unless sudo has been removed from it the agent is effectively root on its instance. SkyKoi configures sensible defaults, but you should understand the implications of full shell access before enabling tools that reach the shell.
