Security

Sandbox isolation, network controls, and the coSPEC security model

Sandbox Isolation

Every run gets its own gVisor sandbox. gVisor intercepts system calls at the kernel level, preventing the agent from accessing host resources or other tenants.

  • No shared resources between runs or tenants
  • Non-root execution, no privilege escalation
  • Sandbox is destroyed after run completion

Network Egress Control

All outbound traffic is blocked except explicitly allowed domains. The default allowlist covers git providers, the Anthropic API, and package registries.

Custom domains are configurable per template (up to 20). Private IP ranges (10.x, 172.16.x, 192.168.x, link-local) are always blocked.

See Templates — Egress Control for the full default domain list.
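
The egress policy described above, written out as a decision function; this is an added example, not coSPEC's own code. The allowlist entries are constructed placeholders rather than the real default list, the CIDRs are the RFC 1918 and link-local blocks that the listed ranges are assumed to mean, and the function names and exact-match hostname comparison are assumptions of this example.

```python
import ipaddress

# Constructed sample allowlist; NOT coSPEC's real default domain list.
DEFAULT_ALLOW = {"git.example.com", "registry.example.org"}
MAX_CUSTOM_DOMAINS = 20  # per-template limit stated on the page

# Ranges the page says are always blocked, read here as RFC 1918 plus
# IPv4/IPv6 link-local (assumption about the exact CIDRs).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fe80::/10")]


def build_allowlist(custom_domains):
    """Merge a template's custom domains into the default allowlist."""
    custom = {d.strip().lower().rstrip(".") for d in custom_domains}
    if len(custom) > MAX_CUSTOM_DOMAINS:
        raise ValueError("template exceeds 20 custom domains")
    return DEFAULT_ALLOW | custom


def ip_blocked(ip_text):
    """True if the address falls in an always-blocked range."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it cannot bypass the check.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)


def egress_allowed(host, resolved_ips, allowlist):
    """Decide one outbound connection.

    host: name the sandbox asked for; resolved_ips: addresses the resolver
    returned for it (passed in so the example runs offline).
    """
    host = host.strip().lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False  # raw IP literals are not allowlisted domains
    except ValueError:
        pass
    if host not in allowlist:
        return False  # exact match only: no suffix or substring matching
    # An allowed name that resolves into a blocked range is still denied.
    return bool(resolved_ips) and not any(ip_blocked(i) for i in resolved_ips)
```

Checking the resolved addresses as well as the name is what keeps an allowlisted domain from being pointed at a private or link-local address.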

Audit Trail

Every run action is logged: sandbox creation, git clone, agent messages, tool calls, and errors.

Authentication

  • API keys — prefixed (csk_live_*), hashed and never stored in plaintext. See API Keys.
  • Dashboard — session-based with email verification and OAuth (Google, GitHub).
