Security

Non-root execution, secret injection lifecycle, setuid removal, cosign signing, and supply chain hardening in workspace images.

Workspace images follow defense-in-depth principles. Every layer adds a security boundary.

Non-Root Execution

Agents run as the agent user (UID 1000), never as root. The container user is switched in the Dockerfile's final stage:

USER agent

All workspace directories (/workspace, /opt/agentic) are owned by the agent user with minimal permissions.

SetUID/SetGID Removal

All setuid and setgid binaries are stripped during the build (excluding /usr/local where toolchain binaries live):

RUN find / -path /usr/local -prune -o -perm /6000 -type f -exec chmod a-s {} \; 2>/dev/null || true

This prevents privilege escalation even if an agent executes a compromised binary.
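As an added illustration (not the project's build code), the following Python audit reproduces what the find/chmod line above does and turns it into a check you can run against an unpacked image rootfs in CI: list regular files that still carry setuid or setgid, prune an allowlisted prefix the way -path /usr/local -prune does, and strip the bits. The demo() tree, its file names and the /usr/local allowlist are constructed for the example.

```python
"""Added example (not the project's build code): audit a directory tree for
regular files that still carry the setuid or setgid bit, pruning an
allowlisted prefix the way the Dockerfile's `-path /usr/local -prune` does,
and optionally strip the bits (chmod a-s). demo() builds a constructed tree
in a temporary directory; the file names in it are made up."""
import os
import stat
import tempfile

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID  # the 6000 in `-perm /6000`


def find_special_bits(root, skip_prefix=None):
    """Paths under root (symlinks not followed) whose mode has setuid or setgid,
    excluding everything at or below skip_prefix."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if skip_prefix and os.path.commonpath([dirpath, skip_prefix]) == skip_prefix:
            dirnames[:] = []  # prune: do not descend into the allowlisted subtree
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & SPECIAL_BITS:
                hits.append(path)
    return sorted(hits)


def strip_special_bits(root, skip_prefix=None):
    """Clear setuid/setgid on every hit (equivalent of chmod a-s); returns the count."""
    hits = find_special_bits(root, skip_prefix)
    for path in hits:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~SPECIAL_BITS)
    return len(hits)


def demo():
    """Constructed tree: usr/bin/vuln (setuid) and usr/local/bin/tool (setuid).
    Returns (hits before, files changed, hits after, allowlisted hits still set)."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("usr/bin/vuln", "usr/local/bin/tool"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(path, 0o4755)  # constructed: give the file a setuid bit
        skip = os.path.join(root, "usr", "local")
        before = find_special_bits(root, skip)
        changed = strip_special_bits(root, skip)
        after = find_special_bits(root, skip)
        kept = find_special_bits(skip)  # the allowlisted toolchain binary keeps its bit
        return (len(before), changed, len(after), len(kept))


if __name__ == "__main__":
    print(demo())
```

Run find_special_bits() over an exported image filesystem as a post-build gate: a non-empty result outside the allowlist means the chmod step did not run where it should have. The pruning uses os.path.commonpath rather than a string prefix test so that a directory such as /usr/localfoo is not silently exempted.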

Secret Injection Lifecycle (ADR-024)

Secrets (API keys, tokens) are never baked into images. The injection lifecycle:

  1. Setup phase: Orchestrator injects secrets via sidecar proxy or environment variables
  2. Execution phase: Agent runs with access to injected secrets
  3. Cleanup phase: Secrets are revoked/cleared before container destruction

The sidecar proxy (ADR-022) is the preferred injection method: the agent process never sees raw API keys. The proxy intercepts outbound requests and adds authentication headers.
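The three phases and the proxy pattern, as an added example that is not the project's sidecar (ADR-022) and is not its code: a loopback HTTP proxy that alone holds the key and adds the Authorization header on the way out, a stub upstream standing in for the vendor API, and an agent-side caller that never receives a credential. The API key, ports and path are constructed for the example.

```python
"""Added example (not the project's sidecar): a minimal secret-injecting proxy
that models the three phases on this page. The agent calls the proxy with no
credential; the proxy alone holds the key and adds the Authorization header
before forwarding. A stub upstream stands in for the vendor API, and the key
is a constructed placeholder."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

API_KEY = "constructed-placeholder-key"  # never exported into the agent's environment


class Upstream(BaseHTTPRequestHandler):
    """Stub vendor API: 200 only when the expected bearer token is present."""

    def do_GET(self):
        ok = self.headers.get("Authorization") == f"Bearer {API_KEY}"
        self.send_response(200 if ok else 401)
        self.end_headers()
        self.wfile.write(b"ok" if ok else b"unauthorized")

    def log_message(self, *args):  # keep the demo quiet
        pass


class SecretProxy:
    """Holds the secret between setup() and cleanup(); forwards agent requests."""

    def __init__(self, upstream_port):
        self.upstream = f"http://127.0.0.1:{upstream_port}"
        self.secret = None

    def setup(self, secret):  # phase 1: orchestrator injects the secret
        self.secret = secret

    def cleanup(self):  # phase 3: secret cleared before teardown
        self.secret = None

    def handler(self):
        proxy = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                if proxy.secret is None:
                    # Outside the execution phase: refuse rather than forward unauthenticated
                    self.send_response(503)
                    self.end_headers()
                    self.wfile.write(b"no secret")
                    return
                req = urllib.request.Request(
                    proxy.upstream + self.path,
                    headers={"Authorization": f"Bearer {proxy.secret}"})
                try:
                    with urllib.request.urlopen(req, timeout=5) as r:
                        status, body = r.status, r.read()
                except urllib.error.HTTPError as e:
                    status, body = e.code, e.read()
                self.send_response(status)
                self.end_headers()
                self.wfile.write(body)

            def log_message(self, *args):
                pass

        return Handler


def serve(handler):
    """Start a server on an ephemeral loopback port in a daemon thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def agent_call(port, path="/v1/messages"):
    """The agent's side: a plain request with no credential; returns the status."""
    try:
        with urllib.request.urlopen(f"http://127.0.0.1:{port}{path}", timeout=5) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code


def run_lifecycle():
    """Status codes the agent observes: direct to upstream without a key, then via
    the proxy before setup, during execution, and after cleanup."""
    up = serve(Upstream)
    proxy = SecretProxy(up.server_address[1])
    px = serve(proxy.handler())
    port = px.server_address[1]
    direct = agent_call(up.server_address[1])  # 401: the agent has no key of its own
    before = agent_call(port)                  # 503: nothing injected yet
    proxy.setup(API_KEY)
    during = agent_call(port)                  # 200: proxy adds the header
    proxy.cleanup()
    after = agent_call(port)                   # 503: secret gone, proxy refuses
    px.shutdown()
    up.shutdown()
    return {"direct": direct, "before": before, "during": during, "after": after}


if __name__ == "__main__":
    print(run_lifecycle())
```

The point of the 503 branches is that the proxy fails closed: once cleanup() has run, an agent request is refused rather than forwarded without a credential, so a process that outlives the execution phase gets nothing usable.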

Vendor Telemetry Disabled

All vendor phone-home telemetry is disabled by default:

Variable                     Purpose
DISABLE_TELEMETRY=1          Disable Anthropic's Statsig usage metrics
DISABLE_ERROR_REPORTING=1    Disable Anthropic's Sentry error reporting
RTK_TELEMETRY_DISABLED=1     Disable RTK analytics

Only the explicitly configured OTel export (to your own collector) sends data out.

Supply Chain Security

Image Signing

Every published image is signed with cosign using keyless OIDC (Sigstore). Verify signatures:

cosign verify ghcr.io/agentparadise/agentic-workspace-claude-cli:latest

With cosign 2.x, keyless verification additionally requires the expected signing identity and OIDC issuer (--certificate-identity-regexp and --certificate-oidc-issuer); without them the command refuses to verify. Supply the issuer of the build workflow's OIDC provider and a regexp matching that workflow's identity; this page does not list the project's values. Once a tag has been verified, deploy it by digest rather than by the mutable latest tag.

SLSA Provenance + SBOM

Images include SLSA provenance attestations and Software Bill of Materials (SBOM) generated by BuildKit. These are attached as OCI artifacts alongside the image.
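As an added example (not the project's tooling), a policy check over a provenance statement of the in-toto shape that BuildKit attaches: it runs after cosign has verified the attestation's signature (the JSON is only trustworthy once accepted) and confirms the statement covers the digest being deployed, that the predicate is SLSA provenance, and that the builder id is the one you trust. The embedded statement, its digest and its builder id are constructed placeholders.

```python
"""Added example (not the project's code): a policy check over an in-toto
provenance statement of the kind BuildKit attaches to an image as an OCI
artifact. Run it only after the attestation's signature has been verified.
The statement below is constructed; the digest and builder id are placeholders."""
import json

PLACEHOLDER_DIGEST = "a" * 64
PLACEHOLDER_BUILDER = "https://example.invalid/trusted-builder"

EXAMPLE_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{
        "name": "ghcr.io/agentparadise/agentic-workspace-claude-cli",
        "digest": {"sha256": PLACEHOLDER_DIGEST},
    }],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {"builder": {"id": PLACEHOLDER_BUILDER}},
})


class ProvenanceError(Exception):
    pass


def _normalize_digest(digest):
    """Accept both 'sha256:<hex>' and bare hex."""
    return digest.split(":", 1)[1] if digest.startswith("sha256:") else digest


def check_provenance(statement_json, image_digest, trusted_builder_id):
    """Raise ProvenanceError unless the statement is SLSA provenance covering
    image_digest and produced by trusted_builder_id; return the subject name."""
    stmt = json.loads(statement_json)
    ptype = stmt.get("predicateType", "")
    if not ptype.startswith("https://slsa.dev/provenance/"):
        raise ProvenanceError(f"not SLSA provenance: {ptype!r}")
    want = _normalize_digest(image_digest)
    for subject in stmt.get("subject", []):
        if subject.get("digest", {}).get("sha256") == want:
            break
    else:
        raise ProvenanceError("statement does not cover the deployed image digest")
    builder = stmt.get("predicate", {}).get("builder", {}).get("id")
    if builder != trusted_builder_id:
        raise ProvenanceError(f"built by {builder!r}, not the trusted builder")
    return subject["name"]


def verdict(statement_json, image_digest, trusted_builder_id):
    """Non-raising form for a deploy gate: (ok, reason)."""
    try:
        name = check_provenance(statement_json, image_digest, trusted_builder_id)
        return True, f"ok: {name}"
    except ProvenanceError as e:
        return False, str(e)


if __name__ == "__main__":
    print(verdict(EXAMPLE_STATEMENT, "sha256:" + PLACEHOLDER_DIGEST, PLACEHOLDER_BUILDER))
```

The digest comparison is the step that matters: a valid signature on a statement about some other image proves nothing about the one being pulled, so the gate ties the attestation to the exact digest it is about to run.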

Action SHA Pinning

All GitHub Actions in the build workflow are pinned to commit SHAs, preventing supply chain attacks via mutable tags.
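A lint that enforces this rule, as an added example that is not the project's CI code: it scans a workflow's uses: references and reports any third-party action not pinned to a full 40-character commit SHA (local ./ actions have no ref and are skipped; docker:// references must carry an @sha256 digest). The workflow text, the all-zero SHA and the action names are constructed.

```python
"""Added example (not the project's CI code): flag GitHub Actions `uses:`
references that are not pinned to a full commit SHA. The workflow below is
constructed; the 40-zero SHA is a placeholder, not a real commit."""
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)['\"]?", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

EXAMPLE_WORKFLOW = """\
name: build
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: "sigstore/cosign-installer@main"
"""


def unpinned_actions(workflow_text):
    """Return the `uses:` references that a mutable tag or branch could redirect."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(1)
        if ref.startswith("./"):
            continue  # local action: versioned with the repo itself
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append(ref)  # image tag, not a digest
            continue
        if "@" not in ref:
            findings.append(ref)  # no ref at all resolves to the default branch
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            findings.append(ref)  # tag or branch: can be moved after review
    return findings


if __name__ == "__main__":
    for ref in unpinned_actions(EXAMPLE_WORKFLOW):
        print("unpinned:", ref)
```

Keep the human-readable version in a trailing comment next to the SHA, as the checkout line does; the lint ignores the comment, and dependency-update tooling can still bump the pin.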

Read-Only Root Filesystem

In production deployments, the root filesystem is mounted read-only. Writable paths are limited to:

  • /workspace: Agent working directory
  • /tmp: Temporary files
  • /home/agent: Agent home (tmpfs mount)

This prevents agents from modifying system binaries or installing persistent backdoors.

Syntropic137 Docs v0.25.4 · Last updated March 2026