The trust boundary for AI agents

Run agents with real power.

Hardened enclaves where AI agents push code, call APIs, and access services. Every outbound request is intercepted at the trust boundary. Credentials are injected at the edge, never visible inside.

Zero secrets exposed
100% egress mediated
<1ms policy overhead
How it works

From request to response. Every step mediated.

The agent can use tools, call APIs, and interact with services. Every action passes through a policy-enforcing mediation layer.

01

Enclave boots with zero secrets

A hardened, isolated environment starts with no API keys, no tokens, no credentials. The agent process runs with full compute but zero secrets to leak.

02

Agent makes an outbound request

When the agent calls an external API or pushes code, the request is caught at the trust boundary before it leaves the enclave. No direct egress.

03

Policy engine evaluates

The mediation layer checks the destination host, HTTP method, request scope, and rate against declared policy. Deny-by-default. No ambient authority.

04

Scoped credential injected at boundary

If allowed, the narrowest possible credential is injected at the proxy layer. The agent never sees the token. The runtime stays clean.

05

Request forwarded or blocked

Allowed requests proceed to the destination. Disallowed requests are denied. Every decision is written to the audit trail with full context.
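
The five steps above, sketched as one boundary decision function. This is an added example, not Celeris code or its API: the `Boundary` class, the allowed methods, the credential names and the bearer-style header are assumptions, while the hosts and the 60 req/min limit follow the sample enclave definition shown further down this page.

```python
import ipaddress
from collections import deque

# Constructed policy: hosts and the 60 req/min limit follow the page's sample
# enclave; the methods and credential names are assumptions for illustration.
POLICY = {
    "github.com": {"methods": {"GET", "POST"}, "cred": "github-scoped"},
    "s3.amazonaws.com": {"methods": {"PUT"}, "cred": "s3-scoped"},
}
RATE_LIMIT, WINDOW = 60, 60.0  # requests per window, window in seconds

class Boundary:
    def __init__(self, policy, secrets):
        self.policy = policy
        self.secrets = secrets  # lives in the proxy only, never in the agent
        self.audit = []         # one record per decision, no secret material
        self.recent = deque()   # timestamps of allowed requests

    def _deny_reason(self, host, method, now):
        while self.recent and now - self.recent[0] >= WINDOW:
            self.recent.popleft()
        try:
            ipaddress.ip_address(host)
            return "direct IP egress"
        except ValueError:
            pass  # not an IP literal, continue with the hostname checks
        rule = self.policy.get(host.lower())
        if rule is None:
            return "host not allowlisted"  # deny-by-default
        if method.upper() not in rule["methods"]:
            return "method not allowed"
        if len(self.recent) >= RATE_LIMIT:
            return "rate limit exceeded"
        return None

    def mediate(self, host, method, headers, now):
        """Return (decision, outbound_headers); headers are None on DENY."""
        reason = self._deny_reason(host, method, now)
        decision = "DENY" if reason else "ALLOW"
        self.audit.append({"t": now, "host": host, "method": method,
                           "decision": decision, "reason": reason})
        if reason:
            return decision, None
        self.recent.append(now)
        # Discard any Authorization the agent set, then attach the scoped one.
        # Bearer is illustrative; real injection is service-specific.
        out = {k: v for k, v in headers.items() if k.lower() != "authorization"}
        out["Authorization"] = "Bearer " + self.secrets[self.policy[host.lower()]["cred"]]
        return decision, out
```

The agent-supplied `Authorization` header is dropped before injection, and the audit records carry the decision and reason but never the credential value.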

Where trust lives

Most runtimes isolate code. Celeris isolates trust.

Every request meets policy before it meets the outside world.

Standard agent environments give untrusted code direct possession of secrets and unmediated network access. Celeris moves trust to an enforceable infrastructure boundary.

Agent Runtime

  • Zero credentials
  • Compute access
  • Tool execution
  • Mediated egress only

Trust Boundary

  • Policy enforced
  • Scoped credential injection
  • Audit logged

External World

  • github.com/api
  • s3.amazonaws.com
  • api.stripe.com

  • Zero credentials in runtime
  • Policy before egress
  • Scoped injection at boundary
  • Infrastructure-level enforcement
  • Bounded blast radius

Use cases

From one-off tasks to permanent workstations. Same trust boundary.

Coding agents, sandboxes, and persistent dev environments. Every outbound request is mediated regardless of runtime lifetime.

Agent workflows

Any coding agent. Same trust boundary.

Run Claude Code, Codex, Aider, or any coding agent inside a Celeris enclave. Agents get real tools and can spawn child enclaves for testing and orchestration. The boundary controls every outbound request.

  • Agents spawn child enclaves for isolated tasks
  • Push scoped to specific repos and branches
  • Every operation logged to audit trail
  • Credentials injected at boundary, never exposed
$ celeris agent run \
    --agent claude-code \
    --policy coding-agent \
    --auth-pack github:org/frontend

 Enclave booted (enc-7f2a)
 Policy: coding-agent
 Claude Code is running...

> celeris.spawn("node:20", ttl="10m")
 Child enclave: enc-8b3c
# push to feature/add-auth  allowed
# push to main  denied by policy
Agent Desktop

Full desktop. Agent-controlled. Completely isolated.

Give your agents a complete virtual desktop with terminal, browser, and GUI apps. They see and control everything inside the enclave while every action stays contained at the boundary.

Linux

Ubuntu, Debian, Alpine

Full root access with complete programmatic control. Ready for automation, development, and testing with any runtime or toolchain.

macOS

Ventura, Sonoma

Native macOS desktop for iOS development and testing. Code-controlled instances for mobile app automation and Apple ecosystem tooling.

Windows

Server 2022, Windows 11

Full Windows desktop with programmatic control. PowerShell, .NET, Visual Studio. Enterprise-ready for Windows-specific workflows.

Infrastructure

Built for agents that don't stop.

Sub-second boot. Persistent state. Global edge. Zero cold starts.

Cold start

Enclave boots before the agent blinks.

From API call to running process in under 100ms. No cold starts, no spin-up delays.

Boot stages: API call, VM alloc, Rootfs mount, Process start, Ready.

Traditional VM: ~3,200ms

Statefulness

Sessions that survive reboots.

Filesystems persist across enclave restarts. Months of uptime, not minutes.

Regions

Run near your agents, not your office.

Deploy enclaves in the region closest to your infrastructure.

  • US East (Virginia): 12ms
  • US West (Oregon): 48ms
  • EU West (Ireland): 89ms
  • EU Central (Frankfurt): 103ms
  • Asia Pacific (Tokyo): 142ms
  • Asia South (Mumbai): 168ms

Snapshots

Save, restore, resume. Instantly.

Capture full enclave state. Fork from any snapshot. Branch your agent's work.

Shared data

Shared data, isolated execution.

Mount volumes across enclaves. Agents share data without breaking isolation.

Concurrency

Fork, fan-out, converge.

Spawn hundreds of enclaves in parallel. Each isolated. All coordinated.

Developer access

Full access for debugging, oversight, or intervention.

SSH in. Open in VS Code. Drop to a web terminal. Never break autonomy.

Secure shell

SSH into any enclave, instantly.

Ephemeral keys. Auto-rotated. Zero-trust authentication.

Editor

Open in your editor. One click.

Connect VS Code directly to any running enclave. Full IntelliSense, full debugging.

import { Enclave } from "@celeris/sdk";

const agent = await enclave.createAgent({
  policy: "strict"
});

Browser terminal

Full terminal in your browser. No setup.

Zero latency. No SSH client needed. Just open and type.

Enclave definition

Define once. Enforce automatically at the boundary.

This section shows how one policy controls runtime shape, outbound destinations, and credential injection. Choose a policy view, trigger a request, then inspect how the boundary allows or blocks it.

Five parts: runtime, destinations, auth, enforcement, lifecycle.

1. Define policy

Describe allowed egress, auth, and lifecycle.

2. Simulate traffic

Run example requests and see allow or block decisions.

3. Observe boundary

Credentials are injected at the edge, then every action is logged.

Human-readable contract for what the enclave can and cannot do.

enclave.md
This enclave runs as an ephemeral agent sandbox
with a 30-minute TTL.
It can read from the frontend repo and push to
feature branches on the API repo. It may upload
artifacts to S3.
It cannot access internal admin endpoints or use
direct IP egress.
GitHub and AWS credentials are attached at the
boundary only. The runtime never possesses
secrets directly.
All outbound requests are mediated.
Deny by default. Rate limited to 60 req/min.
Audit retained for 90 days.

Request queue

  • Push to GitHub (github.com): allowable
  • Upload to S3 (s3.amazonaws.com): allowable
  • Call admin endpoint (admin.internal): blocked
  • Direct IP egress (192.168.1.1): blocked

Destination matrix

  • github.com: allow
  • s3.amazonaws.com: allow
  • admin.internal: deny
  • direct IP: deny

The moat is not the file. It is the infrastructure that turns this definition into a real, enforceable trust boundary at runtime.

Defines runtime profile
Governs egress at boundary
Attaches scoped auth at edge
Enforces deny-by-default
Audits every outbound action
Instant revocation

One switch. Every connection severed.

Revoke all agent access instantly. Active sessions terminate, credentials invalidate, egress drops to zero. One toggle.

Security model

Full power inside. Total control at the boundary.

Agents get full machine access: read and write files, execute code, install packages. The only thing restricted is what leaves the enclave.

microVM isolation

Hardware-level isolation. Not containers. Not namespaces.

Immutable rootfs

$ sudo apt install
Permission denied

Agents cannot modify the runtime. No privilege escalation.

Network enforcement

Agent → iptables → Proxy

All egress forced through proxy. No bypass path.

Inside the enclave: full machine access

  • File system: Read, write, create, delete. Full workspace control.
  • Code execution: Any language, any runtime. No execution restrictions.
  • Package installation: Dependencies, build tools, system packages.
  • Process management: Spawn processes, run services, background tasks.
  • Local networking: Bind ports, run servers, inter-process communication.

At the boundary: every outbound request controlled

  • Deny by default: All outbound blocked unless explicitly allowed.
  • Zero credential exposure: No secrets inside. Credentials injected per-request.
  • Scoped access: Narrowed to specific services, repos, methods, actions.
  • Exfiltration prevention: Allowlists prevent data extraction to uncontrolled endpoints.
  • Infrastructure enforcement: Policy at the network boundary, not in prompts.

Observability

Every request. Every decision. Every byte.

Real-time monitoring, audit logging, and rate limiting across every enclave.

Audit trail (90d retention)

ALLOW   github.com         0.2s
INJECT  github.com         1.1s
ALLOW   s3.amazonaws.com   2.4s
DENY    webhook.site       3.8s

Why this is different

Isolation is not enough. Mediation is the difference.

Other sandboxes isolate processes. Enclaves mediate every interaction between the agent and the outside world.

Capabilities compared: Process isolation, Outbound mediation, Credential injection, Deny-by-default, Scoped auth, Audit trail, Agent-aware.

Solutions compared:

  • Docker containers
  • Codespaces / Dev boxes
  • VM sandboxes
  • Browser sandboxes
  • Prompt guardrails
  • Celeris Enclaves

Only Celeris provides full egress mediation with scoped credential injection.

For teams

Ship agents your security team will approve.

Why security teams, platform teams, and engineering leaders can all say yes.

Review policy, not agent internals.

Bounded blast radius by design
Full audit trail for compliance
SOC 2 and HIPAA readiness
Security review in minutes, not weeks
Infrastructure enforcement, not prompt trust
Pricing

Pay only for what you use.

Spin up enclaves in milliseconds, shut them down just as fast. No commitments, no minimums.

$100 FREE COMPUTE INCLUDED

  • Compute (vCPU): $0.0480/h
  • Memory (GiB): $0.0120/h
  • Storage (GiB): $0.0001/h (first 5 GiB included free)

Quick estimate

Standard enclave running cost: $0.1455/h (estimated)

Billed per-second with no minimum. Prices may vary by region.

Get started

The trust boundary your agents need.

Let agents act without giving them the keys. Secure execution for the next generation of software.