Security
Threat Model
Security threat model for the Chelar multi-tenant platform.
Attack Surface
The primary threats for a multi-tenant AI hosting platform:
- Tenant escape — one tenant accessing another's data or container
- Prompt injection — AI tricked into executing unintended actions
- Container breakout — escaping Docker isolation to host
- Data exfiltration — leaking AI provider keys or chat data
- Resource exhaustion — one tenant consuming all server resources
Mitigations
Tenant Isolation
- Docker network isolation per container (no inter-container networking)
- Per-tenant UID + POSIX permissions on JuiceFS directories
- AES-256-GCM client-side encryption for data at rest
- Nomad resource limits (memory, CPU)
Prompt Injection Defense
- ZeroClaw: Landlock sandbox, tool exclusions, content wrapping
- OpenClaw: exec deny, elevated disabled, dangerous commands blocked via config
- Tracking: GitHub issue #44
Container Hardening
See Container Hardening for details.
Full Details
The comprehensive security document is at SECURITY_HARDENING.md in the repo root. GitHub issues tracking security work: #39, #41, #42, #43, #44.