Secure by default. Built for isolated execution.
DevsHub isolates all execution tasks into dynamic VM environments. Your local credentials and sensitive workspace configs never leave your system.
Ephemeral Sandbox VM Isolation
Every agent execution session runs inside a dynamically provisioned, isolated sandbox VM or container (e.g., standard Docker nodes, AWS EC2, or GCP Compute Engine instances). We apply rigid CPU/memory limits, strict local disk policies, and egress firewall rules that restrict outbound internet access.
Zero Plaintext Secrets Storage
API tokens, database credentials, and other deployment secrets are injected securely on the fly. The supervisor prevents agents from displaying credentials in stdout terminal streams, writing them into git histories, or transmitting them outside the boundary.
Granular VCS Access Control
Control where the agent can navigate using narrow-scope OAuth tokens on GitHub, GitLab, or Bitbucket. Enforce branch protection rules requiring human review before any agent-generated pull request is merged into main code paths.
Human-in-the-Loop Reviews
Agents operate in planning and analysis stages autonomously but halt before applying changes to live environments. You review proposed file changes, command lines, and tool invocations, approving them directly through Slack Connect, Linear, or Git.
Direct Workspace Tunnels
Unlike traditional SaaS tools that clone your repository onto third-party servers, **DevsHub CodeSync** utilizes a direct, encrypted peer-to-peer data transport layer.
Your local code files remain fully encrypted with private keys on your machine. The CLI establishes a direct P2P tunnel to an isolated execution VM (Docker, Local VMs, or AWS/GCP), syncs changes on the fly, and deletes the environment instantly when the session completes.
- No third-party storage or data cloning
- P2P tunnels with AES-GCM-256 encryption
- Runs entirely within your cloud VPC perimeter
Fine-Grained Sandbox Security
Local Secrets Injection
Private SSH keys, cloud profiles, and repository access configurations remain strictly on your local machine. The CodeSync CLI daemon securely accesses them via transient local environment injections.
Encrypted P2P Streaming
All communication between CodeSync CLI and VM Sandboxes is encrypted end-to-end using AES-GCM-256 over secure WebSockets. Workspace assets are ephemeral and cleared on exit.
Shell Guardrails
Configure strict step-by-step execution approval limits. Blacklist dangerous CLI commands, restrict directory traversal, and require interactive prompt verification for privileged actions.