FlareCode

Security model

Where your code runs, how it's isolated, and what we never touch.

The short version: your workspace is encrypted and private, agents are isolated, network egress is allowlisted, and we never train on your code. Here's the detail.

Workspace lifecycle

  1. Agent starts. A sandbox boots and either clones your repo or scaffolds a new project at /workspace.
  2. Agent works. Edits, test runs, and intermediate state live on the sandbox's local disk.
  3. Idle pause. When you stop using it, the agent's /workspace is snapshotted — encrypted — to private storage and the container sleeps to save you money. Active agents are checkpointed periodically too.
  4. Resume. Your next request restores the workspace exactly as you left it, even after a restart or eviction — including a project you started from scratch and haven't pushed to GitHub.
  5. Destroy. When you destroy the agent, the sandbox is torn down and its workspace snapshots are deleted from our storage.

Your code is durably backed up so you never lose work — and it's encrypted, private, and never used for training. GitHub stays your source of truth; publish whenever you're ready.

Isolation

  • One sandbox per agent. No shared state across agents or across customers.
  • Agents can't see each other. A sandbox has no access to another agent's files or workspace.
  • The control plane never runs your code. Your code only ever executes inside the isolated sandbox, never in the systems that manage agents.

Network egress

Each sandbox sits behind an allowlist-based egress proxy. The agent can reach:

  • package registries (npm, pnpm, yarn, pypi, crates.io, rubygems, Go proxy) to install dependencies,
  • github.com and api.github.com to clone, push, and open PRs,
  • the inference provider you selected (Anthropic, OpenAI, Google, OpenRouter, or a custom OpenAI-compatible endpoint).

It cannot reach arbitrary internet hosts, your internal services, or your databases. If a task needs an outbound call to a custom domain, the agent fails loudly rather than silently bypassing the allowlist.
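As an added illustration (not FlareCode's own code), a default-deny egress check of the kind described above: exact host matching, with a raised error instead of a fallback when the destination is not listed. github.com and api.github.com come from this page; the registry hostnames, the https-on-443 restriction, and the names check_egress and EgressDenied are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# github.com and api.github.com are named on the page; the registry
# hostnames below are assumptions chosen for this example.
ALLOWED_HOSTS = frozenset({
    "github.com", "api.github.com",
    "registry.npmjs.org", "pypi.org", "crates.io",
})


class EgressDenied(Exception):
    """Raised for any destination the allowlist does not name."""


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_egress(url):
    """Return the normalized host if allowed, else raise EgressDenied."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError as exc:
        # Malformed authority or port: deny instead of guessing.
        raise EgressDenied(f"unparseable URL: {exc}") from exc
    if parts.scheme != "https" or port not in (None, 443):
        raise EgressDenied(f"only https on port 443 is allowed: {url!r}")
    if not host:
        raise EgressDenied(f"no host in {url!r}")
    host = host.rstrip(".")  # "github.com." and "github.com" are the same name
    if _is_ip_literal(host):
        # A name-based policy cannot vouch for a raw address.
        raise EgressDenied(f"IP literal not allowed: {host}")
    # Exact match only: suffix or substring matching would admit
    # look-alike names such as github.com.other.example.
    if host not in ALLOWED_HOSTS:
        raise EgressDenied(f"{host} is not on the allowlist")
    return host
```

The host is taken from the parsed authority, so userinfo tricks such as github.com@other.example resolve to the real destination before the lookup.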

Secret handling

Secrets your tests need (database URLs, third-party keys for integration tests) are injected at request time through the egress proxy. They are never written to the agent's process environment, never visible in the agent's reasoning, never logged, and never retained after the task ends. Customer-side .env files are not read into the model's context.

What we never do

  • We do not train models on your code. Full stop.
  • We do not read your repo for any purpose other than the task you submitted.
  • We do not aggregate cross-customer telemetry on code content. We count tasks and tokens for billing, and that's it.
  • We do not share your code with subprocessors beyond the inference provider you chose — and only the diffs the agent is actively reasoning over.

Vulnerability disclosure

Found a security issue? Email security@flarecode.sh with details and a repro. We respond within 48 hours. A public bug bounty kicks in at paid GA.
