Enterprise

A sandbox fleet your auditors will actually like.

Hundreds of agents running untrusted code is either a governance story or an incident report. Shells gives you the first one: tenant-scoped fleets, entitlement-gated automation, and an activity history built for the post-mortem you hopefully never write.

Keystone SSO / OIDC

Your identity provider fronts the console through Keystone Auth v4. Sessions, roles, and offboarding follow your directory — not a second user database.

Tenancy that holds

Every list, action, and credential mint is scoped to your tenant at the IAM layer. There is no cross-tenant query to misconfigure, because none exists.

Per-agent entitlements

Grant shells.agent.invoke to exactly the agents that need it. Each invocation still clears the underlying instance permission — entitlement plus permission, never either alone.

Audit-grade activity history

Every lifecycle action — human or agent — lands in the activity terminal with a timestamp and actor. Credential mints are recorded as events; the material itself is never stored.

Approval gates

Put stop and wipe_state behind typed confirmation for everyone, or behind named approvers for production tenants. Destructive intent becomes a recorded decision.

Dedicated regions & capacity

Pin shells to specific regions for data placement, or reserve dedicated capacity so a noisy quarter never queues your fleet.

One fleet, many teams

Tenancy is the unit of trust.

Departments, products, and agent swarms each get their own tenant boundary in Keystone IAM. The fleet table you see is the fleet you own — provable from the permission model, not from promises.

Shells console fleet view — every row tenant-scoped

Governance

Control surfaces, not control theater.

Three places enterprises usually get burned by sandbox products — and how each one is bounded here.

Spend

Per-second metering flows through Garden v4 with per-project caps. Finance sees seconds and rates, not a surprise.

Scope

The console's OAuth scope set is enumerated and product-shaped — no admin scopes, no wildcards. The security page lists every one.

Blast radius

Isolation class is chosen per shell. Untrusted agent code goes in a microVM; a quick eval goes in wasm. Policy can pin the floor per org.

keystone — agent invocation check
→ POST /api/agent/invoke shells_action { capability: "wipe_state" }
entitlement shells.agent.invoke · org: acme-research
permission shells:instances:control · instance: sh-4f2a
approval gate: destructive · approver: on-call SRE
executed · recorded in activity history
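
The gate order in the trace above, written out as an added example; this is a model of the described checks, not Shells or Keystone code. The Invocation shape, the agent names, the second instance id, and the choice to record denied attempts are assumptions made for the illustration.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

ENTITLEMENT = "shells.agent.invoke"
PERMISSION = "shells:instances:control"
DESTRUCTIVE = {"stop", "wipe_state"}  # capabilities the page places behind approval gates

@dataclass(frozen=True)
class Invocation:  # hypothetical request shape, constructed for this example
    actor: str
    actor_tenant: str
    instance: str
    instance_tenant: str
    capability: str
    approver: Optional[str] = None

def authorize(inv, entitlements, permissions, approvers, history):
    """Evaluate the gates in order and record the decision with timestamp and actor."""
    if inv.actor_tenant != inv.instance_tenant:
        outcome = "denied: instance is outside the caller's tenant"
    elif (inv.actor, ENTITLEMENT) not in entitlements:
        outcome = "denied: missing entitlement"
    elif (inv.actor, PERMISSION, inv.instance) not in permissions:
        outcome = "denied: missing instance permission"
    elif inv.capability in DESTRUCTIVE and inv.approver not in approvers:
        outcome = "denied: destructive action needs a named approver"
    else:
        outcome = "executed"
    # Assumption: denied attempts are recorded too, so the history shows intent.
    stamp = datetime.now(timezone.utc).isoformat()
    history.append({"ts": stamp, "outcome": outcome, **asdict(inv)})
    return outcome == "executed"

def demo():
    """Constructed sample data; org, instance and approver reuse the trace above."""
    ents = {("agent-7", ENTITLEMENT)}
    perms = {("agent-7", PERMISSION, "sh-4f2a"), ("agent-8", PERMISSION, "sh-4f2a")}
    approvers, history, org = {"on-call SRE"}, [], "acme-research"
    cases = [
        Invocation("agent-7", org, "sh-4f2a", org, "wipe_state", "on-call SRE"),
        Invocation("agent-7", org, "sh-4f2a", org, "wipe_state"),      # no approver
        Invocation("agent-7", org, "sh-9c1d", org, "stop", "on-call SRE"),  # entitlement only
        Invocation("agent-8", org, "sh-4f2a", org, "stop", "on-call SRE"),  # permission only
        Invocation("agent-7", org, "sh-4f2a", "other-org", "stop", "on-call SRE"),
    ]
    return [authorize(c, ents, perms, approvers, history) for c in cases], history
```

Only the first case executes: dropping the approver, the instance permission, the entitlement, or the tenant match each produces a recorded denial.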

Scale

From two shells to a swarm.

The same create call that spins up a scratch sandbox provisions a thousand-agent CI fleet — per-second metered, region-pinned, and torn down to zero when the job ends. Capacity is an Omega scheduling problem, not a procurement cycle.

  • Unlimited concurrent shells on Enterprise plans
  • Custom isolation policy — set the minimum runtime class per org
  • Custom credential TTLs for term sessions
  • Dedicated support engineer with a real pager

Talk to an engineer, not a deck.

Enterprise conversations start with your threat model and your agent fleet — pricing comes after the architecture fits.