Secure Production-Ready AI Agent
Ag3ntum is a self-hosted AI automation platform — secure, multi-user, and under your control. Deploy on your infrastructure, give your team AI-powered server management through a web browser, with 6 layers of security including OS-enforced user isolation.
The Problem with AI on Servers
AI coding assistants are powerful, but they were designed for developer laptops — not production servers.
Too Risky for Production
General-purpose AI agents give unrestricted shell access. One hallucinated rm -rf / or DROP DATABASE and your server is gone. No sysadmin would run that on production.
Single User, No Team Access
CLI tools require local installation and run as a single user. You can't give your team safe, audited access to AI-assisted server management through a browser.
No Visibility or Audit Trail
When AI agents run commands on your server, you get a chat log at best. No structured audit trail, no drill-down into tool calls, no way to replay what happened. Compliance teams and incident responders are left in the dark.
Why Not Just Use Claude Code on a Server?
Claude Code secures a single developer's workstation. Ag3ntum extends that to multi-tenant server deployments with OS-level user isolation and complete execution transparency.
| Capability | Claude Code / OpenClaw | Ag3ntum |
|---|---|---|
| Designed for | Developer workstation | Multi-tenant server platform |
| Access | CLI terminal only | Web browser from anywhere |
| User isolation | Single user per instance | Per-user UID — OS-enforced by kernel |
| File tool sandboxing | Permission rules (best-effort) | OS-level PathValidator enforcement |
| Destructive command protection | No — can rm -rf /, drop databases | 129 patterns across 18 categories |
| Secret redaction | No | Automatic in all output and file previews |
| Audit trail | JSONL transcripts | Drill-down UI: commands + output + AI reasoning |
| Document processing | Code files only | PDF, Office, Excel, archives, images |
| File workflow | CLI file commands | Visual explorer + drag-and-drop + preview |
| Human-in-the-loop | Immediate CLI prompt | Async — answer hours/days later via web |
| REST API | Headless mode only | Full API with real-time SSE streaming |
| Safe for production | Not designed for it | Purpose-built for it |
Platform Capabilities
Everything an ops engineer does, automated with AI reasoning and defense-in-depth safety guarantees.
6-Layer Security Sandbox
Docker isolation, Bubblewrap sandboxing, per-user UID dropping with seccomp profiles, PathValidator, 129 command filter patterns, and automatic secrets redaction. Root access is impossible — enforced by the OS, not prompts.
Multi-Tenant User Isolation
Each user runs under their own Linux UID with isolated workspace, home directory, Python venv, and sandboxed environment variables. User A cannot access User B's data — enforced by the kernel.
Document Processing
Process business documents, not just code: PDF with auto-OCR, Office formats (DOCX/XLSX/PPTX), CSV/Parquet, ZIP/TAR archives, images, and audio. Drag in an invoice, get structured data out.
Visual File Workflow
Side-by-side chat and file explorer. Drag-and-drop upload, real-time file tree updates, click-to-preview with syntax highlighting, one-click download. No CLI knowledge needed.
11 Secure MCP Tools
Purpose-built tools replace all native Claude Code tools. Every operation — Bash, Read, Write, Edit, Glob, Grep, WebFetch — goes through security-enforced custom tools. No bypasses possible.
Async Human-in-the-Loop
Agent pauses for human approval on critical operations. Answer via web UI hours or days later — the session resumes automatically with your answer in context. Controlled automation without blocking.
Full Execution Transparency
Drill-down into every tool call, command, output, and subagent decision. Tree-view of parallel subagents with real-time status. Complete audit trail for compliance. No black box.
SSH Key Vault
Securely store SSH keys for multiple servers. 5-tier privilege model (L0 read-only through L4 full access) controls what the agent can do on each machine. Connect to remote servers safely.
Persistent Sessions
Sessions survive server restarts. Checkpoint system with rewind. Resume after disconnection. Concurrent subagents with tree-view monitoring. Task queue with fair scheduling and auto-resume.
6-Layer Security Sandbox
Defense-in-depth with OS-enforced isolation. Even if one layer fails, the others contain the damage. This is what makes Ag3ntum safe for production servers.
Docker Container
Host filesystem boundary. Source code mounted read-only. The agent cannot modify application code at runtime.
Bubblewrap + UID Isolation
Per-user UID dropping (50000–60000 range). Seccomp profiles block privilege escalation at kernel level. Root access is impossible.
PathValidator
OS-enforced workspace boundary for all file operations. Read-only mounts enforced at filesystem level, not just prompts.
Command Security Filter
129 dangerous patterns across 18 categories: rm -rf, privilege escalation, container escape, data exfiltration. Blocked before execution.
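As an added illustration of how a category-based command filter works (not Ag3ntum's CommandSecurityFilter, and not its 129 patterns; the rule set below is a constructed handful), the following Python checks the whole command line and then each chained segment separately, so a dangerous command cannot hide behind a harmless prefix such as `cd /tmp &&`:

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    category: str
    pattern: re.Pattern


# Constructed illustrative rules grouped by category. The product's own 129 patterns
# across 18 categories are not reproduced here; this shows only the mechanism.
RULES: list[Rule] = [
    Rule("destructive_fs", re.compile(r"\brm\s+(-[a-zA-Z-]+\s+)+(/\*?|~/?|\*)(\s|$)")),
    Rule("destructive_fs", re.compile(r"\bmkfs(\.\w+)?\b")),
    Rule("destructive_fs", re.compile(r"\bdd\b.*\bof=/dev/")),
    Rule("database", re.compile(r"\bDROP\s+(DATABASE|TABLE)\b", re.IGNORECASE)),
    Rule("privilege_escalation", re.compile(r"^\s*(sudo|su|doas)(\s|$)")),
    Rule("container_escape", re.compile(r"/var/run/docker\.sock|\bnsenter\b")),
    Rule("remote_code", re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z|da)?sh\b")),
]

# Shell operators that chain commands. Each piece is checked on its own so that
# "cd /tmp && rm -rf /" is caught even though the line does not start with rm.
_SPLIT = re.compile(r"\s*(?:&&|\|\||;|\n)\s*")


def _segments(command: str):
    for seg in _SPLIT.split(command):
        if seg.strip():
            yield seg


def check_command(command: str):
    """Return (category, pattern) of the first rule hit, or None if the command is allowed."""
    for seg in [command, *_segments(command)]:
        for rule in RULES:
            if rule.pattern.search(seg):
                return rule.category, rule.pattern.pattern
    return None


def is_allowed(command: str) -> bool:
    return check_command(command) is None


if __name__ == "__main__":
    # Constructed sample commands an agent might emit.
    for cmd in ["ls -la /var/www", "cd /tmp && rm -rf /", "sudo systemctl restart nginx"]:
        print(f"{cmd!r}: {check_command(cmd) or 'allowed'}")
```

Two design points worth noting: the filter returns the category rather than a bare boolean so the audit trail can record why a command was blocked, and the `rm` rule deliberately matches only the filesystem root, the home directory and bare wildcards, because blocking every `rm -rf` would make ordinary build-cleanup commands unusable.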
Security Middleware
HTTP security headers, CSP, WAF rules. Automatic secrets scanning detects API keys, tokens, and passwords — redacted in file previews and logs.
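The secrets-redaction step can be shown with a small Python redactor, added here as an example (not the product's scanner; the four detector patterns and the masking format are constructed). It masks each finding while keeping a short tail so an operator can still tell which credential appeared, and reports what it found so the event can be logged without the secret itself:

```python
import re

# Constructed detector patterns, illustrative only. The named group "secret"
# marks the part of each match that is replaced.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"(?P<secret>\bAKIA[0-9A-Z]{16}\b)")),
    ("bearer_token", re.compile(r"bearer\s+(?P<secret>[A-Za-z0-9._~+/=-]{20,})", re.I)),
    ("generic_assignment", re.compile(
        r"\b(api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['\"]?(?P<secret>[^\s'\"]{8,})", re.I)),
    ("private_key_block", re.compile(
        r"(?P<secret>-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----)", re.S)),
]


def _mask(name: str, secret: str) -> str:
    # A private key has no meaningful tail; for everything else keep the last
    # four characters so the redacted output is still recognisable in a review.
    if name == "private_key_block":
        return "[REDACTED:private-key]"
    return f"[REDACTED:...{secret[-4:]}]"


def redact(text: str):
    """Return (redacted_text, findings); findings is a list of (pattern_name, masked_value)."""
    findings = []
    for name, rx in PATTERNS:
        def _sub(m, name=name):
            masked = _mask(name, m.group("secret"))
            findings.append((name, masked))
            # Keep everything in the match except the secret group itself.
            return (m.string[m.start():m.start("secret")]
                    + masked
                    + m.string[m.end("secret"):m.end()])
        text = rx.sub(_sub, text)
    return text, findings


# Constructed sample log lines, as a file preview or tool output might contain.
SAMPLE = (
    "2024-05-01T10:00:00Z INFO config loaded api_key=sk_live_abcdef1234567890XYZ\n"
    "2024-05-01T10:00:01Z DEBUG Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abcdefghijklmnop\n"
    "2024-05-01T10:00:02Z INFO aws id AKIAIOSFODNN7EXAMPLE used by backup job\n"
    "2024-05-01T10:00:03Z INFO disk usage 73%\n"
)

if __name__ == "__main__":
    out, found = redact(SAMPLE)
    print(out)
    print(found)
```

Running the redactor on every preview and log line before it reaches the browser is the cheap part; the pattern list is what needs ongoing care, since any credential format it does not know will pass through unmasked.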
Prompt Guardrails
LLM-level behavioral guidance. Security prompts are not overridable. Combined with OS enforcement, this provides defense-in-depth from AI to kernel.
What Teams Use It For
From server management to document processing — 50+ use cases across five categories. Here are the most common.
WordPress & CMS Management
Diagnose white screens, fix plugin conflicts, optimize database tables, update PHP versions, restore from backups, resolve permission issues, and recover hacked sites.
VPS Server Management
Configure nginx/Apache, manage SSL certificates, set up cron jobs, monitor disk usage, optimize MySQL/PostgreSQL, manage firewall rules, and keep servers updated.
Security Audits & Hardening
Run security checks, harden SSH, configure firewalls and fail2ban, scan for vulnerabilities, review access logs for suspicious activity, and audit user accounts and permissions.
Invoice & Document Processing
Drag PDF invoices into the browser — extract vendor, amounts, dates, line items. Process contracts, expense reports, Excel data. Output structured CSV or reports.
Website Recovery & Fixing
Diagnose 502/503 errors, fix broken redirects, recover from compromises, restore databases, troubleshoot DNS and SSL issues, analyze error logs, get sites back online fast.
Log Analysis & Monitoring
AI-powered analysis of system, access, and error logs. Detect anomalies, identify root causes, aggregate errors from multiple sources, generate actionable reports.
Tech Stack
Built with modern, production-grade technologies. Open source under AGPL-3.0.
| Component | Technology |
|---|---|
| AI Engine | Claude by Anthropic (Claude Agent SDK) |
| Backend | Python 3.13, FastAPI, SQLAlchemy, Alembic |
| Frontend | React 19, TypeScript, Vite, xterm.js |
| Database | PostgreSQL 17 with pgvector |
| Streaming | SSE over HTTP, Redis Streams (~1ms latency) |
| Sandbox | Docker, Bubblewrap, seccomp, per-user UID/GID |
| Security | bcrypt API keys, CIDR access control, HMAC-SHA256 webhooks, WAF |
| Deployment | Docker Compose, nginx reverse proxy |
| License | AGPL-3.0 (commercial license available) |
Frequently Asked Questions
What is Ag3ntum?
Ag3ntum is a self-hosted AI automation platform that transforms Claude Code into a secure, multi-tenant server agent. It runs every operation inside a 6-layer security sandbox with OS-enforced user isolation. Your team gets AI-powered server management, document processing, and workflow automation through a web browser — deploy on your infrastructure with Docker Compose in 15 minutes.
How is it different from Claude Code or OpenClaw?
Claude Code secures a single developer's workstation. Ag3ntum extends that to multi-tenant server deployments with OS-level user isolation (per-user UID enforced by the kernel), a full REST API, web UI with visual file explorer, drill-down execution transparency, document processing (PDF, Office, archives), and async human-in-the-loop approval. File tool restrictions are OS-enforced via PathValidator, not "best-effort." Native Claude Code tools are completely blocked — all operations go through 11 security-enforced custom MCP tools.
Is it safe for production servers?
Yes — Ag3ntum is purpose-built for production. The CommandSecurityFilter blocks 129 dangerous patterns across 18 categories before execution. Each user runs under their own Linux UID with seccomp profiles blocking privilege escalation at kernel level. Root access is impossible. Secrets are automatically redacted. Every action is audit-logged. Multi-tenant hosting providers use it to manage hundreds of client servers.
What file formats can it process?
PDF with auto-OCR for scanned pages, Office documents (DOCX, XLSX, PPTX), CSV/TSV, Excel, Parquet, ZIP/TAR/7z archives (with zip bomb protection), images (with EXIF metadata), and audio files. Drag files into the browser, ask the AI to process them, watch results appear in the file explorer.
Is my data safe?
Fully self-hosted — your data never leaves your infrastructure. The only external connection is to the Anthropic API for AI reasoning. API keys are stored locally with bcrypt hashing and CIDR-based access control. File previews automatically redact secrets (API keys, tokens, passwords). Read-only mounts are enforced at the OS level (Docker :ro flag), not just by prompts.
Does it support multi-user teams?
Yes. JWT authentication, per-user home directory and Python venv, isolated workspaces, sandboxed per-user environment variables, and session history per user. User A cannot access User B's data even if the sandbox is compromised — isolation enforced by the Linux kernel. Supports reseller/multi-tenant hierarchy for hosting providers.
How do I install it?
15 minutes with Docker Compose. Requirements: Docker with Compose v2, a Claude API key, and a Linux host (Ubuntu 22.04+ recommended). Clone the repo, run docker compose up -d, and open the web UI on port 50080 in your browser. See the Quick Start Guide for full instructions.