HELLCAT

Security Architecture

Defense-in-depth security across all platform layers

Authentication

User Authentication

  • • JWT tokens for session management
  • • API keys with scoped permissions
  • • Automatic token rotation (24 hours)
  • • Refresh tokens for long-lived sessions

User credentials stored in ~/.hellcat/config.json

Admin Authentication

  • • Static admin secret for initial auth
  • • Long-lived refresh tokens (30 days)
  • • Luther CLI for admin operations

Admin credentials stored in ~/.luther/config.json

System Authentication

Deployment credentials in ~/.hellcatenv:

export GOOGLE_APPLICATION_CREDENTIALS="path/to/service-account-key.json"
export GCP_PROJECT="hellcat-ai-prod"

Authorization

RBAC

  • User: Workflow and job execution
  • Admin: Full platform access (Luther CLI)
  • Controller: Internal service-to-service auth

API Key Scopes

  • workflows:read - Read workflows
  • workflows:write - Create/update workflows
  • jobs:execute - Execute jobs
  • billing:read - View credits and transactions

Network Security

  • • Private GKE cluster
  • • Cloud SQL private IP
  • • Memorystore (Redis) private IP
  • • No public database access
  • • Google Cloud Load Balancer with DDoS protection
  • • SSL/TLS termination (minimum TLS 1.2)

Data Security

Encryption at Rest

  • • Cloud SQL encrypted storage
  • • Kubernetes secrets encrypted with KMS
  • • Artifact Registry encrypted images

Encryption in Transit

  • • TLS everywhere (minimum TLS 1.2)
  • • mTLS for service-to-service communication
  • • Encrypted database connections (sslmode=require)

Runtime Security

WASM Sandboxing

HellScript modules run in WASM sandbox with:

  • • Memory limits
  • • CPU limits
  • • No network access (except via stdlib)
  • • No file system access
  • • Fuel metering

Browser Isolation

Each job runs in isolated pod:

  • • Separate browser instance
  • • Cleared cache/cookies
  • • Proxy rotation
  • • Auto-cleanup after execution

Rate Limiting

  • Authenticated: 100 requests/minute
  • Unauthenticated: 10 requests/minute
  • Per-IP: 1000 requests/hour
  • • DDoS protection via Cloud Armor

Best Practices

For Users

  • • Store CLI token securely (~/.hellcat/config.json)
  • • Use API keys with minimal scopes
  • • Rotate API keys regularly
  • • Never commit tokens to git
  • • Use hellcat logout when done

For Admins

  • • Protect admin static secret
  • • Store refresh token securely (~/.luther/config.json)
  • • Use luther logout when done
  • • Monitor audit logs regularly
  • • Rotate service account keys

For Deployment

  • • Load credentials from ~/.hellcatenv
  • • Use Workload Identity in GKE
  • • Keep secrets in Kubernetes Secrets
  • • Use KMS for secret encryption
  • • Restrict secret file permissions (chmod 600)

🔒 Defense in Depth

Hellcat implements multiple layers of security controls across authentication, authorization, network security, data encryption, and runtime sandboxing. Use the appropriate config files for your role: ~/.hellcat (users), ~/.luther (admins), ~/.hellcatenv (deployment).

← Kubernetes DeploymentBack to Documentation →