Password Protection
- All HTTP routes show a login page instead of the UI
- WebSocket connections are rejected without valid auth cookie
- /health endpoint remains open (for load balancers)
- Cookie: HttpOnly, SameSite=Strict, 24-hour expiry
- Token is SHA-256 hash (password never stored in cookie)
- GITAGENT_USERNAME sets the login username (defaults to “admin”)
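The access rules above, modelled as an added example that is not GitAgent's own code: a request-classification function that keeps /health open, sends unauthenticated HTTP requests to the login page, rejects unauthenticated WebSocket connections, and builds the cookie with the listed attributes. The cookie name gitagent_auth and the Secure attribute are assumptions, not taken from this page.

```python
import hashlib
import hmac
from http.cookies import CookieError, SimpleCookie

COOKIE_NAME = "gitagent_auth"    # assumed name; the page does not give it
COOKIE_MAX_AGE = 24 * 60 * 60    # 24-hour expiry, as stated on the page
OPEN_PATHS = {"/health"}         # stays reachable for load balancers


def password_token(password: str) -> str:
    """SHA-256 hex digest of the configured password.

    This digest, never the password itself, is what the cookie carries.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def set_cookie_header(token: str) -> str:
    """Set-Cookie value: HttpOnly, SameSite=Strict, 24h expiry.

    Secure is added here because the page recommends HTTPS in production;
    it is not one of the attributes the page lists.
    """
    return (f"{COOKIE_NAME}={token}; Max-Age={COOKIE_MAX_AGE}; Path=/; "
            "HttpOnly; SameSite=Strict; Secure")


def decide(path: str, cookie_header: str, expected_token: str,
           websocket: bool = False) -> str:
    """Classify a request as 'allow', 'login' (HTTP gets the login page)
    or 'reject' (WebSocket connection closed)."""
    if path in OPEN_PATHS and not websocket:
        return "allow"
    cookies = SimpleCookie()
    try:
        cookies.load(cookie_header or "")
    except CookieError:
        cookies = SimpleCookie()   # malformed header counts as no cookie
    morsel = cookies.get(COOKIE_NAME)
    presented = morsel.value if morsel else ""
    # Constant-time comparison so the token does not leak via timing.
    if presented and hmac.compare_digest(presented, expected_token):
        return "allow"
    return "reject" if websocket else "login"
```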
Best Practices
| Practice | Detail |
|---|---|
| Use HTTPS in production | Via nginx, Caddy, or Cloudflare Tunnel |
| Set GITAGENT_PASSWORD | When exposing to a network |
| Use --sandbox for untrusted code | Runs the agent in an isolated E2B cloud VM |
| Enable audit logging | For compliance and incident review |
HTTPS Setup
nginx reverse proxy
E2B Cloud Sandbox
Run the agent in an isolated E2B cloud VM via the --sandbox flag.
- Cloud VM isolation — Agent runs inside an E2B cloud sandbox — fully isolated from your local machine.
- Filesystem isolation — The sandbox has its own filesystem. Your host files are not accessible unless explicitly mounted.
- Remote repo support — Use --sandbox-repo to clone a repository directly into the sandbox environment.
- API token required — Set E2B_API_KEY in your environment; the E2B SDK reads it directly. --sandbox-token is a Git token used to clone the repository (falls back to GITHUB_TOKEN / GIT_TOKEN).