How to Secure AI Agents on Fly.io
SafeClaw by Authensor enforces deny-by-default action gating for AI agents deployed on Fly.io. Every file access, shell command, and network request your agent attempts is checked against a YAML policy before it executes. SafeClaw works with Claude, OpenAI, and all supported providers. Install with npx @authensor/safeclaw and deploy a safely gated agent to Fly.io's global edge infrastructure.
Prerequisites
- A Fly.io account with flyctl installed
- Node.js 18+ in your Docker image
- An AI agent codebase
Step 1 — Install SafeClaw
npx @authensor/safeclaw
Generates safeclaw.config.yaml with a deny-by-default policy. Zero dependencies, MIT-licensed, 446 tests.
Step 2 — Define a Fly.io-Specific Policy
version: 1
defaultAction: deny
rules:
  - action: "file:read"
    path: "/app/**"
    effect: allow
  - action: "file:write"
    path: "/tmp/**"
    effect: allow
  - action: "file:write"
    path: "/data/**"
    effect: allow
    reason: "Persistent Volume mount point"
  - action: "network:request"
    host: "api.openai.com"
    effect: allow
  - action: "network:request"
    host: "api.anthropic.com"
    effect: allow
  - action: "network:request"
    host: "*.internal"
    effect: allow
    reason: "Fly.io private networking (6PN)"
  - action: "network:request"
    host: "169.254.169.254"
    effect: deny
    reason: "Block instance metadata access"
  - action: "env:read"
    key: "FLY_API_TOKEN"
    effect: deny
  - action: "shell:execute"
    effect: deny
Step 3 — Write the Dockerfile
FROM node:20-slim
WORKDIR /app
COPY package*.json ./
RUN npm ci --production
COPY . .
RUN npx @authensor/safeclaw
EXPOSE 8080
CMD ["node", "agent.js"]
Step 4 — Configure fly.toml
app = "ai-agent"
primary_region = "iad"
[build]
dockerfile = "Dockerfile"
[http_service]
internal_port = 8080
force_https = true
auto_stop_machines = true
auto_start_machines = true
[env]
SAFECLAW_AUDIT_SINK = "stdout"
[[vm]]
cpu_kind = "shared"
cpus = 1
memory_mb = 512
Step 5 — Deploy
fly deploy
Fly.io builds the Docker image, starts a Machine, and routes traffic to it. SafeClaw runs inside the Machine and gates every agent action.
Step 6 — Persist Audit Logs with Volumes
Fly Machines are ephemeral by default. To persist SafeClaw's hash-chained audit log across restarts, create a Volume:
fly volumes create agent_data --region iad --size 1
Mount it in fly.toml:
[mounts]
source = "agent_data"
destination = "/data"
Configure SafeClaw to write the audit trail to the volume:
audit:
  sink: file
  path: "/data/audit.log"
  format: json
Step 7 — Use Fly.io Private Networking
Fly.io's 6PN private networking lets your services communicate over WireGuard using .internal hostnames. The policy above allows *.internal traffic (plus the two model-provider hosts) while denying every other destination by default. This means your agent can call internal APIs but cannot exfiltrate data to arbitrary hosts on the public internet.
To further restrict which internal services the agent can reach:
rules:
  - action: "network:request"
    host: "database.internal"
    effect: allow
  - action: "network:request"
    host: "*.internal"
    effect: deny
    reason: "Only database access allowed"
Step 8 — Multi-Region Safety
Fly.io runs Machines in multiple regions. SafeClaw's policy is bundled in the Docker image, so it is identical across all regions. The audit trail is per-Machine; to see it across Machines, tail the app's logs:
fly logs --app ai-agent
Or set up a centralized log drain to ship stdout to your SIEM for aggregation.
Verify the Deployment
fly ssh console -C "npx @authensor/safeclaw audit verify --last 50"
This verifies the hash chain integrity of the audit log on the running Machine.