Zero-Knowledge Workflows

Every cloud provider makes the same promise: “Your data is secure.” Then they read your data to train AI models, hand it to governments without telling you, or suffer breaches that expose millions of records. The promise is structurally impossible to keep because their architecture requires them to have access to your data in order to serve it.

Hoody’s architecture is different. Not because we are more trustworthy — because the system does not require trust.

You rent bare metal servers. Physical machines. Not virtual instances on shared hardware. Not containers on someone else’s hypervisor. Actual hardware where you control the disk, the memory, the network, and the encryption keys. Your containers run on hardware you control. We cannot read your data because we do not have access to the hardware it lives on.

This is not a privacy feature. It is the architecture.

What Zero-Knowledge Means in Hoody

Zero-knowledge means the platform operator (Hoody) cannot access your data even if compelled to do so. Here is how:

Layer	Traditional Cloud	Hoody
Hardware	Shared with other tenants	Dedicated bare metal you control
Hypervisor	Provider-controlled	None — containers run on your hardware
Disk encryption	Provider holds the keys	You hold the keys
Network	Provider can inspect traffic	Encrypted within your server
Backups	Provider can read snapshots	Snapshots live on your disk
AI training	Your data may be used	Your data never leaves your hardware

The fundamental difference: in traditional cloud, the provider is in the trust chain. In Hoody, the provider is not. Your server is a physical machine. Your containers are processes on that machine. Your data is bytes on that disk. Hoody manages the orchestration layer — container creation, proxy routing, service coordination — but your actual data stays on hardware you control.

Encrypted Filesystems

hoody-files supports encrypted storage through the crypt backend. Files are encrypted before they hit the disk and decrypted on read. The encryption key never leaves your container.

# Configure encrypted storage backend
hoody files backends connect crypt \
  --remote "/secure-data" \
  --password "$ENCRYPTION_KEY"

# Write a file to encrypted storage
hoody files put secrets/api-keys.json \
  --backend "encrypted-vault"

# Read it back -- transparently decrypted
hoody files get secrets/api-keys.json \
  --backend "encrypted-vault"

import { HoodyClient } from '@hoody-ai/hoody-sdk';

const client = new HoodyClient({ baseURL: 'https://api.hoody.icu', token: process.env.HOODY_TOKEN });

const containerClient = await client.withContainer({
  id: CONTAINER_ID,
  project_id: PROJECT_ID,
  server: SERVER,
});

// Configure encrypted backend
const vault = await containerClient.files.backends.connectCrypt({
  remote: '/secure-data',
  password: process.env.ENCRYPTION_KEY,
});

// Write encrypted file -- reference the backend by its returned id
const payload = JSON.stringify({ stripe: 'sk_live_...', github: 'ghp_...' });
await containerClient.files.put('secrets/api-keys.json', new Blob([payload]), {
  backend: vault.data.id,
});

// Read transparently decrypted
const secrets = await containerClient.files.get('secrets/api-keys.json', {
  backend: vault.data.id,
});

# Configure encrypted backend -- returns { data: { id, ... } }; use data.id for subsequent calls
curl -X POST "https://$PROJECT_ID-$CONTAINER_ID-files-1.$SERVER.containers.hoody.icu/api/v1/backends/crypt" \
  -H "Content-Type: application/json" \
  -d '{
    "remote": "/secure-data",
    "password": "'$ENCRYPTION_KEY'"
  }'

# Write to encrypted storage. The request body IS the file content; the
# backend is selected via the ?backend= query parameter (replace $BACKEND_ID
# with the id returned above).
curl -X PUT "https://$PROJECT_ID-$CONTAINER_ID-files-1.$SERVER.containers.hoody.icu/api/v1/files/secrets/api-keys.json?backend=$BACKEND_ID" \
  -H "Content-Type: application/json" \
  -d '{"stripe": "sk_live_...", "github": "ghp_..."}'

# Read from encrypted storage (transparently decrypted)
curl "https://$PROJECT_ID-$CONTAINER_ID-files-1.$SERVER.containers.hoody.icu/api/v1/files/secrets/api-keys.json?backend=$BACKEND_ID"

What happens on disk: The file secrets/api-keys.json is stored as encrypted bytes. If someone physically extracts the disk, they get ciphertext. If someone gains shell access without the encryption key, they get ciphertext. The file is only readable through the hoody-files service with the correct key.

Vault Secrets Management

For secrets that need to be available to applications without storing them in plaintext files, use hoody-sqlite’s KV store as a secrets vault:

# Store secrets in the KV store (--db is required; --create-db-if-missing on first use)
hoody kv set "vault:stripe_key" --db /hoody/databases/app.db --create-db-if-missing \
  --body '"sk_live_abc123..."'

hoody kv set "vault:database_url" --db /hoody/databases/app.db \
  --body '"postgres://user:pass@host:5432/db"'

hoody kv set "vault:jwt_secret" --db /hoody/databases/app.db \
  --body '"your-256-bit-secret"'

# Retrieve secrets programmatically
hoody kv get "vault:stripe_key" --db /hoody/databases/app.db

import { HoodyClient } from '@hoody-ai/hoody-sdk';

const client = new HoodyClient({ baseURL: 'https://api.hoody.icu', token: process.env.HOODY_TOKEN });

const containerClient = await client.withContainer({
  id: CONTAINER_ID,
  project_id: PROJECT_ID,
  server: SERVER,
});

// Store secrets. The value is the raw string; `db` is required.
const kvOpts = { db: '/hoody/databases/app.db', create_db_if_missing: true };
await containerClient.sqlite.kvStore.set('vault:stripe_key', 'sk_live_abc123...', kvOpts);

await containerClient.sqlite.kvStore.set('vault:jwt_secret', 'your-256-bit-secret', kvOpts);

// Retrieve in your application
const stripeKey = await containerClient.sqlite.kvStore.get('vault:stripe_key', { db: '/hoody/databases/app.db' });

# Store a secret. The body IS the value (raw string), and `db` is required.
curl -X PUT "https://$PROJECT_ID-$CONTAINER_ID-sqlite-1.$SERVER.containers.hoody.icu/api/v1/sqlite/kv/vault:stripe_key?db=/hoody/databases/app.db&create_db_if_missing=true" \
  -H "Content-Type: text/plain" \
  -d 'sk_live_abc123...'

# Retrieve a secret (the response body is the raw stored value)
curl "https://$PROJECT_ID-$CONTAINER_ID-sqlite-1.$SERVER.containers.hoody.icu/api/v1/sqlite/kv/vault:stripe_key?db=/hoody/databases/app.db"

The KV store lives in SQLite, which lives on your bare metal disk. Secrets never traverse infrastructure you do not control. Combine with the crypt backend for defense in depth — encrypted filesystem holding an encrypted database holding your secrets.

Container Isolation as the Security Boundary

Each container is a complete, isolated Linux environment. The isolation is not just logical — it is enforced at the operating system level:

┌──────────────────────────────────────────────────┐
│                 YOUR BARE METAL SERVER            │
│                                                  │
│  ┌─────────────┐  ┌─────────────┐  ┌──────────┐ │
│  │ Container A  │  │ Container B  │  │ Cont. C  │ │
│  │             │  │             │  │          │ │
│  │ Own files   │  │ Own files   │  │ Own files│ │
│  │ Own network │  │ Own network │  │ Own net  │ │
│  │ Own procs   │  │ Own procs   │  │ Own procs│ │
│  │ Own users   │  │ Own users   │  │ Own users│ │
│  │             │  │             │  │          │ │
│  │ CANNOT SEE  │  │ CANNOT SEE  │  │ CANNOT   │ │
│  │ B or C      │  │ A or C      │  │ SEE A, B │ │
│  └─────────────┘  └─────────────┘  └──────────┘ │
│                                                  │
│  Shared: CPU, RAM, Disk (but isolated views)     │
└──────────────────────────────────────────────────┘

What container isolation means in practice:

Container A cannot read Container B’s files, even though they share the same physical disk
A process in Container A cannot see or kill processes in Container B
Network traffic is isolated — containers cannot sniff each other’s traffic
A compromised container cannot escape to the host or other containers
An AI agent running in Container A has full root access inside A and zero access outside A

This is why container isolation is the correct security primitive for the AI era. When you give an AI agent root access to a container, the blast radius is exactly one container. Not your server. Not your other projects. Not your data.

Privacy Patterns

Pattern 1: Realm-Restricted Tokens for Tenant Isolation

When building multi-tenant applications, use realms to create isolated API scopes:

# NOTE: There is no hoody realms create CLI command.
# Realms are configured through the Hoody dashboard.
# List existing realms:
hoody realms list

# Create containers within each realm
hoody containers create --project $PROJECT_ID \
  --server-id $SERVER_ID \
  --name "acme-app" \
  --hoody-kit

hoody containers create --project $PROJECT_ID \
  --server-id $SERVER_ID \
  --name "globex-app" \
  --hoody-kit

import { HoodyClient } from '@hoody-ai/hoody-sdk';

const client = new HoodyClient({ baseURL: 'https://api.hoody.icu', token: process.env.HOODY_TOKEN });

// NOTE: There is no createRealm method in the SDK.
// Realms are configured through the Hoody dashboard.
// Realms are returned as an opaque array of 24-hex IDs -- any human
// naming convention is external/out-of-band (e.g. tracked in your own notes).
const realms = await client.api.realms.list();
const realmIds = realms.data.realm_ids; // string[] of 24-hex realm IDs
if (realmIds.length < 2) {
  throw new Error(`Need at least two realms to isolate customers; got ${realmIds.length}. Create them via the Hoody dashboard first.`);
}
const [acmeRealmId, globexRealmId] = realmIds;

// Containers in different realms are completely isolated
const acmeApp = await client.api.containers.create(PROJECT_ID, {
  name: 'acme-app',
  server_id: SERVER_ID,
  realm_ids: [acmeRealmId],
  hoody_kit: true,
});

const globexApp = await client.api.containers.create(PROJECT_ID, {
  name: 'globex-app',
  server_id: SERVER_ID,
  realm_ids: [globexRealmId],
  hoody_kit: true,
});

# NOTE: There is no POST /api/v1/realms endpoint.
# Realms are configured through the Hoody dashboard.
# List available realms:
curl "https://api.hoody.icu/api/v1/realms" \
  -H "Authorization: Bearer $HOODY_TOKEN"

# Create container in realm
curl -X POST "https://api.hoody.icu/api/v1/projects/$PROJECT_ID/containers" \
  -H "Authorization: Bearer $HOODY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "acme-app",
    "server_id": "'$SERVER_ID'",
    "realm_ids": ["'$ACME_REALM_ID'"],
    "hoody_kit": true
  }'

Realm-scoped API tokens can only access containers within their realm. A token for tenant-acme-corp cannot see, list, or access any container in tenant-globex-inc. The isolation is enforced at the API level.

Pattern 2: Encrypt Data at Rest

Layer encryption for sensitive data:

// Layer 1: hoody-files crypt backend encrypts the filesystem
// Layer 2: Application-level encryption for specific fields

// @mode serverless
const SQLITE = "https://PROJECT-CONTAINER-sqlite-1.SERVER.containers.hoody.icu";

// Store with application-level encryption
const crypto = require('crypto');
const key = Buffer.from(process.env.ENCRYPTION_KEY, 'hex');
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);

const sensitiveData = JSON.stringify({ ssn: '123-45-6789', salary: 150000 });
let encrypted = cipher.update(sensitiveData, 'utf8', 'hex');
encrypted += cipher.final('hex');

await fetch(SQLITE + "/api/v1/sqlite/db?db=/hoody/databases/app.db", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    transaction: [{ query: "INSERT INTO employee_records (name, encrypted_data, iv) VALUES (?, ?, ?)", values: ["Alice Chen", encrypted, iv.toString('hex')] }]
  })
});

Two layers: the filesystem is encrypted by the crypt backend, and sensitive fields are encrypted again at the application level. Even if someone bypasses the filesystem encryption, the data inside is still ciphertext.

Pattern 3: Control Network Egress with Firewall

Prevent containers from sending data to unauthorized destinations:

# Lock down outbound traffic
hoody firewall reset -c $CONTAINER_ID

# Resolve the hostnames you want to allow to IPv4/CIDR first — the firewall
# API only accepts numeric destinations (host `dig +short api.stripe.com`).
STRIPE_CIDR=$(dig +short api.stripe.com | awk '{print $1"/32"; exit}')
GITHUB_CIDR=$(dig +short api.github.com  | awk '{print $1"/32"; exit}')

hoody firewall egress create -c $CONTAINER_ID \
  --action allow --protocol tcp --destination-port 443 \
  --destination "$STRIPE_CIDR" --description "Allow Stripe API"

hoody firewall egress create -c $CONTAINER_ID \
  --action allow --protocol tcp --destination-port 443 \
  --destination "$GITHUB_CIDR" --description "Allow GitHub API"

import { HoodyClient } from '@hoody-ai/hoody-sdk';

const client = new HoodyClient({ baseURL: 'https://api.hoody.icu', token: process.env.HOODY_TOKEN });

// Reset firewall to deny-all default
await client.api.firewall.reset(CONTAINER_ID);

// Whitelist specific destinations. The egress `destination` must be an
// IPv4 address or CIDR range — resolve the hostname to an IP first.
await client.api.firewall.addEgressRule(CONTAINER_ID, {
  destination: '203.0.113.10/32', // resolved IP for api.stripe.com
  destination_port: '443',
  action: 'allow',
  protocol: 'tcp',
  description: 'Allow Stripe API',
});

# Reset firewall (deny-all default)
curl -X POST "https://api.hoody.icu/api/v1/containers/$CONTAINER_ID/firewall/reset" \
  -H "Authorization: Bearer $HOODY_TOKEN"

# Whitelist specific destination. `destination` must be an IPv4 address or
# CIDR range — resolve the hostname to an IP first (e.g. dig +short api.stripe.com).
curl -X POST "https://api.hoody.icu/api/v1/containers/$CONTAINER_ID/firewall/egress" \
  -H "Authorization: Bearer $HOODY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "destination": "203.0.113.10/32",
    "destination_port": "443",
    "action": "allow",
    "protocol": "tcp",
    "description": "Allow Stripe API"
  }'

With egress deny-all, the container cannot phone home, cannot exfiltrate data, cannot communicate with any server you have not explicitly approved. This is essential when running untrusted code or AI agents that might attempt to send data externally.

Compliance and Data Sovereignty

Physical servers mean physical locations. This is the simplest compliance argument there is:

Data residency: Your server is in Frankfurt. Your data is in Frankfurt. Not “primarily” in Frankfurt. Not “replicated from” Frankfurt. Physically, magnetically, on a disk in Frankfurt.

GDPR: European personal data lives on European hardware. Period. No transatlantic transfer to worry about, no data processing agreements with cloud sub-processors, no “our servers might be anywhere” hedging.

HIPAA: Protected health information on dedicated hardware with encrypted filesystems, firewall-controlled network access, and container isolation between patient datasets.

SOC 2: Audit trail through HTTP request logs. Access control through proxy permissions. Encryption through crypt backend. Isolation through containers. Every compliance requirement maps to an HTTP-observable, configurable control.

┌────────────────────────────────────────────────┐
│  YOUR SERVER: Frankfurt, Germany               │
│  Physical address: DataCenter GmbH, Room 4B    │
│                                                │
│  Container: patient-records                    │
│  ├── Encrypted filesystem (crypt backend)      │
│  ├── Firewall: egress deny-all                 │
│  ├── Proxy: IP whitelist (clinic IPs only)     │
│  ├── Realm: healthcare-prod                    │
│  └── Snapshots: daily, 90-day retention        │
│                                                │
│  Data location: This building. This rack.      │
│  Data access: Clinic IPs only.                 │
│  Data encryption: AES-256, keys on-server.     │
│  Data retention: 90-day snapshot history.       │
│  Audit trail: Every HTTP request logged.        │
└────────────────────────────────────────────────┘

Try expressing that compliance posture with a shared cloud VM. You cannot. The architecture prevents it.

The AI Safety Angle

Here is the argument that makes zero-knowledge workflows urgent rather than merely prudent:

AI agents running in your infrastructure can see everything. When you give an AI agent access to a container — terminal, files, database, browser — it has the same access as a developer. It can read credentials, query databases, browse the filesystem.

On shared infrastructure, a compromised or misbehaving AI agent could:

Exfiltrate data through network requests
Access other tenants’ resources through hypervisor vulnerabilities
Persist malicious code that survives container restarts
Send your data to the AI provider’s training pipeline

On Hoody’s bare metal + container architecture:

Container isolation prevents the agent from escaping its sandbox
Firewall rules prevent unauthorized network communication
Snapshots let you roll back any changes the agent made
Bare metal means no hypervisor attack surface
Encrypted filesystems mean even disk-level access yields ciphertext

# The AI safety workflow:

# 1. Create an isolated container for the experiment and capture its ID
EXPERIMENT_ID=$(hoody containers create --project $PROJECT_ID \
  --server-id $SERVER_ID \
  --name "ai-experiment" \
  --hoody-kit | jq -r '.data.id')

# 2. Lock down network
hoody firewall reset -c $EXPERIMENT_ID

# 3. Snapshot clean state
hoody snapshots create --container $EXPERIMENT_ID \
  --alias "clean-slate"

# 4. Let the AI agent run via the prompt endpoint
curl -X POST "https://$PROJECT_ID-$EXPERIMENT_ID-workspaces-1.$SERVER.containers.hoody.icu/api/v1/agent/prompt/sync" \
  -H "Content-Type: application/json" \
  -d '{"parts": [{"type": "text", "text": "Analyze this dataset and build a classification model"}], "autoApprove": true}'

# 5. Inspect results
# 6. Restore clean state if needed
hoody snapshots restore -c $EXPERIMENT_ID --name "clean-slate"

import { HoodyClient } from '@hoody-ai/hoody-sdk';

const client = new HoodyClient({ baseURL: 'https://api.hoody.icu', token: process.env.HOODY_TOKEN });

// 1. Isolated container
const experiment = await client.api.containers.create(PROJECT_ID, {
  name: 'ai-experiment',
  server_id: SERVER_ID,
  hoody_kit: true,
});

// 2. Lock down network
await client.api.firewall.reset(experiment.data.id);

// 3. Snapshot clean state
await client.api.containers.createSnapshot(experiment.data.id, {
  alias: 'clean-slate',
});

// 4. Let the AI work in isolation
// Using raw fetch to show the HTTP surface directly.
const agentBase = `https://${PROJECT_ID}-${experiment.data.id}-workspaces-1.${SERVER}.containers.hoody.icu`;
await fetch(`${agentBase}/api/v1/agent/prompt/sync`, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    parts: [{ type: 'text', text: 'Analyze this dataset and build a classification model' }],
    autoApprove: true,
  }),
});

// 5. Inspect results via files, terminal, sqlite
// 6. Restore if needed
await client.api.containers.restoreSnapshot(experiment.data.id, 'clean-slate');

# 1. Create isolated container
curl -X POST "https://api.hoody.icu/api/v1/projects/$PROJECT_ID/containers" \
  -H "Authorization: Bearer $HOODY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "ai-experiment", "server_id": "'$SERVER_ID'", "hoody_kit": true}'

# 2. Lock down network
curl -X POST "https://api.hoody.icu/api/v1/containers/$EXPERIMENT_ID/firewall/reset" \
  -H "Authorization: Bearer $HOODY_TOKEN"

# 3. Snapshot clean state
curl -X POST "https://api.hoody.icu/api/v1/containers/$EXPERIMENT_ID/snapshots" \
  -H "Authorization: Bearer $HOODY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"alias": "clean-slate"}'

# 4. Let AI work
curl -X POST "https://$PROJECT_ID-$EXPERIMENT_ID-workspaces-1.$SERVER.containers.hoody.icu/api/v1/agent/prompt/sync" \
  -H "Content-Type: application/json" \
  -d '{"parts": [{"type": "text", "text": "Analyze this dataset and build a classification model"}], "autoApprove": true}'

# 5-6. Inspect and restore if needed (restore = PATCH the snapshot by name)
curl -X PATCH "https://api.hoody.icu/api/v1/containers/$EXPERIMENT_ID/snapshots/clean-slate" \
  -H "Authorization: Bearer $HOODY_TOKEN"

The AI agent has full autonomy inside an air-gapped container. It can read data, write code, run experiments — but it cannot exfiltrate anything because the firewall blocks all outbound traffic. When the experiment is done, inspect the results. If anything looks wrong, restore the clean snapshot. The data never left your hardware.

Defense in Depth

The strongest security posture layers multiple controls:

Layer 1: Bare Metal        → No shared hardware, no hypervisor attack surface
Layer 2: Container          → Process isolation, filesystem isolation
Layer 3: Firewall           → Network egress control, deny-all default
Layer 4: Proxy Permissions  → Authentication before HTTP reaches the container
Layer 5: Encrypted FS       → Data encrypted at rest (crypt backend)
Layer 6: Application        → Field-level encryption, input validation
Layer 7: Snapshots          → Rollback capability, audit via diff
Layer 8: Realms             → API-level tenant isolation

Each layer is independently configurable through HTTP. Each layer can be audited through HTTP. Each layer is a security boundary that an attacker must breach independently. Compromise one layer and the others still hold.

This is not defense in depth as a marketing term. It is eight distinct, HTTP-configurable security boundaries between an attacker and your data.

What’s Next

Building a Full-Stack Application — Build with security from the start
Deploying Autonomous AI Agents — AI agents in isolated containers
Proxy Permissions — Fine-grained access control
Firewall Configuration — Network-level security
Encrypted Cloud Storage — Multi-backend encrypted storage