Questions, answered.

An agent workstation is a persistent, isolated computer that exists for an AI agent to work on. It is always on. It has its own filesystem, processes, and network. Privileged actions are gated at the boundary so they require a human passkey approval. The agent lives there, not on your laptop.

Three reasons. First, the agent stops when you close the lid, so anything taking more than a few hours is impractical. Second, the agent has ambient access to your machine: SSH keys, AWS credentials, browser cookies, kubectl context. Third, you can only run one agent at a time without state collisions. An agent workstation fixes all three by moving the agent off the laptop into a place built for it.

No. Ellul runs Cursor or Claude Code (or Codex or OpenCode). The agent stays the same. The computer it lives on changes. Your existing client and prompts work as-is.

Run continuously without you. Survive your laptop closing. Touch real production credentials safely. Coordinate with other agents on adjacent workstations. Ship a PR overnight while you sleep. None of these are possible on a laptop without security tradeoffs you should not be making.

Indefinitely. The workstation stays online whether you are at your laptop or not. Customer agents have run uninterrupted for multiple days through long refactors and migration scripts.

Ellul restarts it and resumes from the last checkpoint. You wake up to a continuing run, not a stopped one.

Open ellul.ai/console on your phone. The agent's chat, files, and logs are accessible from any device. When something needs your approval, you receive a push notification and tap your passkey from the same phone.

Each agent gets its own workstation. They run independently. When you want one agent to read another's output, you grant a read-only snapshot of the source code (secrets and credentials are excluded). The reading agent can analyze, summarize, or generate documentation, but it cannot edit, push, or escalate.

They can both read it. Only one can write. The peering primitive is intentionally read-only. Write coordination between two agents is a recipe for state corruption that humans tend to underestimate. The right pattern is one writing agent plus one or more reviewing/documenting agents in adjacent workstations.

The peering view is a rsync filtered snapshot delivered into the consuming agent's filesystem at a known path. There is no write path back to the source. There are no symlinks. Files that exist only on the source side physically don't exist on the consuming side, so the consuming agent cannot smuggle them out.

Privileged actions (git push, deploy, database writes, secret access) pause mid-execution. The agent's terminal shows a 'waiting for passkey' state. You receive a notification. You tap your passkey (Touch ID, Face ID, security key) to approve or decline. The agent only proceeds if you approve.

No. Credentials live in a server-side vault. They are never written to the agent's process environment, never sent to the agent's chat history, never logged. When a privileged action needs them, the action is paused, you approve via passkey, and the action is brokered through a separate process the agent cannot read or attach to.

You configure backup passkeys (multiple devices). If you lose all of them, account recovery requires a verified secondary email and a 7-day delay. Not instant, because instant recovery would defeat the gate model.

You can configure auto-approval rules per project (for example: 'auto-approve git push to feature/* branches' or 'auto-approve deploys to staging'). Production-class actions cannot be auto-approved.

Codespaces was built for humans writing code in a browser. It has no agent gating, no parallel-agent primitive, no passkey integration. Ellul was built for the agent first, the human second.

Sprites provides stateful sandboxes as infrastructure that other companies build on. Ellul is the assembled product an engineer signs up for: chat, file browser, gates, integrations. Different layer of the stack.

E2B is for ephemeral code execution. Sandboxes typically last minutes to hours, capped at 24 hours on Pro. Ellul is for persistent agent work. A workstation lasts as long as you have an account.

Daytona is a workspace primitive. Its docs target platform engineers building developer environments. Ellul is the assembled, opinionated agent workstation that uses workspace primitives internally.

Replit is a shared cloud runtime that bundles IDE, agent, and hosting. Ellul is a per-user VPS with strict isolation; the app deploys to wherever the user wants: Vercel, Fly, Railway. Different shape, different audience.

Devin is a managed product where Cognition's agent runs in their sandbox. Ellul is the runtime under your own agent (your Claude Code, your Cursor, your Codex) on a persistent workstation that's yours. Different commitments, different prices.

All four are prompt-to-app builders for non-engineers or prototypers. Ellul is a persistent workstation for an engineer's AI agent on a real codebase. They are not in the same product category. They show up in the same searches because both touch the prompt-to-software flow.

Manus is a generalist managed agent. Give it a task, it works in their sandbox. Ellul is bring-your-own-agent on bring-your-own-model on a persistent workstation. Different shapes for different jobs; some users use both for different kinds of work.

Windsurf is a VS Code fork with a Cascade agent on your laptop. Ellul is the runtime an agent lives on regardless of which editor you use. They compose: keep Windsurf as your editor; move the agent's runtime to Ellul.

Claude Code, Codex, Cursor's CLI, OpenCode, and Cascade CLI are all supported out of the box. Any agent that runs on Linux from a terminal can run on a workstation; the five listed are the ones we test continuously and ship with pre-installed images.

Yes. BYOK is the default for every supported agent. Your model contract is between you and the model provider (Anthropic, OpenAI, Google, OpenRouter, etc.); your runtime contract is between you and Ellul. We never proxy or store your model keys outside the workstation's encrypted vault.

Yes for Claude Code. Claude Code on Ellul supports both Claude Pro / Max sign-in and Anthropic API key BYOK. The choice depends on your usage shape and pricing preference.

If it runs on Linux and isn't on the list, you can still install and run it yourself on the workstation. The supported list reflects which agents we ship pre-installed and offer turnkey gating for. Anything else works as a self-served install.

Yes. The agent runs on the workstation; you can point it at OpenRouter, Together, your own inference server, or a locally hosted model on the same workstation if you have the resources. Bigger workstation tiers are appropriate when you're running inference locally.

Yes. MCP servers run as long-lived processes alongside the agent on the workstation. Credentials for MCP servers (PATs, DB connections, API keys) flow through the Sovereign Shield rather than living in plaintext in the MCP server's environment.

GitHub, Database (Postgres / MySQL / SQLite), Playwright, and a filesystem MCP are pre-built and configurable from the console. Other MCP servers (custom or open-source) install the same way they would on any Linux host.

No. MCP is one of several ways to extend an agent. If your agent doesn't need external tools beyond the workstation's filesystem and shell, you can skip MCP entirely. Most engineers add MCP servers as their agent's needs grow.

Long-lived secrets stay in the shield's vault, not in the MCP server's environment. The MCP server requests short-lived scoped credentials per call. Even a fully compromised MCP server cannot leak the underlying PAT or connection string. It can only abuse what's in flight.

Yes. Most migrations are 'point your existing agent CLI at a new workstation'. The agent doesn't change, the runtime does. For users coming from prompt-to-app builders (Bolt, Lovable, Base44), export to GitHub first, then continue on Ellul with your preferred agent CLI.

Hobby and Pro plans are billed monthly. If you cancel within seven days of your first paid month, we refund the charge. After that, your subscription stops at the end of the current billing period and your data persists for thirty days while you decide.

Your workstation's encrypted volume persists for thirty days after cancellation. You can sign back in to download your data or reactivate. After thirty days, the volume is wiped from disk; we keep no backups beyond your own.

Multiple registered passkeys are the primary recovery mechanism. If you lose all of them, recovery requires a verified secondary email and a seven-day delay. The delay is intentional. Without it, the gate model collapses.

Yes. Your code is in your repos (your own git host or GitHub). Your secrets and config are exportable as an encrypted bundle. The workstation itself isn't exportable as a VM image, but everything that lives on it can be snapshotted and rebuilt.

The marketing site and console are translated into Japanese, Korean, German, Brazilian Portuguese, and French. The agent's behavior depends on the model. Most modern coding agents work fluently in those languages and many more.

EU by default. Other regions are available on request. Regions are bound to your account at provisioning time.

Yes. Workstations in EU regions stay in EU regions; their LUKS-encrypted volumes never replicate outside the chosen region. Backups (when configured) honor the same boundary. If your work is governed by data-handling rules, this is structurally easier to defend than a managed third-party sandbox.

Hobby is $20/month for up to two parallel workstations. Pro is $50/month for up to five workstations, persistent state, and integrations. A Free tier exists for evaluation (one workstation, 60-minute sessions, hibernation after 30 minutes idle, fresh reset every 24 hours); it isn't a substitute for the paid tiers if you actually want the agent to keep working while you sleep.

Not yet. We will add SSO, SOC 2, and audit exports once we have 200+ paying customers. Until then, mid-market and indie engineers are the priority ICP.

Anywhere you want: Vercel, Fly.io, Railway, Cloudflare Pages, your own infra. Ellul is upstream of hosting; it is where the agent works, not where the app runs.

No usage credits. Your subscription is flat. The only rate-limit-shaped concern is your model API quota, which is yours to manage with your model provider, not metered by Ellul.