Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.yourhq.ai/llms.txt

Use this file to discover all available pages before exploring further.

HQ is single-operator admin software. The security model is designed for one trusted user running their own infrastructure — not for multi-tenant SaaS.

Trust boundaries

Supabase project

Stores all shared state. The service role key grants full database access — treat it like a database admin password.

Docker host

The gateway container runs agents with full access to the shared volume, Chrome, and the service role key.

Runner Docker socket

The runner mounts /var/run/docker.sock — root-equivalent access to the host. Any RCE in the runner owns the host.

noVNC endpoint

Remote desktop into the gateway container. Protected by VNC password, but do not expose directly to the public internet.
Use Tailscale or another private access layer for remote use. Do not expose noVNC or the files API directly to the public internet without a reverse proxy and auth layer.
Read the full security policy for detailed threat analysis, responsible disclosure, and hardening guidance.