Security
The Security group holds the credential vault and the network egress controls for sandboxed agent work. Both pages require org_admin or above; below that the group disappears from the sidebar entirely.
Secrets
/secrets ("Secrets Vault") stores credentials that agents and skills reference at runtime, without ever exposing the raw value in the UI.
What you see:
- A list of secrets showing name, description, scope, provider, masked value and last-rotated date, filterable by scope.
Key actions:
- Create a secret with:
- Scope — org-wide, a specific team, or a specific agent. Team- and agent-scoped secrets are only visible to workloads in that scope.
- Provider — internal (stored by EnClaw), or an external reference into HashiCorp Vault, AWS Secrets Manager or Azure Key Vault via an external ref.
- Name, optional description and the secret value.
- Edit updates name, description and (optionally) the value — leaving the value blank keeps the current secret, so the masked value is never accidentally written back.
- Delete is confirmed and cannot be undone.
Notable behaviours:
- Values are write-only: after creation the UI only ever shows a masked value.
- The last-rotated timestamp gives you a quick audit of stale credentials.
Egress Policies
/egress-policies controls which network destinations sandboxed agent executions may reach.
What you see:
- A list of policies with name, mode, rule count and an active toggle.
Key actions:
- Create or edit a policy with:
- Mode — allowlist (only listed destinations are permitted) or blocklist (listed destinations are blocked).
- Rules — any number of entries, each a type (domain, IP CIDR or pattern), a value, an action (allow or block) and an optional description. Rules can be added, edited and removed inline.
- An active flag, so a policy can be staged before enforcement.
- Toggle a policy active or inactive directly from the list.
- Delete removes the policy after confirmation.
Notable behaviours:
- A built-in URL tester takes any URL and reports whether it would be allowed or blocked, why, and which rule in which policy matched — test before you enforce.
- Policies apply to agent egress from sandboxed tool runs; combine an allowlist policy with approval rules for high-risk tools to lock down exfiltration paths.
For the wider security model (sandboxing, approvals, compliance) see Security and compliance.