Skip to main content

Security

The Security group holds the credential vault and the network egress controls for sandboxed agent work. Both pages require org_admin or above; below that the group disappears from the sidebar entirely.

Secrets

/secrets ("Secrets Vault") stores credentials that agents and skills reference at runtime, without ever exposing the raw value in the UI.

What you see:

  • A list of secrets showing name, description, scope, provider, masked value and last-rotated date, filterable by scope.

Key actions:

  • Create a secret with:
    • Scope — org-wide, a specific team, or a specific agent. Team- and agent-scoped secrets are only visible to workloads in that scope.
    • Provider — internal (stored by EnClaw), or an external reference into HashiCorp Vault, AWS Secrets Manager or Azure Key Vault via an external ref.
    • Name, optional description and the secret value.
  • Edit updates name, description and (optionally) the value — leaving the value blank keeps the current secret, so the masked value is never accidentally written back.
  • Delete is confirmed and cannot be undone.

Notable behaviours:

  • Values are write-only: after creation the UI only ever shows a masked value.
  • The last-rotated timestamp gives you a quick audit of stale credentials.

Egress Policies

/egress-policies controls which network destinations sandboxed agent executions may reach.

What you see:

  • A list of policies with name, mode, rule count and an active toggle.

Key actions:

  • Create or edit a policy with:
    • Mode — allowlist (only listed destinations are permitted) or blocklist (listed destinations are blocked).
    • Rules — any number of entries, each a type (domain, IP CIDR or pattern), a value, an action (allow or block) and an optional description. Rules can be added, edited and removed inline.
    • An active flag, so a policy can be staged before enforcement.
  • Toggle a policy active or inactive directly from the list.
  • Delete removes the policy after confirmation.

Notable behaviours:

  • A built-in URL tester takes any URL and reports whether it would be allowed or blocked, why, and which rule in which policy matched — test before you enforce.
  • Policies apply to agent egress from sandboxed tool runs; combine an allowlist policy with approval rules for high-risk tools to lock down exfiltration paths.

For the wider security model (sandboxing, approvals, compliance) see Security and compliance.