Skip to main content

File space & storage

File space is EnClaw's virtual file system (VFS) — the governed storage layer where agents and users read, write and share files. Instead of every agent scattering output across email attachments and personal drives, files land in one browsable, quota-controlled, audited place. Admins manage it at /file-space.


Storage backends

File space is an abstraction over pluggable storage. The directory tree your users see stays the same regardless of what's underneath:

BackendTypical use
Azure Blob StorageThe default for Azure-hosted deployments, including the managed SaaS.
Amazon S3AWS-centric deployments, or an existing S3 bucket you already govern.
Local filesystemSelf-hosted and development environments.

Backend configuration (connection details, container/bucket) is done once by an admin in the File space settings; users and agents never see or care which backend a directory lives on.

Mount points — SharePoint and OneDrive

Beyond native backends, mount points connect external drives into the VFS tree. Mounting a SharePoint site or OneDrive location makes its content appear as a directory in File space, so agents can work with documents that live where your organisation already keeps them — no copying content into EnClaw first. Access through a mount still flows through EnClaw's permission and audit layer.

Directory hierarchy and scoping

File space is a nested directory tree, and every directory carries a scope that controls visibility:

ScopeWho sees it
OrgEveryone in the tenant. Shared reference material, templates, published outputs.
TeamMembers of one team and its agents. Working files for that team.
AgentA single agent's own workspace — scratch space and generated artefacts.
UserOne user's private area. Other users can't browse it.

Scoping is enforced, not cosmetic: a user browsing File space sees only directories their org, team and personal scopes entitle them to, and agents are bound by the same rules when reading and writing through their file tools.

A workable starting layout: one org-scoped directory for shared templates and published deliverables, a team-scoped directory per team for work in progress, and agent-scoped directories left to accumulate generated artefacts (with a retention policy trimming them — see below).

Per-directory policies

Each directory can carry its own policy, giving you different rules for different areas rather than one blunt global setting:

  • Quotas — cap total size per directory, so an enthusiastic report-generating agent can't quietly consume the tenant's storage.
  • Allowed file types — restrict a directory to an allowlist of types (e.g. documents and spreadsheets only in the deliverables folder; no executables anywhere users share files).
  • PII scanning — scan uploads for personally identifiable information on the way in, flagging sensitive content at the point of entry. See Security & compliance for what's detected.
  • Retention — how long files live before auto-delete. Ideal for agent scratch directories where artefacts have a shelf life; pair with the tenant-wide retention policies.

Policies apply to agents and humans alike — an agent writing through its file tools hits the same quota and type checks a user hits in the browser.

Files can be shared via share links rather than by copying files around:

  • Permission-controlled — a link grants a specific access level (e.g. view vs download), not blanket access to the directory it came from.
  • Time-limited — links can expire, so access to a shared report doesn't outlive its purpose.

Because sharing happens through the VFS, shared access is visible and revocable — unlike a file that's been emailed out.

Integrity and audit

  • Checksums — every file is checksummed with SHA-256 on write, so integrity can be verified and silent corruption or tampering detected.
  • Access logging — file operations (uploads, downloads, deletions, share access) are recorded and feed the platform audit log, giving you an answer to "who touched this file, and when" without extra tooling.

How agents use File space

Agents interact with File space through built-in file tools — listing directories, reading, writing and deleting files — subject to their directory scopes, per-agent skill toggles and permission rules. A typical pattern: an agent gathers data, writes the finished report into its team's directory, and replies in chat with the file's location or a share link.


Next