Secrets Management
Secret Model
Secrets are stored in the `secretstore` app with scoping:
- Organization-wide: visible to all teams
- Team-scoped: visible only to that team
- Workspace-scoped: narrowest scope
Backends
| Backend | Use Case | Config |
|---|---|---|
| `local_encrypted` | Dev/test | `FERNET_SECRET_KEY` env var |
| `aws_sm` | Production (AWS) | IAM role with SecretsManager access |
| `vault` | Production (multi-cloud) | Vault address + token |
At Brief Assembly
Secrets referenced in a task's `secret_refs` are resolved at dispatch time. The actual secret values are injected as environment variables into the agent container and are never stored in the brief JSON.
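The dispatch-time resolution described above, combined with the scoping rules from the Secret Model section, as an added example (not this project's own code). The `Secret` record shape, `visible()`, `assemble()`, the workspace matching rule, the narrowest-scope-wins rule on name collisions, and all sample data are assumptions made for illustration.

```python
import json
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Secret:  # hypothetical record shape, not the secretstore schema
    name: str
    value: str
    team: Optional[str] = None       # set => team-scoped
    workspace: Optional[str] = None  # set => workspace-scoped; both None => org-wide

def visible(s: Secret, team: str, workspace: str) -> bool:
    if s.workspace is not None:
        return s.workspace == workspace
    if s.team is not None:
        return s.team == team
    return True  # organization-wide: visible to all teams

def assemble(task: dict, store: list, team: str, workspace: str):
    """Return (brief_json, container_env) for one dispatch."""
    env = {}
    for ref in task["secret_refs"]:
        matches = [s for s in store if s.name == ref and visible(s, team, workspace)]
        if not matches:
            raise PermissionError(f"secret_ref {ref!r} is not visible to {team}/{workspace}")
        # Assumption: on a name collision the narrowest visible scope wins.
        best = max(matches, key=lambda s: (s.workspace is not None, s.team is not None))
        env[ref] = best.value
    # The brief carries reference names only, never resolved values.
    brief = json.dumps({"task_id": task["id"], "secret_refs": task["secret_refs"]})
    # Guard: refuse to dispatch if any resolved value ended up in the brief.
    if any(value and value in brief for value in env.values()):
        raise RuntimeError("secret value present in brief JSON")
    return brief, env

# Constructed sample data for the example.
STORE = [
    Secret("API_TOKEN", "org-token-constructed"),
    Secret("API_TOKEN", "payments-token-constructed", team="payments"),
    Secret("DB_PASSWORD", "ws-db-constructed", workspace="ws-1"),
]
TASK = {"id": "task-1", "secret_refs": ["API_TOKEN", "DB_PASSWORD"]}

if __name__ == "__main__":
    brief, env = assemble(TASK, STORE, "payments", "ws-1")
    print(brief)        # safe to log or persist
    print(sorted(env))  # print names only, never the values
```

A reference that is not visible to the caller's team or workspace fails the dispatch instead of silently resolving to nothing, so a mis-scoped `secret_refs` entry surfaces as an error.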