Credential files
Flag .env files, SSH keys, npm tokens, kubeconfigs, and cloud credentials.
Feature
Secret Protection
Catch secrets before agents read, send, or commit them.
Purpose
Catch secrets before agents read, send, or commit them.
Prompt masking
Mask or hold prompts with keys, tokens, PII, PHI, or credentials.
Commit safety
Require approval before suspicious staged content is committed.
Sensitive context
.env read detected.env read detected
Token-like value maskedToken-like value masked
Credential access heldCredential access held
Where You See It
Start simple. The same idea grows as your setup grows.
Individual localDesktop client
Configure and review locally.
Individual cloudDesktop plus account surface
Cloud sync, no dashboard.
OrganizationDashboard and clients
Admins configure policy; employees follow it.
Private CloudCustomer-hosted dashboard
Same concepts, customer-owned backend.