Role-based access with an encrypted credential & key vault
Built-in roles from viewer to org admin, scoped per project, plus an encrypted vault for credentials and SSH keys — scoped per tenant, project, or individual host, and revealed only to those authorized.
Least privilegeViewer, operator, infra admin, org admin — assignable per project.
02
Per-host secretsScope credentials to a tenant, project, or a single host; host secrets are admin-reveal only.
03
SSH key vaultStore and inspect SSH keys with fingerprint and passphrase detection, never exposed in plain text.
04
Just-in-time injectionRuns fetch the right secret per host on demand at execution time — never bundled into job payloads, never written to disk, and shredded the moment the run finishes.