
The Vault

Store and manage credentials that your agents use at runtime. Agents never see credential values directly — the platform injects them securely at execution time.

The Vault is where you store credentials that your agents use at runtime. Agents never see credential values directly — the platform retrieves the credential and injects it securely when the agent needs it during execution.


Supported Providers and Credential Types

| Provider | Credential Types | Example Value |
|---|---|---|
| OpenAI | Secret | sk-... |
| Anthropic | Secret | sk-ant-... |
| Google (Gemini) | Secret, Service Account | API key or service account JSON |
| GitHub | Secret | ghp_... |
| Custom | Secret, Variable | Any value |

Secrets vs Variables

The Vault has two credential types:

Secret — a sensitive value. Masked after creation and never shown again. Use Secret for API keys, passwords, access tokens, and any value you would not want displayed in logs or the UI.

Variable — a non-sensitive configuration value. Readable after creation. Use Variable for base URLs, feature flags, region names, or any non-sensitive identifier your agents need at runtime.

When in doubt, use Secret.

The Vault is for credentials. For Zaru's evolving notes about your preferences and work style, see Memory — a sibling user-scoped settings page.


Adding a Credential

  1. Navigate to The Vault in the sidebar.
  2. Click New Credential.
  3. Select a provider from the list (or choose Custom for any other service).
  4. Enter a name for the credential — this is how it will appear in grant lists and agent configuration.
  5. Enter the credential value.
  6. Click Save.

Secret values are masked immediately after saving and cannot be retrieved again. If you lose a secret value, you will need to rotate it from the source service and save the new value.


Credential Grants

Saving a credential does not automatically make it available to your agents. You must explicitly grant access.

After saving a credential, open it and click Add Grant. You can grant access to:

  • A specific agent by name
  • A workflow by name
  • Your entire current session (useful for interactive use)

Without an active grant, no agent can read or use the credential, even if it requests it.


OAuth Connections

GitHub and Google support OAuth connections, which let agents act on your behalf for those services — such as reading repositories, creating issues, or calling Google APIs — without you having to copy and paste tokens manually.

OAuth connections are managed from the Connections tab, not the Vault. From there, click Connect next to the provider and complete the authorization flow in your browser. Once connected, agents granted access to that connection can make authenticated requests on your behalf.

OAuth connections automatically refresh when tokens expire. You can disconnect a connection at any time from the Connections tab.


Edge Hosts

The Vault houses your Edge Hosts — AEGIS daemons running on your own hardware (laptops, home servers, work VMs) bound to your tenant. The section is organized into three sub-views.

Hosts

A card per enrolled daemon. Each card shows:

  • Display name (editable inline).
  • Status badge: Connected / Disconnected / Unhealthy / Revoked.
  • OS / arch (auto-detected at enrollment).
  • Last seen timestamp.
  • Labels (read-only — these are advertised by the daemon).
  • Tags (editable inline — operator-managed classifiers like prod, db-host).
  • Action menu: Rename, Edit Tags, Revoke, Inspect.

The Host Detail view adds capabilities, advertised labels, operator tags, and a recent command history streamed from the platform's event log.

Add Edge Host

Click Add Edge Host. The dialog issues an enrollment token bound to your effective_tenant, displays a copyable aegis edge enroll <token> command, a QR code for mobile-to-laptop transfer, and a countdown to expiry (default 15 minutes). On enrollment the new edge appears in the list within ~1 heartbeat.

For team tenants, the picker shows accessible tenants (personal + teams you're a member of). The token's tid is set accordingly and the resulting daemon is visible to all team members per the team-membership claim.

Groups

Saved selectors with named, reusable scopes. The group editor exposes a selector form (tags, labels, tools, OS, arch) with a live Selector Preview Panel ("matches 7 of your 12 connected edges") and a pinned-members section for explicit overrides.

Group membership is dynamic — re-evaluated at every dispatch. New hosts that match the selector automatically join.
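
A small model of dispatch-time group resolution, added here as an illustration and not AEGIS code. It shows that a tag change on a host alters which machines the next fleet run reaches, without any edit to the group itself. The Host and Group classes, AND-matching across selector fields, pinned members as explicit inclusions, and targeting only Connected hosts are all assumptions; the tools selector field is left out.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Host:
    name: str
    status: str                          # Connected / Disconnected / Unhealthy / Revoked
    os: str
    arch: str
    tags: frozenset = frozenset()        # operator-managed, editable
    labels: frozenset = frozenset()      # advertised by the daemon

@dataclass
class Group:
    tags: frozenset = frozenset()
    labels: frozenset = frozenset()
    os: Optional[str] = None
    arch: Optional[str] = None
    pinned: frozenset = frozenset()      # host names added explicitly (assumed semantics)

    def matches(self, h: Host) -> bool:
        # Assumption: every selector field that is set must match (logical AND).
        return (self.tags <= h.tags and self.labels <= h.labels
                and self.os in (None, h.os) and self.arch in (None, h.arch))

    def resolve(self, fleet) -> list:
        # Called at every dispatch, so membership follows the fleet's current state.
        # Assumption: only Connected hosts are targeted; pinned hosts skip the selector.
        return sorted(h.name for h in fleet
                      if h.status == "Connected" and (h.name in self.pinned or self.matches(h)))

def drift(group: Group, before, after) -> dict:
    """Hosts that entered or left the group between two dispatches."""
    old, new = set(group.resolve(before)), set(group.resolve(after))
    return {"joined": sorted(new - old), "left": sorted(old - new)}

# Constructed sample fleet (not real hosts).
PROD_DB = frozenset({"prod", "db-host"})
FLEET_T0 = [
    Host("db-1", "Connected", "linux", "x86_64", tags=PROD_DB),
    Host("old-vm", "Revoked", "linux", "x86_64", tags=PROD_DB),
    Host("laptop", "Connected", "darwin", "arm64", tags=frozenset({"dev"})),
]
# A newly enrolled host tagged prod + db-host joins with no group edit.
FLEET_T1 = FLEET_T0 + [Host("db-2", "Connected", "linux", "x86_64", tags=PROD_DB)]
GROUP = Group(tags=PROD_DB, os="linux", pinned=frozenset({"laptop"}))

if __name__ == "__main__":
    print(GROUP.resolve(FLEET_T0))
    print(drift(GROUP, FLEET_T0, FLEET_T1))
```

Comparing the resolved membership before each dispatch against the previous run gives a reviewable record of which hosts entered a group's scope and when.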

Fleet Runs

Paginated history of fleet operations. Each row shows the tool, target, policy summary, outcome, and a per-node breakdown. The live run view for an in-flight operation shows a per-node grid with streaming output and a Cancel button.

For the underlying model, see edge mode overview; for the operations playbook, see edge fleet operations.
