c16
c16 / wf5.m1 - Agent Control Plane — hi-fi (wf5.m1) / Data Protection·control-plane-v1/data-protection·draft

Security · Data Protection

5 credential & secret path opens — across 3 agents, already in context

5 credential / secret path opens across 3 agents — every row is a secret already pulled into model context. Worst exposure: Claude Code (2 high paths). 2 agents are write-heavy — data being produced and moved, not just read in.

This is the blast radius if any of these agents is compromised — a credential it already touched. Content inspection (what is inside prompts) is the next step.

Credential / secret opens

5

across the fleet

Agents touching secrets

3of 8

with high-severity paths

Write-heavy agents

2producing

4.8 MB streamed · 691 writes

Highest exposure

Claude Code

2 high paths

Credential & secret paths — and the agents reaching them

ranked by severity · opens

The blast radius if any of these agents is compromised: a secret it already pulled into context. Each row links to the agent that touched it.

Severity
Agent
Secret path
Opens
Last seen
highClaude Codemark@qpoint.io./.env306-03 14:02
highsupport-copilotsvc-support@qpoint.io/var/secrets/zendesk.token206-03 13:55
highClaude Codemark@qpoint.io~/.aws/credentials106-03 14:02
highmarketing-gptroot/srv/marketing-gpt/.env106-03 12:10
mediumCodex CLIdev-7f3@duck.com./config/secrets.yaml106-02 19:30

High-severity exposure by agent

derived · Σ high-severity path opens per agent

From each agent's sensitive_files: how many high-severity secret / credential paths it reached. The asymmetry tag reads data_access — when writes are large relative to reads, data is being produced and moved, not just read in.

Agent
Owner
High paths
High opens
Read / write
Claude Codemark@qpoint.io24
320r / 45w
support-copilotsvc-support@qpoint.io12
80r / 12w
marketing-gptroot11
410r / 130w
Cursorjane@qpoint.io00
210r / 88w
data leaving
Codex CLIdev-7f3@duck.com00
140r / 60w
data leaving

reads writes — write-heavy agents move data outward. Reads always exceed writes in this fleet; the ratio surfaces the genuine movers.

Sensitive access by category

9 opens
7high-sev opens
Secret fileshigh6
Shell historylow2
Cloud credentialshigh1

Colored by worst severity — secret_file and cloud_credentials are the high-severity surface this seat cares about.

Sensitive access by user

owner attribution

Each open is attributed to the identity behind the agent. The proxy-only row is unattributable telemetry — exposure with no human owner to lock down.

mark@qpoint.io2 categories · 4 opens
high
(proxy-only, no identity)2 categories · 3 opens
high
svc-support@qpoint.io1 category · 2 opens
high

Top sensitive paths

5 of 6 touched · ranked by severity

The exact files agents opened. High-severity rows are credential and secret stores already pulled into context.

Severity
Path
Category
Opens
Last seen
high./.env
Secret files
306-03 14:00
high/var/secrets/zendesk.token
Secret files
206-03 13:50
high~/.aws/credentials
Cloud credentials
106-03 13:40
medium./config/secrets.yaml
Secret files
106-02 19:20
low~/.zsh_history
Shell history
206-03 12:05

Movement signal — which paths were opened and how many times. This is data touched, not data read for content. The next column (what was inside) is the preview below.

Prompt & response content inspection

preview · not built

Today's signal is data movement — which sensitive paths were opened and how much was written or streamed. It does not yet read what is inside an agent's prompts and responses. Content scanning ships with the DLP engine; the cards below are placeholders, not live numbers.

Secrets in prompts

API keys / tokens pasted into agent context

not inspected today

PII in content

names, emails, customer records in prompts or responses

not inspected today

Source code

proprietary code leaving in prompts or responses

not inspected today

We are deliberately not faking these numbers. When content inspection ships, this surface will scan prompt and response bodies for the categories above and attribute hits back to the same owners shown in this view.

Do next

Lock down the highest-exposure agent and triage the credential opens in Findings. Content inspection is the roadmap step that reads what is inside.

Sourced from app/data/c16-fleet.ts — agents[].sensitive_files · agents[].data_access · dlp.by_category · dlp.by_owner · dlp.top_paths · dlp.volume. Derived: credRows · exposureByAgent (Σ high-severity opens) · read/write asymmetry. Content inspection is an explicit preview (no fields exist for it yet).