← c16c16 / wf1 - Agent Control Plane (persona-partitioned) / Data Protection·control-plane-v1-v1 · 2026-06-03 · draft
Qpoint
QP
Data Protectionagent-as-actor · what agents touched & moved

Compliance · Data Protection

Which sensitive files agents reached into — and how much data they moved.

Today this is data movement: which sensitive paths an agent opened, and the volume of files written and bytes streamed. Prompt & response content is not yet inspected — see the preview below.

8

agents monitored

reporting telemetry

6

sensitive paths touched

distinct files opened

691

files written

across the fleet

4.8MB

bytes streamed

data moved by agents

Sensitive access by category

opens · by severity
secret_file3 paths
6
cloud_credentials1 path
1
shell_history1 path
2

Sensitive access by user

owner attribution
mark@qpoint.io2 categories · 4 openshigh
svc-support@qpoint.io1 category · 2 openshigh
(proxy-only, no identity)2 categories · 3 openshigh

Top sensitive paths

5 paths · 6 distinct touched
PathCategoryOpensSeverityLast seen
./.envsecret_file3high06-03 14:00
/var/secrets/zendesk.tokensecret_file2high06-03 13:50
~/.aws/credentialscloud_credentials1high06-03 13:40
~/.zsh_historyshell_history2low06-03 12:05
./config/secrets.yamlsecret_file1medium06-02 19:20

Prompt & response content inspection

preview · not built

Today's signal is data movement — which sensitive paths were opened and how much was written or streamed. It does not yet read what is inside an agent's prompts and responses. Content scanning ships with the DLP engine.

Secrets in prompts

API keys / tokens pasted into context

not inspected today

PII in content

names, emails, customer records

not inspected today

Source code

proprietary code in prompts or responses

not inspected today

Fields: dlp.by_category · dlp.by_owner · dlp.top_paths · dlp.volume.file_writes · dlp.volume.stream_bytes · dlp.sensitive_paths · agents.length — from app/data/c16-fleet.ts (qcontrol /api/dlp shape).