Security
Agent API key
The agent generates a random agentApiKey on first run, stored at ~/.boff/vibecontrols/agents/<id>/config.json (mode 0600). Every REST call to the agent requires this key in the x-agent-api-key header.
Rotate:
vibecontrols agents rotate-api-key <agent-id>
The CLI/web app auto-update their copy of the key after rotation.
Plugin storage encryption
Per-agent plugin data is stored in an encrypted local database database (~/.boff/vibecontrols/agents/<id>/agent.db) using strong at-rest encryption. The encryption key is fetched from the backend per-workspace and never persisted to disk in plaintext.
This means: if someone copies your agent.db file off your machine, they cannot decrypt it without an active workspace token from a member of that workspace.
Tunnel auth
Quick Cloudflare tunnels are unguessable but public by default. For private tunnels:
- Token auth — issue a bearer token; tunnel rejects requests without it
- Cloudflare Access — gate the tunnel hostname with Cloudflare Access (Google/Microsoft OAuth, email allowlist, etc.)
VibeTunnels (frp) inherits whatever auth you've configured on your frps server.
Configuration secrets
Configurations marked isSecret: true are encrypted at rest with AES-256-GCM using a per-tenant key (the same key used for plugin storage). They're not returned in standard config list calls — you must explicitly request --include-secrets and have the CONFIG_READ_SECRETS permission.
Audit
Every action that creates / modifies / deletes a resource produces an audit log entry. Includes the actor, action, resource type + id, IP, user agent, timestamp, and (for changes) before/after snapshots.
vibecontrols audit list --since 24h
vibecontrols audit list --action DELETE --resource-type SESSION
Audit log exported to your SIEM via webhook (audit.* events).
Encryption summary
| Data | At rest | In transit |
|---|---|---|
| Backend Postgres | AES-256 | TLS 1.2+ |
| Plugin storage (agent) | encrypted local database | TLS 1.2+ on REST |
| Configurations marked secret | AES-256-GCM | TLS 1.2+ |
| Tunnel traffic | (in-flight only) | TLS 1.2+ end-to-end |
Compliance
Inherits the Burdenoff Workspaces platform posture. See Platform compliance → for SOC 2, GDPR, ISO 27001 status.