Browser signup is disconnected
Credentials get invented in a browser tab, then vanish into ad hoc notes, copied prompts, or half-remembered state.
The handoff problem
Modern agent workflows usually fail at secret handoff, not secret generation.
Chat paste feels transient
Operators paste keys into chat as if the secret disappears. It does not. It spreads into transcripts, logs, task state, and copied terminal history.
Pipelines lose structure
The same credential has to be re-explained to the browser, the shell, and the downstream API as if each step were unrelated.
Get started
Four steps from hosted vault to live agent demo.
The control plane should exist as a real backend service you can try, not just a diagram. This path shows hosted encrypted Keepass Database sync, the bundled audit dashboard, Stripe-backed signup, the public demo agent, and the exact control-plane flow in the same sequence. TON remains a supporting proof and integration story elsewhere on the page. If you want a human walkthrough, book time on Calendly.
Create a hosted vault
Start with a fresh agent-owned Keepass Database, hosted as the boring encrypted sync problem this product solves instead of a loose file in chat or a personal vault.
Start Stripe signup for hosted access
Use the Stripe test checkout as the primary signup and payment path for the hosted vault plus audit dashboard bundle, then unlock the vault boundary so the same credential handle can be reused across the demo.
Connect the agent
Point OpenClaw at the hosted control plane, map the public demo agent to Drosophila, and let it resolve secrets by policy, permissions, and risk controls instead of by ad hoc paste.
See the audit dashboard and chat
Watch tamper-evident JSONL audit entries with reason-aware intent surface in the audit dashboard, then try the live chat demo to see the same backend, dashboard, and browser story working together.
How it works
OpenClaw, Unix boundaries, and synced vaults work together.
This diagram is the real operational shape: the browser and operator create the hosted signup, the encrypted Keepass Database syncs with backups across machines, Drosophila stays behind a daemon and policy gate, and the audit dashboard records every secret touch and operator brake.
flowchart LR
A["Browser signup / human operator"] --> B["Hosted encrypted Keepass Database\n3 Keepass Databases per user + versioned backups"]
B --> C["ocvault control plane\nPolicy + audit dashboard"]
C --> D["Unix daemon boundary\nSecret gate"]
D --> E["OpenClaw / Drosophila\nAgent runtime"]
E --> F["SecretRefs / shell / API use"]
B <-->|"sync"| G["Second machine\nSame vault, same policy"]
G --> E
C --> H["Suspend / resume\nOperator brake"]
H -. "freeze or restore" .-> D
C -. "intent-aware logs" .-> I["Audit dashboard\nAllow / deny + reason"]
Security boundary
ocvault is not your personal password manager with an agent strapped to it.
Use a dedicated agent-managed Keepass Database.
Gate reads and writes through a daemon boundary that you can actually run.
Keep operators in charge of policy, profile setup, permissions, and risk controls.
Let the agent stay inside a narrow, replaceable capability surface.
What it unlocks
Built for agent workflows that have to survive contact with reality.
Agent-only vaults
Create a fresh Keepass Database for API keys, generated passwords, and login bundles that are meant for the agent, not for your full human vault.
Sync-friendly delivery
Keep that encrypted vault in Nextcloud, Dropbox, or another synced folder so the handoff channel stays structured across machines.
Shell and SecretRef composability
Resolve one stable path into `curl`, OpenClaw SecretRefs, or follow-on automation without re-prompting for the credential.
TON use case
One real TON action, supporting the hosted-vault story.
Store a TonAPI token
Keep the token in an agent-only Keepass Database and resolve it by logical id instead of copying it through prompts or terminal history.
Inspect a live wallet
Use that token for a read-only TonAPI wallet lookup against a fixed demo address so the flow is real, but low risk.
Prove operator control
Show the audit trail, suspend the profile, and rerun the exact same flow to prove the operator still owns the final boundary.
Operator controls
Useful agents still need visible brakes.
Alias-first policy
Fresh setup defaults to logical ids and explicit allowlists, not broad direct-path vault traversal.
Reason-aware audit trail
Every broker-side operation records timestamp, caller, target, allow or deny, and the supplied reason or intent without logging secret values.
Suspend and resume
Operators can freeze secret operations instantly, clear the in-memory passphrase cache, and resume only when the profile is safe to use again.
Audit dashboard
Every Drosophila action lands in the control plane.
The public demo chat mirrors activity into the hosted dashboard, so you can inspect the same request, reason, and response chain that the agent saw.
Public demo view
Open the dashboard to inspect the live audit trail, then compare it with the browser conversation. The hosted vault keeps the encrypted Keepass Database, while the control plane keeps the evidence.
Log in to demo accountPricing
Choose the level of control you need.
$10/month/user
Standalone audit visibility for secret access, allow or deny decisions, and reason-aware logs for each agent action. Separate purchase route.
Start audit dashboard signup Log in to demo account$25/month/user
Includes the audit dashboard, 3 Keepass Databases per user, versioned backups, and hosted encrypted Keepass Database sync across machines.
Contact
Private deployment planning, custom permissions, migration help, and dedicated support for production agent fleets.
Book a walkthroughContact
Want the human version of the demo?
Book a walkthrough on Calendly for a guided pass through the hosted vault, audit dashboard, TON support, agent hookup, and audit trail.
Live demo
Talk to Drosophila.
This public demo streams replies through a same-machine bridge and a constrained demo agent. The browser never gets raw OpenClaw credentials, and the same control plane can surface audit logs, an audit dashboard, and read-only TON proof.