Data and secrets
How to get files, repos, environment variables, and SSH credentials into a playroom. It's all opt-in, and nothing leaks by default.
Opt-in by design
Nothing is copied into a playroom unless you explicitly ask. No files, no tokens, no SSH keys; the sandbox starts clean every time.
Storage
Playrooms have two storage modes. Choose based on whether you need data to survive a restart.
Persistent (default)
/home/playroom lives on a PVC and survives stop/start. Use this for ongoing work.
Ephemeral (--ephemeral)
Home lives in pod-local scratch and is wiped on any restart. Faster to start, nothing persists. Pairs naturally with --rm for true one-shot sandboxes.
A stopped ephemeral playroom loses all data on restart. Its SSH host key also changes, which invalidates any pinned known_hosts entry.
Getting data in
There are three opt-in ways to bring things into a playroom:
Prop
Type
--env vars are written into the playroom at creation time, so they persist across SSH reconnects. If you only need a value for one session, set it manually inside the shell instead.
SSH agent forwarding
By default your SSH agent is not forwarded, so your private keys never enter the sandbox. If you need to talk to git over SSH from inside the playroom, add -A / --forward-agent to play or connect. This forwards the agent for that session only, without ever storing a key in the playroom.
acloud playroom play -p playhouse-demo -A -- claudeacloud playroom connect my-room -p playhouse-demo -AAgent forwarding vs --env
Use --forward-agent for SSH keys, so the key never leaves your machine. Use --env for API tokens and other non-key secrets; they're written into the playroom at startup.
SEE ALSO
- Playroom overview: what a playroom is and why to use it
- playroom create: full list of flags including
--copy,--git,--env - playroom play: full list of flags including
--env,--forward-agent(note:playhas no--copyor--git) - playroom connect: full list of flags including
--forward-agent