Avisi cloud logo
PlayroomHow it works

Data and secrets

How to get files, repos, environment variables, and SSH credentials into a playroom. It's all opt-in, and nothing leaks by default.

Opt-in by design

Nothing is copied into a playroom unless you explicitly ask. No files, no tokens, no SSH keys; the sandbox starts clean every time.

Storage

Playrooms have two storage modes. Choose based on whether you need data to survive a restart.

Persistent (default)

/home/playroom lives on a PVC and survives stop/start. Use this for ongoing work.

Ephemeral (--ephemeral)

Home lives in pod-local scratch and is wiped on any restart. Faster to start, nothing persists. Pairs naturally with --rm for true one-shot sandboxes.

A stopped ephemeral playroom loses all data on restart. Its SSH host key also changes, which invalidates any pinned known_hosts entry.

Getting data in

There are three opt-in ways to bring things into a playroom:

Prop

Type

--env vars are written into the playroom at creation time, so they persist across SSH reconnects. If you only need a value for one session, set it manually inside the shell instead.

SSH agent forwarding

By default your SSH agent is not forwarded, so your private keys never enter the sandbox. If you need to talk to git over SSH from inside the playroom, add -A / --forward-agent to play or connect. This forwards the agent for that session only, without ever storing a key in the playroom.

acloud playroom play -p playhouse-demo -A -- claude
acloud playroom connect my-room -p playhouse-demo -A

Agent forwarding vs --env

Use --forward-agent for SSH keys, so the key never leaves your machine. Use --env for API tokens and other non-key secrets; they're written into the playroom at startup.

SEE ALSO

On this page