Paste a secret once. Scope it once. Resolve it where work happens.
ScopeHold gives small teams one place to manage shared secrets for humans and agents, with clear scopes, predictable overrides, and an audit trail that stays readable.
Tree
workspace > project > agent
Resolution
agent > project > workspace
Access
humans and agents share one model
Scope map
One tree. Clear inheritance.
Workspace
shared provider defaults
Project
product-specific secrets
Agent
runtime-specific overrides
Effective access
release-agent resolves the project value
Audit
Trust signals
Why it exists
Designed to be easier than the workaround.
The product only works if it beats env files, chat threads, and laptop-only setup on both speed and clarity.
One place
Keep shared secrets out of docs, laptops, and one-off machine state.
One tree
Workspace, project, and agent scopes stay easy to explain.
Clear wins
The system shows which value resolves, from where, and why.
Workspace
Shared defaults
OpenAI, GitHub, and base credentials that many projects inherit.
Project
Product-specific access
Each product can override only what needs to change.
Agent
Runtime-specific values
Local overrides stay explicit and narrow instead of leaking everywhere.
Model
A narrow model on purpose.
Providers and secrets attach into a simple downward tree. Overrides are deterministic. That is the product.
Downward only
Access flows from workspace to project to agent, never the other way around.
Same namespace
Overrides only compete inside the same provider namespace.
Move instead of recreate
If a secret was scoped wrong, it should move cleanly later.
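The resolution rule above (agent overrides project, project overrides workspace, overrides compete only inside one provider namespace) can be sketched as follows. This is an added example, not ScopeHold code: the store layout, the `resolve` function, the `Resolution` fields, the audit strings and the placeholder values are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample store: (level, scope name, provider, secret name) -> value.
# Scope names echo the page's examples; the values are placeholders.
STORE = {
    ("workspace", "production", "github", "deploy_token"): "ws-github-placeholder",
    ("workspace", "production", "openai", "api_key"): "ws-openai-placeholder",
    ("project", "ScopeHold App", "github", "deploy_token"): "proj-github-placeholder",
    ("agent", "deploy-bot", "github", "deploy_token"): "bot-github-placeholder",
}

@dataclass
class Resolution:
    value: Optional[str]
    source: Optional[str]  # scope that won, e.g. "project / ScopeHold App"
    shadowed: list         # broader scopes that also held a value and lost
    event: str             # readable audit line (hypothetical format)

def resolve(provider, name, workspace, project=None, agent=None, store=STORE):
    """Walk agent > project > workspace; the narrowest scope holding the key wins."""
    # Only scopes on the caller's own path are consulted, so access flows
    # downward: a sibling agent's override is never reachable.
    chain = [("agent", agent), ("project", project), ("workspace", workspace)]
    hits = []
    for level, scope in chain:
        if scope is None:
            continue
        # Same-namespace rule: the provider is part of the key, so
        # github/deploy_token never competes with another provider's entry.
        key = (level, scope, provider, name)
        if key in store:
            hits.append((f"{level} / {scope}", store[key]))
    who = agent or project or workspace
    if not hits:
        return Resolution(None, None, [],
                          f"failed resolution denied: {who} {provider}/{name}")
    source, value = hits[0]
    return Resolution(value, source, [s for s, _ in hits[1:]],
                      f"{who} resolved {provider}/{name} from {source}")
```

Returning the losing scopes alongside the winner is what lets an effective-access view say which value resolved, from where, and what it shadowed.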
Workflow
The happy path should stay short.
ScopeHold should feel closer to 1Password than IAM. The common path needs to be fast enough that teams actually use it.
Paste
Store it once
Add a provider, save the secret, and attach it to the right scope.
Scope
Keep overrides predictable
Agent overrides project. Project overrides workspace. Nothing more exotic.
Resolve
Use it where work happens
Humans and agents read through the same model instead of separate trust paths.
Create secret
Fast, legible forms
Provider
GitHub
Name
deploy_token
Scope
Project / ScopeHold App
Notes
Production deploy token
Before confirm
Scope changes should explain themselves.
Access impact
Trust
Trust comes from legibility.
The important security features are the ones that help a team understand what happened, what is reachable, and how to change it safely.
Effective access
Inspect a human or agent and see the exact winning value in context.
Version history
Rotate, revert, and move secrets without losing the thread of change.
Audit trail
Log auth, secret changes, resolution events, and access inspection by default.
Audit view
A readable trail across auth, changes, and resolution.
Audit should not be a dumping ground. It should answer the real questions a small team actually asks.
deploy_token rotated
project / ScopeHold App
release-agent resolved
github / deploy_token
effective access inspected
release-agent
agent token created
deploy-bot
failed resolution denied
workspace / production
Canonical docs
BookStack stays the source of truth.
The site should explain ScopeHold clearly. The thesis, MVP foundation, and build spec still belong in BookStack.