Use when CTOX needs credentials, access rights, or approval boundaries for ticket work and must handle them through encrypted local storage plus explicit access requests.
Use this skill when ticket handling is blocked on missing credentials, missing permissions, or unclear approval boundaries.
SQLite in CTOX may hold encrypted secret values through the dedicated secret store.
Ticket work and ticket knowledge may only hold references, scopes, channels, and rationale. They must never hold raw secret values.
Inspect available secret metadata:
ctox secret list [--scope "<scope>"]
ctox secret show --scope "<scope>" --name "<name>"
Store a secret locally:
ctox secret put --scope "<scope>" --name "<name>" --value "<secret>" --description "<text>" --metadata-json '<json>'
Store a secret locally and immediately rewrite leaked memory references in one step:
ctox secret intake --scope "<scope>" --name "<name>" --value "<secret>" --description "<text>" --metadata-json '<json>' --db "<path-to-ctox_lcm.db>" --conversation-id "<id>" --match-text "<secret>" [--label "<human label>"]
Retrieve a secret only for explicit local execution:
ctox secret get --scope "<scope>" --name "<name>"
If a secret already leaked into the CTOX conversation memory, rewrite the LCM/continuity history to a stable keychain handle after storing the secret:
ctox secret memory-rewrite --db "<path-to-ctox_lcm.db>" --conversation-id "<id>" --scope "<scope>" --name "<name>" --match-text "<secret>" [--label "<human label>"]
Create an operator-visible access request in the ticket surface:
ctox ticket access-request-put --system "<system>" --title "<title>" --body "<text>" --required-scopes "<csv>" --secret-refs "<csv>" --channels "mail,jami" --publish
ctox secret intake or ctox secret put.ctox secret intake so storage and memory rewrite happen as one visible operation.