Seen three teams this month with agents dumping database secrets into environment variables or flat files. Everyone talks about "secure credential handling" until you check their deployments.
For NemoClaw, NanoClaw, and IronClaw runtimes, what's the actual, implemented method for an agent to get database credentials without leaking them? I need specifics:
* Where does the runtime store/retrieve the secret (e.g., integrated vault, platform secret manager)?
* How is it passed to the agent process (env var, file descriptor, IPC)?
* How does each model handle secret rotation without agent restart?
* Which ones actually enforce this versus leaving it as an "exercise for the user"?
Skip the "secure by design" slides. Show me the plumbing.