hardsnow 7 hours ago

An alternative, and more robust, approach is to give the agent surrogate credentials and replace them on the way out in a proxy. If the proxy runs in an environment to which the agent has no access, the real secrets are not available to it directly; it can only make requests to scoped hosts with them.

I’ve built this in Airut and so far it seems to handle all the common cases (GitHub, Anthropic / Google API keys, and even AWS, which requires slightly more work due to the request-signing approach). Described in more detail here: https://github.com/airutorg/airut/blob/main/doc/network-sand...

sesm 3 hours ago | parent | next [-]

That's great for API credentials, but some secrets are meant for local use, like encryption keys.

NitpickLawyer 6 hours ago | parent | prev | next [-]

How does this work with SSL? Do you need to provision certs on the agent VM?

hardsnow 6 hours ago | parent [-]

Yep - it requires the client to trust the SSL cert of the proxy. Cooperative clients that support e.g. HTTP_PROXY may be easier to support, but for Airut I went for a full transparent mitmproxy. All DNS A requests resolve to the proxy IP and the proxy cert is injected into the container where Claude Code runs as a trusted CA. As a bonus this closes DNS as a potential exfiltration channel.
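
Worked example of the surrogate-swapping step hardsnow describes in the two comments above (surrogate tokens handed to the agent, real secrets swapped in by a proxy the agent cannot reach, and only for the hosts each secret is scoped to). This is illustrative code added for this thread, not Airut's implementation; the token values, header names and host names are constructed samples, and the `Secret`/`Decision`/`substitute` names are this example's own. It models the policy decision only; the TLS interception and DNS redirection hardsnow mentions are the transport this logic would sit behind, and AWS SigV4 re-signing is out of scope here.

```python
"""Surrogate-credential substitution for an egress proxy (added example, not Airut's code).

The agent only ever sees placeholder tokens (the `surrogate` values).  The proxy,
which the agent has no access to, swaps them for the real secrets on the way out,
and only on requests bound for the hosts each secret is scoped to.  All secrets
and hosts below are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import NamedTuple


@dataclass(frozen=True)
class Secret:
    surrogate: str          # placeholder the agent is given
    real: str               # real credential, held only by the proxy
    header: str             # header the credential must travel in
    hosts: frozenset[str]   # hosts it may be sent to (exact match, no wildcards)


class Decision(NamedTuple):
    allowed: bool
    headers: dict[str, str]   # rewritten headers when allowed, empty when refused
    reason: str


def substitute(host: str, path: str, headers: dict[str, str], body: str,
               secrets: list[Secret]) -> Decision:
    """Decide whether to forward a request, rewriting surrogates to real secrets.

    Policy: a surrogate may appear only in its designated header, and only on a
    request to one of its scoped hosts.  Anywhere else (URL, body, a different
    header, an unscoped host) the request is refused outright, so a prompt-injected
    agent cannot route a surrogate somewhere the proxy would swap in the real value.
    """
    # A surrogate in the URL or body is never legitimate: refuse rather than forward.
    for s in secrets:
        if s.surrogate in path or s.surrogate in body:
            return Decision(False, {}, f"surrogate for {s.header} outside its header")

    out: dict[str, str] = {}
    for name, value in headers.items():
        new_value = value
        for s in secrets:
            if s.surrogate not in value:
                continue
            if name.lower() != s.header.lower():
                return Decision(False, {}, f"surrogate in unexpected header {name}")
            if host not in s.hosts:
                return Decision(False, {}, f"surrogate not scoped to host {host}")
            new_value = new_value.replace(s.surrogate, s.real)
        out[name] = new_value
    return Decision(True, out, "ok")


# Constructed sample secrets: surrogate on the left is what the agent holds,
# the "real" value stands in for the credential only the proxy knows.
SECRETS = [
    Secret("ghp_SURROGATE_0001", "ghp_REALTOKEN_constructed",
           "Authorization", frozenset({"api.github.com"})),
    Secret("sk-ant-SURROGATE-0002", "sk-ant-REALKEY-constructed",
           "x-api-key", frozenset({"api.anthropic.com"})),
]


if __name__ == "__main__":
    # Legitimate request: surrogate in the right header, to a scoped host.
    ok = substitute("api.github.com", "/repos",
                    {"Authorization": "Bearer ghp_SURROGATE_0001"}, "", SECRETS)
    print(ok)
    # Exfiltration attempt: same surrogate, but to an unscoped host.
    bad = substitute("attacker.example", "/",
                     {"Authorization": "Bearer ghp_SURROGATE_0001"}, "", SECRETS)
    print(bad)
```

In a transparent setup like the one described, this is the decision a mitmproxy addon would make in its request hook before the flow is forwarded; a refused decision should drop the request rather than pass the surrogate through, since the refusal itself is the signal that the agent tried to move a credential somewhere it does not belong.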

petesergeant 2 hours ago | parent | prev [-]

This is cool! Solving the same problem (authority delegation to resources like GitHub and Gmail) but in a slightly different way at https://agentblocks.ai