logicx24 2 hours ago

What I meant to say was, the agents (like Claude Code) often have an "Allow all instances of this command in the session," and that persists to a whitelist for that session. The mechanic here is actually just a prefix match, so `API_KEY=... diff_command` also matches, allowing the agent to reuse the key without asking me. This file also sticks around, so I had another agent read the whitelist and the conversation transcript and do other things automatically without approval.

> if it's not okay for the agent to know the API key permanently, why is it okay for the agent to have one-off use of something that requires the same key?

Read commands vs. write commands. I'm okay having the agent fetch info for me, but I want to approve any state changes.
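The prefix-match behaviour described in the comment above, modelled next to a stricter matcher. This is an added example, not part of the original comment and not any agent's actual code; the rule format (leading token of the approved command), the `inventory` command, and the key value are assumptions constructed for illustration.

```python
import shlex

# Constructed sample: a read-only command the user approved once for the session.
APPROVED = "API_KEY=sk-EXAMPLE inventory list"  # hypothetical command and key

SHELL_META = set(";|&`$()<>\n")  # characters that can chain or substitute commands


def persisted_prefix(approved: str) -> str:
    """Assumed rule format: only the leading token of the command is stored."""
    return approved.split()[0]


def prefix_allows(rule_prefix: str, command: str) -> bool:
    """Weak check: any command that starts with the stored prefix is allowed."""
    return command.startswith(rule_prefix)


def split_env(command: str):
    """Split a command line into (leading VAR=value assignments, argv)."""
    tokens = shlex.split(command)
    env, i = {}, 0
    while i < len(tokens) and "=" in tokens[i]:
        name, value = tokens[i].split("=", 1)
        if not name.isidentifier():
            break  # e.g. --flag=value is an argument, not an assignment
        env[name] = value
        i += 1
    return env, tokens[i:]


def strict_allows(approved: str, command: str) -> bool:
    """Stricter check: reject shell metacharacters, then require the same
    environment assignments and the same program and arguments as approved."""
    if any(ch in SHELL_META for ch in command):
        return False
    try:
        return split_env(command) == split_env(approved)
    except ValueError:  # unbalanced quotes: refuse rather than guess
        return False


if __name__ == "__main__":
    write_cmd = "API_KEY=sk-EXAMPLE inventory delete --all"  # constructed
    print(prefix_allows(persisted_prefix(APPROVED), write_cmd))  # weak matcher
    print(strict_allows(APPROVED, write_cmd))                    # strict matcher
```
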