IronClaw seems to do this natively, I like the idea in general, so it's good too see this pulled out.

I have few questions:

- How can a proxy inject stuff if it's TLS encrypted? (same for IronClaw and others)

- Any adapters for existing secret stores? like maybe my fake credential can be a 1Password entry path (like 1Password:vault-name/entry/field and it would pull from 1P instead of having to have yet another place for me to store secrets?