Hacker News

e12e today at 7:09 PM

> for static API keys, the backend injects the credential directly into the agent's runtime environment.

What prevents the agent from persisting or leaking the API key - or reading it from the environment?


Replies

mc-serious today at 7:53 PM

Yes, atm there's nothing that keeps the agent from reading the key from the environment. If a static API key is injected into the agent’s env, the agent can in principle read it. The value of our threat model is better custody, short-lived creds where possible, and auditability, not “the process can’t see its own env.” You can make the hooks a lot stricter and check that the agent can basically never do anything with the credential; the agent is still inside the trust boundary in this case.