Hacker News

mc-serious, yesterday at 7:53 PM (0 replies)

Yes, atm there's nothing that keeps the agent from reading the key from the environment. If a static API key is injected into the agent's env, the agent can in principle read it. The value of our threat model is better custody, short-lived creds where possible, and auditability, not "the process can't see its own env." You can make the hooks a lot stricter and check that the agent can basically never do anything with the credential; the agent is still inside the trust boundary in this case.