How can an agent use these tokens then? If it sources the file can't it just read the env?
It also sounds like it is missing the important step of keeping the LLM credentials from the agents themselves. For example my GCP creds have access to far more than Vertex. This is solved by OneCLI and OpenShell via MITM proxies which seems more elegant to me. The tools live in containers and can't see anything but can use everything.
It also allows finer grained access controls, rating limiting, and there's talk of scanning for destructive actions.
Feels like a solution in search of a problem; a reinvention of https://docs.docker.com/ai/sandboxes/
opencode (https://opencode.ai/docs/permissions/#defaults) already forbids access to .env by default.
How can an agent use these tokens then? If it sources the file can't it just read the env?
It also sounds like it is missing the important step of keeping the LLM credentials from the agents themselves. For example my GCP creds have access to far more than Vertex. This is solved by OneCLI and OpenShell via MITM proxies which seems more elegant to me. The tools live in containers and can't see anything but can use everything.
It also allows finer grained access controls, rating limiting, and there's talk of scanning for destructive actions.
[flagged]