Perhaps I'm off base here but it seems like the goal is:
1. allow an agent to run wild in some kind of isolated environment, giving the "tight loop" coding agent experience so you don't have to approve everything it does.
2. let it execute the code it's creating using some credentials to access an API or a server or whatever, without allowing it to exfil those creds.
If 1 is working correctly I don't see how 2 could be possible. Maybe there's some fancy homomorphic encryption / TEE magic to achieve this but like ... if the process under development has access to the creds, and the agent has unfettered access to the development environment, it is not obvious to me how both of these goals could be met simultaneously.
Very interested in being wrong about this. Please correct me!
You can accomplish both goals by setting up a proxy server to the API, and giving the agent access to the proxy.
You set up a simple proxy server on localhost:1234 that forwards all incoming requests to the real API, and the crucial part is that the proxy adds the "Auth" header with the real auth token.
This way, the agent never sees the actual auth token, and doesn't have access to it.
If the agent has full internet access then there are still risks. For example, a malicious website could convince the agent itself to perform malicious requests against the API (like delete everything, or download all data and then upload it all to some hacker server).
But in terms of the security of the auth token itself, this system is 100% secure.
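The proxy described in the reply above, written out as an added example (it is not code from either commenter). It listens on 127.0.0.1:1234, forwards each request to an upstream API, strips any Authorization header the agent tried to send, and attaches the real token from an environment variable that only the proxy process holds. The upstream URL, the `REAL_API_TOKEN` variable name and the method allowlist are assumptions chosen for the example; redirects are deliberately not followed, so the injected token can only ever go to the configured upstream host.

```python
"""Credential-injecting localhost proxy (added example, hypothetical names).

The coding agent's sandbox is pointed at http://127.0.0.1:1234. The proxy
process, running outside the sandbox, is the only place the real token lives.
"""
import os
import sys
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

UPSTREAM = os.environ.get("PROXY_UPSTREAM", "https://api.example.com")  # assumed upstream
LISTEN = ("127.0.0.1", 1234)
SECRET_ENV = "REAL_API_TOKEN"  # assumed variable name; set only in the proxy's environment

# Headers the agent must not control: its own credential attempts plus hop-by-hop fields.
STRIP_REQUEST_HEADERS = {"authorization", "proxy-authorization", "host",
                         "connection", "content-length", "transfer-encoding"}
# Headers from the upstream that should not be echoed back into the sandbox.
STRIP_RESPONSE_HEADERS = {"set-cookie", "connection", "content-length", "transfer-encoding"}
# Narrow this (e.g. to {"GET"}) if the agent only needs read access.
ALLOWED_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE"}


def build_upstream_headers(incoming, token):
    """Drop anything credential- or hop-by-hop-related the agent sent, then add the real token."""
    out = {k: v for k, v in incoming.items() if k.lower() not in STRIP_REQUEST_HEADERS}
    out["Authorization"] = f"Bearer {token}"
    return out


def filter_response_headers(upstream_headers):
    """Keep content headers, drop cookies and hop-by-hop fields before relaying to the agent."""
    return {k: v for k, v in upstream_headers.items() if k.lower() not in STRIP_RESPONSE_HEADERS}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise the 3xx as an HTTPError, which we relay unchanged,
    instead of re-sending the Authorization header to whatever host Location points at."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


class InjectingProxy(BaseHTTPRequestHandler):
    def _forward(self):
        if self.command not in ALLOWED_METHODS:
            self.send_error(405, "method not allowed through proxy")
            return
        token = os.environ.get(SECRET_ENV)
        if not token:
            self.send_error(503, "proxy has no upstream token configured")
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        req = urllib.request.Request(UPSTREAM + self.path, data=body, method=self.command,
                                     headers=build_upstream_headers(dict(self.headers), token))
        try:
            with _opener.open(req, timeout=30) as resp:
                status, hdrs, data = resp.status, dict(resp.headers), resp.read()
        except urllib.error.HTTPError as e:  # 4xx/5xx and unfollowed 3xx are relayed as-is
            status, hdrs, data = e.code, dict(e.headers), e.read()
        except urllib.error.URLError as e:
            self.send_error(502, f"upstream unreachable: {e.reason}")
            return
        self.send_response(status)
        for k, v in filter_response_headers(hdrs).items():
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_PUT = do_PATCH = do_DELETE = _forward

    def log_message(self, fmt, *args):
        # Log method and path only; never log headers, which would write the token to disk.
        sys.stderr.write(f"{self.command} {self.path}\n")


if __name__ == "__main__":
    print(f"proxying http://{LISTEN[0]}:{LISTEN[1]} -> {UPSTREAM}", file=sys.stderr)
    ThreadingHTTPServer(LISTEN, InjectingProxy).serve_forever()
```

Run it as `REAL_API_TOKEN=... PROXY_UPSTREAM=https://api.example.com python3 proxy.py` outside the sandbox, with the sandbox's only network route being 127.0.0.1:1234. Because the proxy prefixes every path with the fixed upstream, the agent cannot redirect the token elsewhere; what it can still do is issue any allowed method against that API, which is exactly the residual risk the reply above points out, and the reason `ALLOWED_METHODS` is worth narrowing.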