Explore keeping secrets outside agent-controlled environments #13
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
User story: So that I can let agents use authorized services without handing them durable secrets, Allod needs an architecture path for brokering service access outside agent-controlled environments.
Part of the "Agent isolation & security boundary" arc.
Context
Allod already reduces agent exposure by separating public template repos from private identity and credential repos, constraining the
allod-devVM to public checkouts, and treating host-side secret work as a human gate. That is a strong baseline, but agents still need to use external services, and the default way to do that is often to place a usable credential somewhere inside the agent-controlled environment.This issue is primarily inspired by Netclode's secret-proxy architecture:
Netclode is useful here as a comparison point because its design keeps provider API keys outside the sandbox and mediates access through services outside the agent VM. This issue is not proposing that Allod copy Netclode's Kubernetes, MITM proxy, or service layout wholesale. The architectural goal is broader: agents should be able to use authorized services without possessing the underlying long-lived secrets.
Related comparison context:
Those projects reinforce the value of isolating agent compute, but this issue is specifically about reducing secret material inside that compute boundary.
Goal
Explore an Allod architecture where a compromised agent VM has less durable credential material to steal or reuse. Agents may still need to trigger Git, Forgejo, model-provider, package-registry, deployment, or other service operations, but the long-lived credentials should ideally remain in a host-controlled, service-controlled, or otherwise narrower trust domain.
Questions to explore
Non-goals for now
secretsauthority.