{"slug": "frontier-coding-agents-haven-t-stopped-lying-about-their-work-i-measured-it", "title": "Frontier coding agents haven't stopped lying about their work – I measured it", "summary": "A developer built a tool that lets AI coding agents automatically sign up for third-party services, handle email verification, and securely store API keys in an encrypted vault, eliminating the last manual chore in AI-assisted coding. The tool uses a scoped browser driven by the coding agent and ensures secrets never reach the agent's context window or the code repository.", "body_md": "[← Blog](/blog)\n\n# Your coding agent can build your whole app — except sign up for the services it needs\n\nAI writes most of my code now. The agent builds the integration, the migration, the test — I stay on product decisions. But every new dependency still breaks the flow the exact same way: the agent writes the integration in thirty seconds, then stops and says:\n\nAdd your`RESEND_API_KEY`\n\nto`.env`\n\n.\n\nSo I alt-tab out of the editor, find the dashboard, sign up, click through onboarding, verify an email, create a key, paste it into `.env`\n\n— and now there’s a live secret sitting in plaintext that I have to remember not to commit, that the agent forgets about and asks me for again next session. Every service. Every project.\n\nIt’s the last manual chore in AI-assisted coding, and it’s the one thing the agent couldn’t do for me. So I built the thing that does it.\n\n## What it does\n\nYou ask once — *“sign me up for Resend and wire it in,”* or *“stand up my whole stack.”* Your coding agent (Claude Code, Cursor, Codex, Goose) drives a scoped browser that signs up for the service, handles the email verification, grabs the API key, and drops it into an encrypted vault.\n\nProvision a whole backend — email, database, analytics, error tracking, deploy — in one ask, without opening a single dashboard. If your stack leans on a pile of third-party services, this collapses the setup-and-configuration slog from an afternoon into a couple of minutes.\n\nI tried OpenAI’s Operator and browser-use for this first. They can drive a browser, but they’re general-purpose bots built to be watched, and they punt the moment there’s a login, a captcha, or an API key to handle — which is the entire task. The insight that made this work: the coding agent you already have is a great *planner*; what it’s missing is a *driver* — a scoped browser and a safe place to put what it finds.\n\n## Where the key goes (the part I actually care about)\n\nGetting the key is the easy half. The interesting question is where it lands — because the default answer, a `.env`\n\nfile, is genuinely bad and everyone reading this has felt it. `.env`\n\nfiles get committed to GitHub. They get lost. They get pasted into three services and rotated in none of them. And in the AI-coding era there’s a new worst case: the key ends up in the *agent’s context window*, the single least contained place a secret can be.\n\nSo the design principle is: **the raw secret is never handed back to the agent, and never lands in your repo.**\n\n- The vault is\n**write-only.** The key goes straight in; the agent can’t read it back out. There’s deliberately no “give me the plaintext” API — if you want the value for a`.env`\n\n, you read it from the web vault yourself. - When your code needs the key, it doesn’t get the value — it calls\n*through*a proxy. You write`${SECRET}`\n\nin the request; the proxy injects the real key server-side and returns only the response. The secret goes to the provider, never to you. - For a deployed app you mint an\n**egress grant**: a scoped, rate-limited, instantly-revocable token. The app holds*that*, not the real key. So the vault becomes a control plane — rotate once and every grant picks it up; something leaks, you revoke the grant and the next call fails closed. No re-rotation scramble.\n\nThe piece I’m quietly proud of is multi-console setup — wiring up Google OAuth, say, where you create a client in the GCP console and paste its secret into a *different*console. The driver captures the secret in console A, seals it in-session (a handle, not the value), and types it into console B — and the plaintext never materializes in the agent’s context or the chat transcript at any point.\n\n## Getting past the signup gates\n\nModern signup forms are aggressively bot-gated now (Cloudflare Turnstile, Clerk, DataDome) — which is exactly where the general-purpose browser agents stall. Getting reliably through those gates, headless and unattended, was most of the actual engineering. It’s handled behind the scenes; if you enjoy anti-bot debugging war-stories, the repo’s `STATE.md`\n\nis a graveyard of every hypothesis I falsified getting there.\n\n## It gets faster the more it’s used\n\nThe first successful signup for a given service gets distilled into a replayable recipe and shared. The next time anyone provisions that service, it replays in about thirty seconds instead of the agent re-figuring the flow from scratch. A chore-removal tool that gets faster with use is a nice property to have.\n\n## What’s still hard (because it is)\n\nI’d rather tell you the edges than let you find them:\n\n- It works best with\n**OAuth signups**(Google/GitHub) — most of the modern SaaS I reach for, but not all of it. - Some services still win — the heaviest captcha stacks, phone-verification gates, the most aggressive anti-bot dashboards. When manual signup is genuinely the realistic call, I try to say so.\n**Single-use magic links** are a race, and datacenter-IP session invalidation is an ongoing operational reality.\n\nIt’s beta, and free during the beta.\n\n## Try it\n\nTrusty Squire is an open-source MCP server your coding agent drives. It plugs into Claude Code, Cursor, and Codex; you can [get started here](/start), or read the code [on GitHub](https://github.com/Trusty-Squire/trusty-squire). Would love feedback — especially on the secret model.", "url": "https://wpnews.pro/news/frontier-coding-agents-haven-t-stopped-lying-about-their-work-i-measured-it", "canonical_source": "https://trustysquire.ai/blog/the-last-mile-is-a-signup-form", "published_at": "2026-07-10 20:52:52+00:00", "updated_at": "2026-07-10 21:05:27.518127+00:00", "lang": "en", "topics": ["ai-tools", "ai-agents", "ai-infrastructure", "developer-tools"], "entities": ["Resend", "Claude Code", "Cursor", "Codex", "Goose", "OpenAI", "Operator", "Cloudflare"], "alternates": {"html": "https://wpnews.pro/news/frontier-coding-agents-haven-t-stopped-lying-about-their-work-i-measured-it", "markdown": "https://wpnews.pro/news/frontier-coding-agents-haven-t-stopped-lying-about-their-work-i-measured-it.md", "text": "https://wpnews.pro/news/frontier-coding-agents-haven-t-stopped-lying-about-their-work-i-measured-it.txt", "jsonld": "https://wpnews.pro/news/frontier-coding-agents-haven-t-stopped-lying-about-their-work-i-measured-it.jsonld"}}