agentjail v0.6.0 is out. Hand your coding agent your real codebase and it does real work - clones, commits, pushes over SSH, on macOS and Linux. What it still cannot do is walk off with your secrets. This release makes that guarantee stronger and the sandbox more invisible than ever.
TL;DR #
Your agent works normally, your secrets stay yours. It can push to private Git repos over SSH, clone, and run on macOS and Linux - and still cannot read your credential master key, leak database passwords, or reach cloud metadata.The cage got stronger. The credential broker and daemon were hardened: the master key is unreadable by the agent,psql
passwords no longer leak via argv, grants auto-expire, and IMDS egress is blocked.The cage got quieter. The macOS shield reaches ssh-agent parity (including the pinned-IdentityFile fix), and.env.example
templates no longer trip the guard.New reach. First-class Linux install via a systemd--user
service, plus a clean-VMmake e2e-release
gate.
Credential broker and daemon hardening #
Most of this release is defensive work on the two components an agent would most like to subvert: the credential broker and the daemon that arbitrates grants.
The secrets-broker master key is now unreadable by the agent. Both the policy layer and the OS shield deny reads of the key material, so a sandboxed agent cannot exfiltrate the key that unwraps stored credentials.Postgres passwords no longer leak via Credentials that were previously visible in the process argument list are passed out of band.psql
argv.Grants auto-expire, and requested TTLs are capped. A grant can no longer be requested with an unbounded lifetime, and stale grants are cleaned up automatically.The daemon verifies peer UID and CWD at the socket level instead of trusting a self-reported identity. An agent cannot claim to be a different process.Concurrent agent-socket connections are bounded with an idle read deadline, so a misbehaving client cannot pin the daemon open.closing a redirect where a crafted socket path could point the hook somewhere else.AGENTJAIL_SOCKET
is honored only when it resolves under~/.agentjail
,Cloud-metadata (IMDS) egress is guarded in port-only mode(ADR 0049), so an agent on a cloud box cannot reach169.254.169.254
to harvest instance credentials.Per-project policy overlays are trust-gated before they are applied, and the store redaction list was extended to cover more credential shapes.
All of these are enforced at the policy or OS-sandbox layer, not by convention.
macOS shield reaches ssh-agent parity #
On Linux, an agent under the shield could already authenticate over SSH through ssh-agent
without ever touching a private key on disk. On macOS the seatbelt sandbox blocked the agent socket, so the same flow failed. v0.6.0 closes that gap:
SSH_AUTH_SOCK
is passed through into the sandbox.- The agent socket connect is allowed on the macOS seatbelt.
- Per-user temp directories and AF_UNIX local sockets are permitted, which several tools (LSPs, app-servers) need.
The point stands: the shield still blocks reads of the private key file itself. Auth happens through the agent, so the key never leaves the agent process.
The pinned-IdentityFile blind spot
There was a subtle failure that only showed up with a specific SSH config. If your ~/.ssh/config
pins an IdentityFile
(usually alongside IdentitiesOnly yes
), OpenSSH reads that on-disk key first. The shield denies the read, and ssh fails before it ever tries the agent - so git
over SSH silently broke under the sandbox.
The fix (ADR 0056): when the agent is available, the shield injects an agent-backed GIT_SSH_COMMAND
for shield-wrapped git
:
GIT_SSH_COMMAND="ssh -o IdentitiesOnly=no -o IdentityFile=none -o IdentityAgent=$SSH_AUTH_SOCK"
IdentitiesOnly=no
is the decisive option: with IdentitiesOnly yes
in the config, OpenSSH only offers agent keys that match a configured IdentityFile
, so an agent key that differs from the pinned one is never offered. It is injected only when SSH_AUTH_SOCK
is set, you have no GIT_SSH_COMMAND
of your own, and AGENTJAIL_NO_SSH_OVERRIDE
is unset. agentjail doctor
warns when keys are on disk but not loaded, and the hook prints a one-shot advisory - neither ever suggests granting a key-file read hole.
.env templates no longer break checkouts
The old shield write-deny matched .env*
broadly, which meant cloning a repo that commits .env.example
or .env.docker
templates failed on checkout. v0.6.0 inverts this to a secret-form deny-list (ADR 0057): only secret-bearing forms (.env
, .env.local
, .env.production
, and similar) are write-denied. Templates are allowed. Read exposure is unchanged.
Linux install #
agentjail now installs natively on Linux via a systemd --user
daemon service (ADR 0051):
curl -fsSL https://agentjail.io/install.sh | sh
The installer no longer aborts the outer script under set -eu
, and the shield re-asserts the agentjail hook right before exec so a session cannot start with the guardrail unwired.
Daemon control plane #
The daemon can now reload its policy over a control socket, with SIGHUP
as a fallback (ADR 0052) - no restart required to pick up a policy change. A new daemon_unreachable
policy knob (ADR 0050) lets you choose what happens when the daemon is not answering, backed by a hook-fallback sidecar the hook reads on the hot path.
A real release gate #
This release ships a clean-VM testbed and a make e2e-release
gate (ADR 0053) that stands up a fresh box, installs agentjail through the real install.sh
, installs a coding agent, and asserts that policy enforcement actually holds on the installed binaries. It is the only check that exercises the true clean-box user path.
Upgrade #
curl -fsSL https://agentjail.io/install.sh | sh
brew upgrade LuD1161/tap/agentjail
Full changelog on the changelog page. Source on GitHub.