{"slug": "hand-it-your-codebase-not-your-secrets", "title": "Hand it your codebase. Not your secrets", "summary": "Agentjail v0.6.0 has been released, hardening the credential broker and daemon to prevent coding agents from accessing secrets like master keys, database passwords, and cloud metadata. The update also improves macOS sandboxing to achieve ssh-agent parity and blocks credential leaks via process arguments and cloud metadata endpoints.", "body_md": "agentjail v0.6.0 is out. Hand your coding agent your real codebase and it does real work - clones, commits, pushes over SSH, on macOS and Linux. What it still cannot do is walk off with your secrets. This release makes that guarantee stronger and the sandbox more invisible than ever.\n\n## TL;DR\n\n**Your agent works normally, your secrets stay yours.** It can push to private Git repos over SSH, clone, and run on macOS and Linux - and still cannot read your credential master key, leak database passwords, or reach cloud metadata.**The cage got stronger.** The credential broker and daemon were hardened: the master key is unreadable by the agent,`psql`\n\npasswords no longer leak via argv, grants auto-expire, and IMDS egress is blocked.**The cage got quieter.** The macOS shield reaches ssh-agent parity (including the pinned-IdentityFile fix), and`.env.example`\n\ntemplates no longer trip the guard.**New reach.** First-class Linux install via a systemd`--user`\n\nservice, plus a clean-VM`make e2e-release`\n\ngate.\n\n## Credential broker and daemon hardening\n\nMost of this release is defensive work on the two components an agent would most like to subvert: the credential broker and the daemon that arbitrates grants.\n\n**The secrets-broker master key is now unreadable by the agent.** Both the policy layer and the OS shield deny reads of the key material, so a sandboxed agent cannot exfiltrate the key that unwraps stored credentials.**Postgres passwords no longer leak via** Credentials that were previously visible in the process argument list are passed out of band.`psql`\n\nargv.**Grants auto-expire, and requested TTLs are capped.** A grant can no longer be requested with an unbounded lifetime, and stale grants are cleaned up automatically.**The daemon verifies peer UID and CWD** at the socket level instead of trusting a self-reported identity. An agent cannot claim to be a different process.**Concurrent agent-socket connections are bounded** with an idle read deadline, so a misbehaving client cannot pin the daemon open.closing a redirect where a crafted socket path could point the hook somewhere else.`AGENTJAIL_SOCKET`\n\nis honored only when it resolves under`~/.agentjail`\n\n,**Cloud-metadata (IMDS) egress is guarded in port-only mode**(ADR 0049), so an agent on a cloud box cannot reach`169.254.169.254`\n\nto harvest instance credentials.**Per-project policy overlays are trust-gated before they are applied,** and the store redaction list was extended to cover more credential shapes.\n\nAll of these are enforced at the policy or OS-sandbox layer, not by convention.\n\n## macOS shield reaches ssh-agent parity\n\nOn Linux, an agent under the shield could already authenticate over SSH through `ssh-agent`\n\nwithout ever touching a private key on disk. On macOS the seatbelt sandbox blocked the agent socket, so the same flow failed. v0.6.0 closes that gap:\n\n`SSH_AUTH_SOCK`\n\nis passed through into the sandbox.- The agent socket connect is allowed on the macOS seatbelt.\n- Per-user temp directories and AF_UNIX local sockets are permitted, which several tools (LSPs, app-servers) need.\n\nThe point stands: the shield still blocks reads of the private key file itself. Auth happens through the agent, so the key never leaves the agent process.\n\n### The pinned-IdentityFile blind spot\n\nThere was a subtle failure that only showed up with a specific SSH config. If your `~/.ssh/config`\n\npins an `IdentityFile`\n\n(usually alongside `IdentitiesOnly yes`\n\n), OpenSSH reads that on-disk key *first*. The shield denies the read, and ssh fails before it ever tries the agent - so `git`\n\nover SSH silently broke under the sandbox.\n\nThe fix (ADR 0056): when the agent is available, the shield injects an agent-backed `GIT_SSH_COMMAND`\n\nfor shield-wrapped `git`\n\n:\n\n```\nGIT_SSH_COMMAND=\"ssh -o IdentitiesOnly=no -o IdentityFile=none -o IdentityAgent=$SSH_AUTH_SOCK\"\n```\n\n`IdentitiesOnly=no`\n\nis the decisive option: with `IdentitiesOnly yes`\n\nin the config, OpenSSH only offers agent keys that match a configured `IdentityFile`\n\n, so an agent key that differs from the pinned one is never offered. It is injected only when `SSH_AUTH_SOCK`\n\nis set, you have no `GIT_SSH_COMMAND`\n\nof your own, and `AGENTJAIL_NO_SSH_OVERRIDE`\n\nis unset. `agentjail doctor`\n\nwarns when keys are on disk but not loaded, and the hook prints a one-shot advisory - neither ever suggests granting a key-file read hole.\n\n### .env templates no longer break checkouts\n\nThe old shield write-deny matched `.env*`\n\nbroadly, which meant cloning a repo that commits `.env.example`\n\nor `.env.docker`\n\ntemplates failed on checkout. v0.6.0 inverts this to a secret-form deny-list (ADR 0057): only secret-bearing forms (`.env`\n\n, `.env.local`\n\n, `.env.production`\n\n, and similar) are write-denied. Templates are allowed. Read exposure is unchanged.\n\n## Linux install\n\nagentjail now installs natively on Linux via a systemd `--user`\n\ndaemon service (ADR 0051):\n\n```\ncurl -fsSL https://agentjail.io/install.sh | sh\n```\n\nThe installer no longer aborts the outer script under `set -eu`\n\n, and the shield re-asserts the agentjail hook right before exec so a session cannot start with the guardrail unwired.\n\n## Daemon control plane\n\nThe daemon can now reload its policy over a control socket, with `SIGHUP`\n\nas a fallback (ADR 0052) - no restart required to pick up a policy change. A new `daemon_unreachable`\n\npolicy knob (ADR 0050) lets you choose what happens when the daemon is not answering, backed by a hook-fallback sidecar the hook reads on the hot path.\n\n## A real release gate\n\nThis release ships a clean-VM testbed and a `make e2e-release`\n\ngate (ADR 0053) that stands up a fresh box, installs agentjail through the real `install.sh`\n\n, installs a coding agent, and asserts that policy enforcement actually holds on the installed binaries. It is the only check that exercises the true clean-box user path.\n\n## Upgrade\n\n```\ncurl -fsSL https://agentjail.io/install.sh | sh\n# or\nbrew upgrade LuD1161/tap/agentjail\n```\n\nFull changelog on the [changelog page](/changelog). Source on [GitHub](https://github.com/LuD1161/agentjail).", "url": "https://wpnews.pro/news/hand-it-your-codebase-not-your-secrets", "canonical_source": "https://agentjail.io/blog/announcing-v060/", "published_at": "2026-07-09 09:02:10+00:00", "updated_at": "2026-07-09 09:12:13.520792+00:00", "lang": "en", "topics": ["ai-agents", "ai-safety", "developer-tools"], "entities": ["agentjail", "OpenSSH", "macOS", "Linux"], "alternates": {"html": "https://wpnews.pro/news/hand-it-your-codebase-not-your-secrets", "markdown": "https://wpnews.pro/news/hand-it-your-codebase-not-your-secrets.md", "text": "https://wpnews.pro/news/hand-it-your-codebase-not-your-secrets.txt", "jsonld": "https://wpnews.pro/news/hand-it-your-codebase-not-your-secrets.jsonld"}}