# Hand it your codebase. Not your secrets

> Source: <https://agentjail.io/blog/announcing-v060/>
> Published: 2026-07-09 09:02:10+00:00

agentjail v0.6.0 is out. Hand your coding agent your real codebase and it does real work - clones, commits, pushes over SSH, on macOS and Linux. What it still cannot do is walk off with your secrets. This release makes that guarantee stronger and the sandbox more invisible than ever.

## TL;DR

**Your agent works normally, your secrets stay yours.** It can push to private Git repos over SSH, clone, and run on macOS and Linux - and still cannot read your credential master key, leak database passwords, or reach cloud metadata.**The cage got stronger.** The credential broker and daemon were hardened: the master key is unreadable by the agent,`psql`

passwords no longer leak via argv, grants auto-expire, and IMDS egress is blocked.**The cage got quieter.** The macOS shield reaches ssh-agent parity (including the pinned-IdentityFile fix), and`.env.example`

templates no longer trip the guard.**New reach.** First-class Linux install via a systemd`--user`

service, plus a clean-VM`make e2e-release`

gate.

## Credential broker and daemon hardening

Most of this release is defensive work on the two components an agent would most like to subvert: the credential broker and the daemon that arbitrates grants.

**The secrets-broker master key is now unreadable by the agent.** Both the policy layer and the OS shield deny reads of the key material, so a sandboxed agent cannot exfiltrate the key that unwraps stored credentials.**Postgres passwords no longer leak via** Credentials that were previously visible in the process argument list are passed out of band.`psql`

argv.**Grants auto-expire, and requested TTLs are capped.** A grant can no longer be requested with an unbounded lifetime, and stale grants are cleaned up automatically.**The daemon verifies peer UID and CWD** at the socket level instead of trusting a self-reported identity. An agent cannot claim to be a different process.**Concurrent agent-socket connections are bounded** with an idle read deadline, so a misbehaving client cannot pin the daemon open.closing a redirect where a crafted socket path could point the hook somewhere else.`AGENTJAIL_SOCKET`

is honored only when it resolves under`~/.agentjail`

,**Cloud-metadata (IMDS) egress is guarded in port-only mode**(ADR 0049), so an agent on a cloud box cannot reach`169.254.169.254`

to harvest instance credentials.**Per-project policy overlays are trust-gated before they are applied,** and the store redaction list was extended to cover more credential shapes.

All of these are enforced at the policy or OS-sandbox layer, not by convention.

## macOS shield reaches ssh-agent parity

On Linux, an agent under the shield could already authenticate over SSH through `ssh-agent`

without ever touching a private key on disk. On macOS the seatbelt sandbox blocked the agent socket, so the same flow failed. v0.6.0 closes that gap:

`SSH_AUTH_SOCK`

is passed through into the sandbox.- The agent socket connect is allowed on the macOS seatbelt.
- Per-user temp directories and AF_UNIX local sockets are permitted, which several tools (LSPs, app-servers) need.

The point stands: the shield still blocks reads of the private key file itself. Auth happens through the agent, so the key never leaves the agent process.

### The pinned-IdentityFile blind spot

There was a subtle failure that only showed up with a specific SSH config. If your `~/.ssh/config`

pins an `IdentityFile`

(usually alongside `IdentitiesOnly yes`

), OpenSSH reads that on-disk key *first*. The shield denies the read, and ssh fails before it ever tries the agent - so `git`

over SSH silently broke under the sandbox.

The fix (ADR 0056): when the agent is available, the shield injects an agent-backed `GIT_SSH_COMMAND`

for shield-wrapped `git`

:

```
GIT_SSH_COMMAND="ssh -o IdentitiesOnly=no -o IdentityFile=none -o IdentityAgent=$SSH_AUTH_SOCK"
```

`IdentitiesOnly=no`

is the decisive option: with `IdentitiesOnly yes`

in the config, OpenSSH only offers agent keys that match a configured `IdentityFile`

, so an agent key that differs from the pinned one is never offered. It is injected only when `SSH_AUTH_SOCK`

is set, you have no `GIT_SSH_COMMAND`

of your own, and `AGENTJAIL_NO_SSH_OVERRIDE`

is unset. `agentjail doctor`

warns when keys are on disk but not loaded, and the hook prints a one-shot advisory - neither ever suggests granting a key-file read hole.

### .env templates no longer break checkouts

The old shield write-deny matched `.env*`

broadly, which meant cloning a repo that commits `.env.example`

or `.env.docker`

templates failed on checkout. v0.6.0 inverts this to a secret-form deny-list (ADR 0057): only secret-bearing forms (`.env`

, `.env.local`

, `.env.production`

, and similar) are write-denied. Templates are allowed. Read exposure is unchanged.

## Linux install

agentjail now installs natively on Linux via a systemd `--user`

daemon service (ADR 0051):

```
curl -fsSL https://agentjail.io/install.sh | sh
```

The installer no longer aborts the outer script under `set -eu`

, and the shield re-asserts the agentjail hook right before exec so a session cannot start with the guardrail unwired.

## Daemon control plane

The daemon can now reload its policy over a control socket, with `SIGHUP`

as a fallback (ADR 0052) - no restart required to pick up a policy change. A new `daemon_unreachable`

policy knob (ADR 0050) lets you choose what happens when the daemon is not answering, backed by a hook-fallback sidecar the hook reads on the hot path.

## A real release gate

This release ships a clean-VM testbed and a `make e2e-release`

gate (ADR 0053) that stands up a fresh box, installs agentjail through the real `install.sh`

, installs a coding agent, and asserts that policy enforcement actually holds on the installed binaries. It is the only check that exercises the true clean-box user path.

## Upgrade

```
curl -fsSL https://agentjail.io/install.sh | sh
# or
brew upgrade LuD1161/tap/agentjail
```

Full changelog on the [changelog page](/changelog). Source on [GitHub](https://github.com/LuD1161/agentjail).
