Hand it your codebase. Not your secrets Agentjail v0.6.0 has been released, hardening the credential broker and daemon to prevent coding agents from accessing secrets like master keys, database passwords, and cloud metadata. The update also improves macOS sandboxing to achieve ssh-agent parity and blocks credential leaks via process arguments and cloud metadata endpoints. agentjail v0.6.0 is out. Hand your coding agent your real codebase and it does real work - clones, commits, pushes over SSH, on macOS and Linux. What it still cannot do is walk off with your secrets. This release makes that guarantee stronger and the sandbox more invisible than ever. TL;DR Your agent works normally, your secrets stay yours. It can push to private Git repos over SSH, clone, and run on macOS and Linux - and still cannot read your credential master key, leak database passwords, or reach cloud metadata. The cage got stronger. The credential broker and daemon were hardened: the master key is unreadable by the agent, psql passwords no longer leak via argv, grants auto-expire, and IMDS egress is blocked. The cage got quieter. The macOS shield reaches ssh-agent parity including the pinned-IdentityFile fix , and .env.example templates no longer trip the guard. New reach. First-class Linux install via a systemd --user service, plus a clean-VM make e2e-release gate. Credential broker and daemon hardening Most of this release is defensive work on the two components an agent would most like to subvert: the credential broker and the daemon that arbitrates grants. The secrets-broker master key is now unreadable by the agent. Both the policy layer and the OS shield deny reads of the key material, so a sandboxed agent cannot exfiltrate the key that unwraps stored credentials. Postgres passwords no longer leak via Credentials that were previously visible in the process argument list are passed out of band. psql argv. Grants auto-expire, and requested TTLs are capped. A grant can no longer be requested with an unbounded lifetime, and stale grants are cleaned up automatically. The daemon verifies peer UID and CWD at the socket level instead of trusting a self-reported identity. An agent cannot claim to be a different process. Concurrent agent-socket connections are bounded with an idle read deadline, so a misbehaving client cannot pin the daemon open.closing a redirect where a crafted socket path could point the hook somewhere else. AGENTJAIL SOCKET is honored only when it resolves under ~/.agentjail , Cloud-metadata IMDS egress is guarded in port-only mode ADR 0049 , so an agent on a cloud box cannot reach 169.254.169.254 to harvest instance credentials. Per-project policy overlays are trust-gated before they are applied, and the store redaction list was extended to cover more credential shapes. All of these are enforced at the policy or OS-sandbox layer, not by convention. macOS shield reaches ssh-agent parity On Linux, an agent under the shield could already authenticate over SSH through ssh-agent without ever touching a private key on disk. On macOS the seatbelt sandbox blocked the agent socket, so the same flow failed. v0.6.0 closes that gap: SSH AUTH SOCK is passed through into the sandbox.- The agent socket connect is allowed on the macOS seatbelt. - Per-user temp directories and AF UNIX local sockets are permitted, which several tools LSPs, app-servers need. The point stands: the shield still blocks reads of the private key file itself. Auth happens through the agent, so the key never leaves the agent process. The pinned-IdentityFile blind spot There was a subtle failure that only showed up with a specific SSH config. If your ~/.ssh/config pins an IdentityFile usually alongside IdentitiesOnly yes , OpenSSH reads that on-disk key first . The shield denies the read, and ssh fails before it ever tries the agent - so git over SSH silently broke under the sandbox. The fix ADR 0056 : when the agent is available, the shield injects an agent-backed GIT SSH COMMAND for shield-wrapped git : GIT SSH COMMAND="ssh -o IdentitiesOnly=no -o IdentityFile=none -o IdentityAgent=$SSH AUTH SOCK" IdentitiesOnly=no is the decisive option: with IdentitiesOnly yes in the config, OpenSSH only offers agent keys that match a configured IdentityFile , so an agent key that differs from the pinned one is never offered. It is injected only when SSH AUTH SOCK is set, you have no GIT SSH COMMAND of your own, and AGENTJAIL NO SSH OVERRIDE is unset. agentjail doctor warns when keys are on disk but not loaded, and the hook prints a one-shot advisory - neither ever suggests granting a key-file read hole. .env templates no longer break checkouts The old shield write-deny matched .env broadly, which meant cloning a repo that commits .env.example or .env.docker templates failed on checkout. v0.6.0 inverts this to a secret-form deny-list ADR 0057 : only secret-bearing forms .env , .env.local , .env.production , and similar are write-denied. Templates are allowed. Read exposure is unchanged. Linux install agentjail now installs natively on Linux via a systemd --user daemon service ADR 0051 : curl -fsSL https://agentjail.io/install.sh | sh The installer no longer aborts the outer script under set -eu , and the shield re-asserts the agentjail hook right before exec so a session cannot start with the guardrail unwired. Daemon control plane The daemon can now reload its policy over a control socket, with SIGHUP as a fallback ADR 0052 - no restart required to pick up a policy change. A new daemon unreachable policy knob ADR 0050 lets you choose what happens when the daemon is not answering, backed by a hook-fallback sidecar the hook reads on the hot path. A real release gate This release ships a clean-VM testbed and a make e2e-release gate ADR 0053 that stands up a fresh box, installs agentjail through the real install.sh , installs a coding agent, and asserts that policy enforcement actually holds on the installed binaries. It is the only check that exercises the true clean-box user path. Upgrade curl -fsSL https://agentjail.io/install.sh | sh or brew upgrade LuD1161/tap/agentjail Full changelog on the changelog page /changelog . Source on GitHub https://github.com/LuD1161/agentjail .