alt Hacker NewsThe thread illustrates a recurring pattern: encrypting the artifact instead of narrowing the authority.
An agent executing code in your environment has implicit access to anything that environment can reach at runtime. Encrypting .env moves the problem one print statement away.
The proxy approaches (Airut, OrcaBot) get closer because they move the trust boundary outside the agent's process. The agent holds a scoped reference that only resolves at a chokepoint you control.
But the real issue is what stephenr raised: why does the agent have ambient access at all? Usually because it inherited the developer's shell, env, and network. That's the actual problem. Not the file format.
The agent has ambient access because it makes it more capable.
For the same reasons we go to extreme measures to try to make dev environments identical with tooling like docker, and we work hard to ensure that there's consistency between environments like staging and production.
Viewing the "state of things" from the context of the user is much more valuable than viewing a "fog of war" minimal view with a lack of trust.
> Usually because it inherited the developer's shell, env, and network. That's the actual problem. Not the file format.
I'd argue this is folly. The actual problem is that the LLM behind the agent is running on someone else's computer, with zero accountability except the flimsy promise of legal contracts (at the best case - when backed by well funded legal departments working for large businesses).
This whole category of problems goes out of scope if the model is owned by you (or your company) and run on hardware owned by you (or your company).
If you want to fix things - argue for local.