Show HN: AVP – an agent can't leak a secret it never had

github.com

3 points by radku 7 days ago · 1 comment · 1 min read


A process can't leak a secret it never had.

Shai-hulud, prompt-injection - you name it. They cannot steal what your agent (or a process) doesn't have.

I run coding agents (Claude Code, Codex) on my own machines most of the day. Every one of them wants real API keys in env and I was scratching my head for the last few months how to contain it.

The usual answer to this is a firewall. I don't buy it. A firewall tries to contain a secret the process is still holding, and the rules are painful to maintain.

AVP gives the agent a placeholder and injects the real value at the last moment, on the wire:

```
# the agent's env holds only a placeholder
STRIPE_API_KEY=avp-placeholder

# agent sends:
Authorization: Bearer avp-placeholder

# AVP forwards upstream:
Authorization: Bearer sk_live_...real...
```

Keep your passwords in your vault where they belong. AVP initially relies on Bitwarden as a secret manager. It's MIT licensed.

Appreciate any feedback.

ourdailycalc 7 days ago

Interesting approach. How do you prevent an agent from sending the placeholder to an unapproved domain and having it replaced there? Is secret injection restricted by destination host?
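The destination-binding question raised in the comment above, worked through as an added example; it is not part of the thread and not AVP's code, and it says nothing about how AVP itself behaves. The binding table, the `inject` function, the allowed host and the secret value are all constructed for illustration, and the URL is assumed to be the destination the proxy will actually connect to.

```python
from urllib.parse import urlsplit

# Constructed binding table (assumption): each placeholder maps to the value a
# vault lookup would return and to the only hosts allowed to receive it.
BINDINGS = {
    "avp-placeholder": {
        "secret": "EXAMPLE-REAL-VALUE",   # constructed, not a real key
        "hosts": {"api.stripe.com"},      # exact names, no suffix matching
    },
}


class InjectionDenied(Exception):
    """A placeholder was addressed to a destination it is not bound to."""


def destination_host(url):
    """Return the normalised host of an https URL, or None otherwise."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def inject(url, headers, bindings=BINDINGS):
    """Return a copy of headers with bound placeholders replaced.

    Fails closed: a placeholder headed anywhere else raises instead of being
    swapped, so the refusal can be logged and alerted on.
    """
    host = destination_host(url)
    out = {}
    for name, value in headers.items():
        tokens = value.split(" ")
        for i, token in enumerate(tokens):
            binding = bindings.get(token)  # whole-token match only
            if binding is None:
                continue
            if host not in binding["hosts"]:
                raise InjectionDenied(f"{token!r} not bound to {host!r} ({name})")
            tokens[i] = binding["secret"]
        out[name] = " ".join(tokens)
    return out
```

Matching the host exactly, after URL parsing, is what keeps look-alike names and userinfo tricks from qualifying; a refused injection is also a useful detection signal for a hijacked agent.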
