v0.6.0: Hand it your codebase, not your secrets · agentjail
← All posts
agentjail v0.6.0 is out. Hand your coding agent your real codebase and it does real work - clones, commits, pushes over SSH, on macOS and Linux. What it still cannot do is walk off with your secrets. This release makes that guarantee stronger and the sandbox more invisible than ever.
TL;DR
Your agent works normally, your secrets stay yours. It can push to private Git repos over SSH, clone, and run on macOS and Linux - and still cannot read your credential master key, leak database passwords, or reach cloud metadata.
The cage got stronger. The credential broker and daemon were hardened: the master key is unreadable by the agent, psql passwords no longer leak via argv, grants auto-expire, and IMDS egress is blocked.
The cage got quieter. The macOS shield reaches ssh-agent parity (including the pinned-IdentityFile fix), and .env.example templates no longer trip the guard.
New reach. First-class Linux install via a systemd --user service, plus a clean-VM make e2e-release gate.
Credential broker and daemon hardening
Most of this release is defensive work on the two components an agent would most like to subvert: the credential broker and the daemon that arbitrates grants.
The secrets-broker master key is now unreadable by the agent. Both the policy layer and the OS shield deny reads of the key material, so a sandboxed agent cannot exfiltrate the key that unwraps stored credentials.
Postgres passwords no longer leak via psql argv. Credentials that were previously visible in the process argument list are passed out of band.
Grants auto-expire, and requested TTLs are capped. A grant can no longer be requested with an unbounded lifetime, and stale grants are cleaned up automatically.
The daemon verifies peer UID and CWD at the socket level instead of trusting a self-reported identity. An agent cannot claim to be a different process.
Concurrent agent-socket connections are bounded with an idle read deadline, so a misbehaving client cannot pin the daemon open.
AGENTJAIL_SOCKET is honored only when it resolves under ~/.agentjail, closing a redirect where a crafted socket path could point the hook somewhere else.
Cloud-metadata (IMDS) egress is guarded in port-only mode (ADR 0049), so an agent on a cloud box cannot reach 169.254.169.254 to harvest instance credentials.
Per-project policy overlays are trust-gated before they are applied, and the store redaction list was extended to cover more credential shapes.
All of these are enforced at the policy or OS-sandbox layer, not by convention.
macOS shield reaches ssh-agent parity
On Linux, an agent under the shield could already authenticate over SSH through ssh-agent without ever touching a private key on disk. On macOS the seatbelt sandbox blocked the agent socket, so the same flow failed. v0.6.0 closes that gap:
SSH_AUTH_SOCK is passed through into the sandbox.
The agent socket connect is allowed on the macOS seatbelt.
Per-user temp directories and AF_UNIX local sockets are permitted, which several tools (LSPs, app-servers) need.
The point stands: the shield still blocks reads of the private key file itself. Auth happens through the agent, so the key never leaves the agent process.
The pinned-IdentityFile blind spot
There was a subtle failure that only showed up with a specific SSH config. If your ~/.ssh/config pins an IdentityFile (usually alongside IdentitiesOnly yes), OpenSSH reads that on-disk key first. The shield denies the read, and ssh fails before it ever tries the agent - so git over SSH silently broke under the sandbox.
The fix (ADR 0056): when the agent is available, the shield injects an agent-backed GIT_SSH_COMMAND for shield-wrapped git:
GIT_SSH_COMMAND="ssh -o IdentitiesOnly=no -o IdentityFile=none -o IdentityAgent=$SSH_AUTH_SOCK"<br>IdentitiesOnly=no is the decisive option: with IdentitiesOnly yes in the config, OpenSSH only offers agent keys that match a configured IdentityFile, so an agent key that differs from the pinned one is never offered. It is injected only when SSH_AUTH_SOCK is set, you have no GIT_SSH_COMMAND of your own, and AGENTJAIL_NO_SSH_OVERRIDE is unset. agentjail doctor warns when keys are on disk but not loaded, and the hook prints a one-shot advisory - neither ever suggests granting a key-file read hole.
.env templates no longer break checkouts
The old shield write-deny matched .env* broadly, which meant cloning a repo that commits .env.example or .env.docker templates failed on checkout. v0.6.0 inverts this to a secret-form deny-list (ADR 0057): only secret-bearing forms (.env, .env.local, .env.production, and similar) are write-denied. Templates are allowed. Read exposure is unchanged.
Linux install
agentjail now installs natively on Linux via a systemd --user daemon service (ADR 0051):
curl -fsSL https://agentjail.io/install.sh | sh<br>The installer no longer aborts the outer script under set -eu, and the shield re-asserts the...