Shai-hulud, prompt-injection - you name it. They cannot steal what your agent (or an process) don't have.
I run coding agents (Claude Code, Codex) on my own machines most of the day. Every one of them wants real API keys in env and I was scratching my head for the last few months how to contain it.
The usual answer to this is a firewall. I don't buy it. A firewall tries to contain a secret the process is still holding, and the rules are painful to maintain.
AVP gives the agent a placeholder and injects the real value at the last moment, on the wire: ``` # the agent's env holds only a placeholder STRIPE_API_KEY=avp-placeholder # agent sends: Authorization: Bearer avp-placeholder # AVP forwards upstream: Authorization: Bearer sk_live_...real... ```
Keep your passwords in your vault where they belong. AVP initially relies on Bitwarden as a secret manager. It's MIT licensed.
Appreciate any feedback.