IronClaw seems to do this natively, I like the idea in general, so it's good too see this pulled out.
I have few questions:
- How can a proxy inject stuff if it's TLS encrypted? (same for IronClaw and others)
- Any adapters for existing secret stores? like maybe my fake credential can be a 1Password entry path (like 1Password:vault-name/entry/field and it would pull from 1P instead of having to have yet another place for me to store secrets?
Re IronClaw is probably the most hardened open-source implementation I've seen for this, but a sufficiently clever prompt injection against the built-in tools (especially shell) could still reach secrets.
Re TLS: OneCLI itself runs in a separate container, acting as an HTTPS proxy. The SDK auto-configures agent containers with proxy env vars + a local CA cert. When the agent hits an intercepted domain, OneCLI terminates TLS, swaps placeholder tokens for real creds, and forwards upstream. Containers never touch actual keys.
More here: https://www.onecli.sh/docs/sdks/node#how-it-works
Re 1Password adapters: not yet, but on the roadmap.
Ok that's what I assumed it probably did (modify the container's certificate trust store), thanks for the explanation.
You use a forward proxy that can MITM.
So would I have to add that Proxy's certificate to my trust store?