by webpolis 106 days ago
The keychain-per-agent model is the right instinct, but the threat model gets complicated fast. When five agents share a keychain process, a prompt injection in agent A can exfiltrate credentials for agents B–E — one bad LLM output becomes a full company compromise.

The safer architecture is per-session credential scoping: each agent gets credentials minted for that specific task, revoked on completion. That's what we built Cyqle (https://cyqle.in) around — ephemeral sessions where the encryption key is destroyed on close, so if an agent misbehaves, the blast radius is bounded to that session.

The keychain needs the same isolation principle, but applied at the task boundary, not the agent boundary.
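As an added illustration of the per-session scoping the comment describes (example code, not Cyqle's or any project's own): a small broker that mints an HMAC-based token bound to one task session and revokes it by destroying the session key on close, so a token captured from one task is useless for any other task and dead once its session ends. The broker, token format and TTL are assumptions for the example.

```python
# Added example (not Cyqle's code): a broker that mints credentials per task
# session and revokes them on close, so one compromised agent task cannot
# reuse or forge tokens for another task. HMAC tokens stand in for real creds.
import hmac
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    key: bytes       # per-session HMAC key; zeroed on close
    scope: str       # the single task this session may act on
    expires: float
    closed: bool = False


class SessionBroker:
    def __init__(self, ttl_seconds: float = 300.0):
        self.ttl = ttl_seconds
        self._sessions: dict[str, Session] = {}

    def open(self, scope: str) -> tuple[str, str]:
        """Return (session_id, token); the token is bound to `scope` only."""
        sid = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._sessions[sid] = Session(key, scope, time.time() + self.ttl)
        return sid, f"{sid}.{self._tag(key, sid, scope)}"

    @staticmethod
    def _tag(key: bytes, sid: str, scope: str) -> str:
        return hmac.new(key, f"{sid}:{scope}".encode(), hashlib.sha256).hexdigest()

    def authorize(self, token: str, scope: str) -> bool:
        """True only if the session is live, unexpired and bound to `scope`."""
        sid, _, tag = token.partition(".")
        s = self._sessions.get(sid)
        if s is None or s.closed or time.time() > s.expires or s.scope != scope:
            return False
        return hmac.compare_digest(tag, self._tag(s.key, sid, scope))

    def close(self, sid: str) -> None:
        """Revoke: overwrite the key so nothing minted for this session verifies."""
        s = self._sessions.get(sid)
        if s is not None:
            s.key = bytes(len(s.key))  # destroy key material
            s.closed = True
```

Closing a session bounds the blast radius to that one task: tokens from other live sessions keep working, while the closed session's token is rejected even by a holder who still has it.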