[hardsnow]

This is the right approach. I built a similar system to https://github.com/airutorg/airut - couple of learnings to share:

1) Not all systems respect HTTP_PROXY. Node in particular is very uncooperative in this regard.

2) AWS access keys can’t be handled by simple credential swap; the requests need to be resigned with the real keys. Replicating the SigV4 and SigV4A exactly was bit of a pain.

3) To be secure, this system needs to run outside of the execution sandbox so that the agent can’t just read the keys from the proxy process.

For Airut I settled on a transparent (mitm)proxy, running in a separate container, and injecting proxy cert to the cert store in the container where the agent runs. This solved 1 and 3.

[joostme]

Great tool. Yours is much more sophisticated than mine, but I also came up with a similar solution to my personal problem of running opencode web in a container with access to all my API keys. I also settled on mitmproxy. Before I was trying to use IPTables, but that didnt really safely work, because the agent could still escape if he tried hard enough. I'm happy there is some work being done of securing agents more properly. Maybe this helps broader adoption for experiments with access to more services.

https://github.com/joostme/doubleagent

[lancetipton]

Im literally working on the exact same solution. Difference is I'm running the system in a Kubernetes cluster.

I essentially run a sidecar container that sets up ip tables that redirect all requests through my mitm proxy. This was specifically required because of Node not respecting HTTP_PROXY.

Also had to inject a self signed cert to ensure SSL could be proxied and terminated by the mitm proxy, which then injects the secrets, and forwards the request on.

Have you run into any issues with this setup? I'm trying to figure out if there's anything I'm missing that might come back to bite me?

[hardsnow]

I’ve been running this with workloads accessing Anthropic, GitHub, Gemini, and AWS & CF R2 APIs for a while now, and have not ran into issues. I’m sure there’s an API out there that won’t work out of the box but I’m positive that support could be added.

Another thing I did was to allow configuring which hosts each credential is scoped to. Replacement /resigning doesn’t happen unless host matches. That way it is not possible to leak keys by making requests to malicious hosts.

[lancetipton]

The last note about configuring hosts to credentials is an excellent idea, and one I did not think to do. Currently I'm just doing a replace on any that matches in the request. This adds an extra layer of security to it. Much appreciated.

[dtkav]

I'm working on something similar with https://github.com/dtkav/agent-creds though I keep growing the scope.

The model is solid. It feels like the right way to use YOLO mode.

I've been working on making the auth setup more granular with macaroons and third party caveats.

My dream is to have plugins for upstreams using OpenAPI specs and then make it really easy to stitch together grants across subsets of APIs.

I think there's a product in here somewhere...

[semanticc]

Node 24+ does respect HTTP_PROXY when NODE_USE_ENV_PROXY=1 is set.

[huksley]

Node v22.21+ as well

[arianvanp]

Also doesn't this mean I have to reconfigure all my tools to use HTTP and then when I forget to enable this it will fall back to getting MITM'd by the Internet? Fails open in the most insecure method ever

[inssein]

This is basically what https://www.verygoodsecurity.com/ (their main product), but it's heavily focused on credit card data.