Goutham Veeramachaneni wanted an AI SRE to manage his homelab. He set up Hermes Agent to monitor and fix his self-hosted services running on k3s. But giving an agent real API keys for Grafana, Todoist, and other tools means trusting that the agent won't leak those credentials, especially when you're testing with local models like Gemma4 and Qwen that might follow malicious instructions they find on the web. The solution he built: a credential injection proxy. The agent sees fake credentials, like "fake-todoist-key-1". When it makes a request, the proxy intercepts it and swaps in the real token. The agent never touches actual secrets.

It's a MITM setup. The proxy generates its own certificate authority, and you inject that CA into the agent's container. This lets the proxy inspect and rewrite HTTPS traffic. Veeramachaneni built it on goproxy with a config file mapping fake credentials to real ones pulled from environment variables. Simple enough in theory. In practice, things got messy. Chrome automated through Playwright refused to honor the proxy certificates. He had to switch to Camoufox for browser-based tasks. The matrix-nio Python library ignored HTTP_PROXY entirely because aiohttp needs explicit trust_env=True to respect it. Even after Hermes moved to the mautrix library, proxy support remained broken.
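The swap step at the heart of this design, as an added illustration written for this page (not code from Veeramachaneni's proxy or from goproxy): the rule table, placeholder names and environment variable names are hypothetical, and the per-host binding is a hardening added here that the post does not describe, so a placeholder is only exchanged for the real token when the request is headed to the service it belongs to.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"os"
	"strings"
)

// Rule binds a placeholder the agent may see to the env var holding the real
// secret (read only by the proxy) and to the single host it may be sent to.
type Rule struct {
	Fake, EnvVar, Host string
}

// Hypothetical rule table; the placeholder style follows the post's "fake-todoist-key-1".
var Rules = []Rule{
	{Fake: "fake-todoist-key-1", EnvVar: "TODOIST_TOKEN", Host: "api.todoist.com"},
}

// RewriteCredentials swaps placeholders in headers and the query string for the
// real token and returns the number of substitutions. A placeholder bound to a
// different host is left untouched; a missing secret is an error, not a pass-through.
func RewriteCredentials(req *http.Request, rules []Rule) (int, error) {
	n := 0
	for _, r := range rules {
		if req.URL.Hostname() != r.Host {
			continue
		}
		real := os.Getenv(r.EnvVar)
		if real == "" {
			return n, fmt.Errorf("%s is not set for placeholder %s", r.EnvVar, r.Fake)
		}
		for name, vals := range req.Header {
			for i, v := range vals {
				if strings.Contains(v, r.Fake) {
					req.Header[name][i] = strings.ReplaceAll(v, r.Fake, real)
					n++
				}
			}
		}
		if strings.Contains(req.URL.RawQuery, r.Fake) {
			req.URL.RawQuery = strings.ReplaceAll(req.URL.RawQuery, r.Fake, url.QueryEscape(real))
			n++
		}
	}
	return n, nil
}
```

In a real deployment this function would run inside the proxy's request hook after TLS interception, which is the part the post describes goproxy handling.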

The broader agent security ecosystem is starting to build around these patterns. Agent Vault launched recently, standardizing the credential injection approach Veeramachaneni had hand-rolled. Kloak takes a different angle, using eBPF to intercept and modify requests at a lower level. And there's work happening on gVisor-based sandboxes that can intercept every network call, with Kubernetes working on native support and GKE already offering experimental integration.

The infrastructure is still early. The proxy approach works for most HTTP-based tools but breaks when client libraries don't respect standard proxy environment variables. Sandboxing at the network level might be the more reliable path forward, but it requires more setup and isn't yet well-documented. Veeramachaneni notes the Kubernetes docs for agent sandbox support are "very weird," which tells you where the maturity level sits.