Evaluate agent-vault integration for credential brokering in agent products #55

Open
opened 2026-04-23 18:12:47 -07:00 by pyr0ball · 0 comments
Owner

Overview

agent-vault is a transparent HTTPS credential proxy for AI agents. Agents route outbound API calls through a MITM proxy — agent-vault intercepts and injects real credentials before forwarding upstream. The agent never receives the secret value.

Why it matters for CF

Every downstream ND product (Osprey, Harrier, Rufous, Ibis) will need to call external APIs with user credentials — government portals, benefits systems, insurance, healthcare. The threat model is correct: a prompted agent processing untrusted content (a webpage, a document) could be tricked into exfiltrating credentials. Agent Vault eliminates the attack surface by removing the secret from the agent process entirely.

The proposal/approval workflow (agent requests access → human reviews and enters credentials → agent retries) also aligns with the CF pipeline: AI Assist → Human Approval → Execute.

Recommended integration

Not a Python library — a Go sidecar binary + protocol standard:

  1. cf-core.vault process wrapper — installs the binary, starts it as a sidecar, mints a session, injects proxy env vars into agent subprocesses, tears down cleanly. Products call vault.run_agent(fn) without knowing the details.
  2. Adopt the AGENTS.md protocol — document /discover, /proxy/{host}/{path}, and the proposal workflow as the CF standard for how agents declare and request external API credentials.
  3. Human-approval hook — wire the proposal workflow to the product approval UI as the Human Approval step.
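To make the brokering model in the list above concrete, here is an added illustrative broker (constructed for this issue, not agent-vault's code) that models the /discover and /proxy/{host}/{path} endpoints and the propose → human approves → retry loop. The 403 status for "no approved credential", the header-stripping step and the audit list are assumptions of this sketch; the point it demonstrates is that the secret only ever appears in the upstream request, never in anything returned to the agent.

```python
# Constructed model of the credential-brokering pattern; not agent-vault's implementation.
from dataclasses import dataclass, field

PROPOSAL_REQUIRED = 403  # assumed status for "host has no approved credential yet"


@dataclass
class Broker:
    _secrets: dict = field(default_factory=dict)  # host -> secret, lives only in the sidecar
    pending: set = field(default_factory=set)     # proposals awaiting the Human Approval step
    audit: list = field(default_factory=list)     # what was brokered, for later review

    def discover(self):
        # /discover: the agent learns host names only, never credential values
        return {"approved": sorted(self._secrets), "pending": sorted(self.pending)}

    def propose(self, host):
        # Agent asks for access; the decision happens out-of-band with a human
        if host not in self._secrets:
            self.pending.add(host)
        return self.discover()

    def approve(self, host, secret):
        # Human Approval: the reviewer enters the credential into the broker, not the agent
        self._secrets[host] = secret
        self.pending.discard(host)

    def proxy(self, method, path, agent_headers):
        """Handle /proxy/{host}/{path}; returns (status, reply_to_agent, upstream_request)."""
        parts = path.split("/", 3)
        if len(parts) < 3 or parts[:2] != ["", "proxy"] or not parts[2]:
            return 400, {"error": "expected /proxy/{host}/{path}"}, None
        host = parts[2]
        upstream_path = "/" + parts[3] if len(parts) == 4 else "/"
        if host not in self._secrets:
            self.propose(host)  # record the request; agent retries after approval
            return PROPOSAL_REQUIRED, {"status": "pending", "host": host}, None
        # Assumed hardening: drop any Authorization the agent set, so the broker's
        # credential is the only one that can reach upstream.
        headers = {k: v for k, v in agent_headers.items() if k.lower() != "authorization"}
        headers["Authorization"] = f"Bearer {self._secrets[host]}"
        upstream = {"method": method, "url": f"https://{host}{upstream_path}", "headers": headers}
        self.audit.append((method, host, upstream_path))
        # The reply to the agent describes what was forwarded but carries no secret
        return 200, {"forwarded": f"{method} https://{host}{upstream_path}"}, upstream
```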

Concerns to resolve before adopting

  • Go 1.25 required — cutting edge, may complicate build environments on older nodes
  • Enterprise ee/ tier — audit which features require Infisical commercial licensing; the core proxy is MIT
  • No Python SDK — agents use REST or HTTPS_PROXY env var injection (trivial in both cases)
  • Binary distribution — need a strategy for shipping/pinning the Go binary alongside products

License

Core is MIT. Enterprise ee/ features require Infisical commercial license. cf-core wrapper stays MIT.

Priority

Backlog — defer until Osprey or Harrier moves out of early prototype. File now to preserve the evaluation.

References

  • Research doc: circuitforge-plans/shared/2026-04-23-agent-vault-evaluation.md
  • Upstream repo: https://github.com/Infisical/agent-vault
  • Upstream AGENTS.md protocol: https://github.com/Infisical/agent-vault/blob/main/AGENTS.md
Reference: Circuit-Forge/circuitforge-core#55