Security Blog

The whole industry just agreed your agent shouldn't see your keys. They're hiding them in the wrong place.

#17

June 20, 2026 · By Marketing team


In one week, Claude Code, Hermes, and Codex all shipped fixes to stop agents from seeing raw credentials. Convergent patches are not an architecture: the keys should not live in the harness at all.

This week Anthropic shipped a quiet line in the Claude Code changelog: "Fixed MCP servers requiring authentication exposing auth-stub tools to the model in headless/SDK mode" [1]. In plain terms — when Claude Code ran headless (the way it runs in CI and automated agent pipelines), authentication tools that were supposed to stay hidden were being exposed to the model: the AI could see the auth tool names, their parameters, and potentially poke at them. In the most-used coding agent on earth — 133k stars — the credential layer was leaking into the one place you least want it: the model's own context.

It got fixed. But the fix is the small story. The big one is why every serious agent harness is suddenly fighting the same battle.

Three harnesses, one week, the same instinct

Look at what shipped in a single 24-hour window:

  • Claude Code patched the auth-stub leak above and tightened MCP auth gating [1].
  • Hermes (v0.17.0) added "Managed Scope" — admin-pinned, user-immutable secrets locked at the filesystem so an agent operator can't override them — plus secret redaction in debug dumps and blocking of exfil-shaped MCP configs before they launch [2].
  • Codex (v0.141.0) wrapped remote-execution traffic in encrypted Noise channels and began routing plugins by their authentication mode [3].

Three rivals, three approaches, one shared conclusion: the harness must own the secrets, and the agent must never see the raw keys. When competitors converge like that in the same week, it isn't a fad. It's a category finally admitting what it's for.

The next problem is credential sprawl

Here's the catch. Every one of those fixes lives inside the harness. And the Claude Code bug is the tell: when authentication lives in the harness, right next to the model, "the agent must never see it" stops being a fact and becomes a property you have to keep engineering — and occasionally fail at, in headless mode, where no human is watching. You don't get to declare it once. You defend it, release after release.

But the deeper problem isn't any single leak — it's what happens when every harness, every vendor, and every use case ships its own answer. You end up with a vault inside Claude Code, a vault inside Hermes, a vault inside Codex, an OAuth pool here, a secrets file there — a separate credential store for every tool you run. That is credential sprawl, and it's the next problem, not a solved one.

Sprawl is the failure even when none of the silos leak. Your secrets get copied into each one to make it work — more copies, more places to steal from. Rotation has to happen N times, by hand, and the one you forget is the one that burns you. And nobody can answer the only question that actually matters — which agent used which key, against what, when — because the answer is scattered across a dozen stores that don't talk to each other. You cannot stand up a fresh vault for every vendor and every workflow. That doesn't scale. It is the thing that breaks.

The keys don't belong in the harness at all

The fix you never have to ship is the one where the agent never holds the auth in the first place. Put the credentials in one authority that sits outside every harness — not a vault per vendor, one underneath all of them. The agent — in Claude Code, in Codex, in Hermes, it doesn't matter — asks for one named action and gets a scoped, ephemeral credential injected for exactly that, fetched live and gone after. There's no auth-stub in the model's context to accidentally expose, because the auth was never in the harness. There's no sprawl, because there's one store instead of one per tool — rotate once, not N times. And every access lands on a single audit trail instead of scattering across a dozen silos that can't answer who-used-what. (Keeping the secret out of where the code runs is near the top of the rules a credential tool should keep — the industry just spent a week discovering it.)

And this is the part that's a security boundary, not a convenience: the credential cannot live in the same system as the agent. Co-locate them and they share a blast radius — a prompt injection, a poisoned MCP server, a shared debug dump, the next auth-stub bug, and whatever reaches the agent reaches the keys with it. That is why visibility alone is the breach: the moment a secret lands somewhere the agent can see it, you treat it as already leaked and rotate it — the way every careful team treated that Claude Code auth-stub the day it shipped. Hold the credential at arm's length, in a system the agent can only ask — never read, never hold — and a fully compromised agent still can't exfiltrate what was never in its reach. It can request an action. It cannot walk off with the key. The distance is the defense; an in-process vault doesn't have it at any price.
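The broker pattern described above, as an added example that is not Clavitor's code or any harness's: the agent names an action, the broker (assumed here to run as a separate service; the upstream API call is simulated) uses the raw key out of the agent's reach, and every request lands on one audit trail. A helper also applies the "visibility is the breach" rule to whatever the agent's context ends up holding.

```python
# Added example (not Clavitor's code). Constructed secret store and policy; in a real
# deployment they live in a broker process the harness can only talk to over an API.
import hashlib
import hmac
import json
import time
from typing import Optional

SECRETS = {"deploy:prod": b"sk_live_constructed_example_key"}   # constructed sample key
POLICY = {"claude-code-ci": {"deploy:prod"}, "codex-dev": set()}  # agent -> allowed actions
AUDIT = []  # the single audit trail: who used which key, against what, when


def _call_upstream(key: bytes, body: bytes) -> dict:
    """Simulated upstream API. The raw key is used only inside this function."""
    hmac.new(key, body, hashlib.sha256).hexdigest()  # auth header, never returned
    return {"status": "accepted", "request_id": hashlib.sha256(body).hexdigest()[:12]}


def perform(agent: str, action: str, payload: dict, now: Optional[float] = None) -> dict:
    """Run `action` on behalf of `agent`. The agent gets a result, never a credential."""
    now = time.time() if now is None else now
    allowed = action in POLICY.get(agent, set())
    AUDIT.append({"t": now, "agent": agent, "action": action, "allowed": allowed})
    if not allowed:
        raise PermissionError(f"{agent} is not authorised for {action}")
    body = json.dumps(payload, sort_keys=True).encode()
    # The key is fetched live for this one action and goes out of scope afterwards.
    return _call_upstream(SECRETS[action], body)


def context_is_clean(agent_context: str) -> bool:
    """Visibility is the breach: any key material in the agent's context counts as leaked."""
    return not any(secret.decode() in agent_context for secret in SECRETS.values())


def who_used_what() -> list:
    """Answer the audit question from one store: (agent, action) for each successful use."""
    return [(entry["agent"], entry["action"]) for entry in AUDIT if entry["allowed"]]
```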

That's the line Clavitor draws. The whole field just proved the principle — the agent shouldn't see the keys. We just don't think you should have to re-prove it inside every harness you run, and we don't think the thing holding your keys should be the same thing an attacker just compromised.

Give the harness teams credit: admin-pinned secrets, encrypted relays, fail-closed defaults are real, good engineering. But a fix-of-the-week for a leak that keeps reappearing isn't an architecture — it's a symptom. The architecture is the keys not being there to leak.

When three competitors patch the same wound in the same week, the wound is the design. The agent shouldn't see your keys — so stop keeping them where it can.

Clavitor (@clavitorai) is the credential vault built for AI agents, and against them. clavitor.ai

Sources

[1] Claude Code v2.1.183 — "Fixed MCP servers requiring authentication exposing auth-stub tools to the model in headless/SDK mode" — https://github.com/anthropics/claude-code/releases/tag/v2.1.183

[2] Hermes Agent v0.17.0 — Managed Scope (admin-pinned secrets), secret redaction, exfil-config blocking — https://github.com/NousResearch/hermes-agent/releases

[3] OpenAI Codex v0.141.0 — encrypted Noise relay channels, auth-mode plugin routing — https://github.com/openai/codex/releases