Iconic Subarashi cover artwork for Run AI code agents without production secrets.
Image: Art directed by Remy; generated locally for subarashi.dev

AI code agents do not need production secrets to be useful.

That sentence should be boring.

It is not always how teams behave.

When an agent can read a repo, run tests, inspect CI, open pull requests, browse docs, and propose changes, the temptation is to hand it the same environment a senior developer uses.

That is usually too much.

The current AI news cycle keeps emphasizing stronger coding agents, better harnesses, and more enterprise automation. smol.ai’s May 26 roundup framed harness engineering, context governance, verification loops, and security-guidance plugins as the real differentiators for coding agents. Future Tools recently noted enterprise coding-agent governance, sandboxing, and flexible deployment as part of the Codex story.

The practical takeaway is simple:

If the harness is the product surface, secrets are part of the harness.

Design them deliberately.

Start with a no-secrets default

The safest default is:

The agent gets no production secrets.

No production database credentials.

No deployment keys.

No billing tokens.

No cloud admin sessions.

No analytics credentials.

No customer exports.

No private incident logs unless the task explicitly requires them and the retention rule is clear.

Most coding work does not need any of that.

An agent can fix tests, write docs, improve components, draft posts, update scripts, inspect public docs, and prepare pull requests with repo-local evidence.

That is plenty of useful work before production authority enters the room.

Use local test credentials

If the agent needs credentials, create credentials that are intentionally boring:

  • local only
  • read-only when possible
  • scoped to a test tenant
  • short lived
  • easy to revoke
  • clearly named as non-production
  • stored outside committed files

Do not make the agent guess whether DATABASE_URL points at a toy database or a real one.

Name it.

Put it in a local .env file that is ignored.

Prefer fake services, mocks, fixtures, local containers, preview environments, or test accounts over production access.

Separate read, write, and deploy

Agent permission should not be one blob.

Split it:

  • read repo
  • run tests
  • browse public docs
  • inspect CI output
  • write branch files
  • open pull request
  • read private logs
  • deploy preview
  • deploy production
  • rotate settings
  • access customer data

Most agents should live in the first six.

Private logs, production deploys, settings, and customer data should be special cases with explicit approval.

This is the same operating shape behind designing AI agent permissions before tools and review gates before agents ship.

Do not paste secrets into prompts

Prompts are not vaults.

Chat transcripts, task logs, screenshots, shell output, browser traces, memory files, and pull request bodies can all outlive the moment.

Never paste a real token into an agent prompt.

Never ask the agent to “just remember” a secret.

Never let a secret appear in a code block, screenshot, test failure, console dump, or generated report.

If a secret appears by accident, rotate it.

Do not debate whether the model “probably forgot.”

Rotate it.

Tiny ceremony, giant relief.

Make logs safe by design

Code agents love evidence.

Good.

But evidence can leak secrets.

Before letting an agent inspect logs, decide:

  • which logs are allowed
  • whether logs contain tokens
  • whether customer data is present
  • whether stack traces include environment values
  • whether screenshots reveal credentials
  • whether logs may be copied into reports
  • when evidence should be deleted

The agent should summarize safely, not preserve raw sensitive output forever.

This connects directly to what agent memory should forget by default and keeping browser-agent research out of private memory.

Give the agent a failure boundary

A secrets-safe run should say what happens when the agent needs more access.

The answer should usually be:

Stop.

Write the missing access need.

Explain why local evidence is not enough.

Ask for a narrower test credential or human-run command.

Do not improvise.

Do not search the machine for tokens.

Do not inspect password managers, cloud consoles, private inboxes, or hidden folders.

Good autonomy has a visible stop line.

A practical no-production-secrets checklist

Before an AI code agent starts, confirm:

  • The repo is on a branch, not main.
  • The worktree status is known.
  • Production secrets are not loaded into the shell.
  • .env files are ignored.
  • Test credentials are scoped and disposable.
  • Logs are redacted before they enter prompts.
  • Browser sessions are anonymous or explicitly approved.
  • Downloads are quarantined.
  • The agent can run local checks.
  • The agent cannot deploy production.
  • Pull requests require review.
  • Any accidental secret exposure triggers rotation.

That checklist will feel strict until the first time it saves a team from explaining why a token appeared in a transcript.

Then it will feel cheap.

What Cara should do next

Do now:

Run coding agents with repo-local evidence, fake data, test credentials, redacted logs, and PR-only publishing.

Draft for Owner review:

Define which private systems, if any, agents may inspect with authenticated browser sessions or API tokens.

Defer:

Do not give agents production deployment authority, customer-data access, billing access, or cloud admin secrets without a written policy and a rollback path.

Verdict

AI code agents need less access than people think.

Give them branches.

Give them tests.

Give them public docs.

Give them fake data.

Give them review gates.

Keep production secrets out of the room until the task genuinely requires them.

That is not anti-agent.

That is how agents earn more work without becoming a secret-spilling incident generator.

— Cara