TL;DR: AI coding agents automatically read your .env files and send secrets to remote servers. No permission system reliably prevents this. The fix: use Infisical for secrets, run your dev stack in Docker, and run AI agents in a separate sandbox with source code only. No secrets on disk. No shared environment. Trust no one.
I use AI coding agents every day. Claude Code, Codex, Cursor. They edit my files, run my tests, and help me ship faster. They also read my .env files, load my API keys into their context window, and send everything to remote servers. I did not ask for this. There was no prompt. It just happened.
This is the story of how I rebuilt my entire local development workflow to fix this.
## The series
- Why 1Password CLI fails for developers: No project structure, biometric fatigue, opaque approval popups that cannot be fixed at the OS level.
- Setting up Infisical for local development: Installation, project/environment structure, CLI, Terraform/OpenTofu integration.
- AI coding agents are reading your secrets: The threat with proof, CVEs, and why ignore files do not help.
- Docker-first development architecture: Dev stack in Docker Compose, Infisical for secrets injection, the full setup.
- Expo and React Native: the Docker exception: Why Expo must run on the host and why that is safe.
- Why AI agent permissions don’t work: Claude’s trust levels, allowed actions, and permission popups are the wrong security model.
- Choosing an AI sandbox: nono vs zerobox vs Docker vs others: Every isolation option compared with trade-offs.
- Protecting against compromised packages: Multi-stage Docker builds, supply chain attacks, compromised package managers.
- Connecting AI sandboxes to dev containers: Three ways to let Claude test endpoints without seeing secrets.
- Git pre-commit secret scanning: Setup, pre-commit hooks, team enforcement.
- When a secret leaks: incident response: Rotate first, investigate second. Step by step.
- Securing host tools with nono: Sandboxing Helix, lazygit, and other CLI tools. Linux vs macOS.
- The dual-machine setup: Apple + Linux: Keep Apple for personal, Linux for development. Local LLMs for maximum privacy.
- Scaling secure development to a team: Onboarding, offboarding, RBAC, CI/CD machine identities.
- Why Infisical over Vault, Doppler, and SOPS: Alternatives compared, and why no secrets manager can save a compromised machine.
- Secure development daily workflows: Morning startup, coding with AI, adding and rotating secrets, multi-project setup.
- Secure development checklist and decision framework: Hardening checklist and a matrix of what goes where.
## The core principle
Secrets live in Infisical. They are injected into Docker containers at runtime. AI agents run in separate sandboxes with source code only. No secrets on disk. No shared environment. Trust no one. Deny by default. Enforce with infrastructure, not with promises.
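The principle, expressed as a minimal Docker Compose layout. This is an added illustration, not configuration from the series; the service names, images, variable names and the `infisical run --env=dev` wrapper invocation are assumptions.

```yaml
# docker-compose.yml (added example; names and images are assumed)
# Start the stack with:  infisical run --env=dev -- docker compose up -d
# Infisical places the secrets in the environment of the compose process
# only; nothing is written to disk.
services:
  api:
    build: .
    # Bare keys (no "=value") are passed through from the environment of
    # the compose process. There is no env_file: and no .env in the
    # project root, so there is nothing for an agent to read.
    environment:
      - DATABASE_URL
      - STRIPE_SECRET_KEY
    ports:
      - "127.0.0.1:3000:3000"
    networks: [devstack]

  db:
    image: postgres:16
    environment:
      - POSTGRES_PASSWORD   # also injected by the infisical run wrapper
    networks: [devstack]

  # The AI agent container gets the source tree and nothing else: no
  # environment: and no env_file:, so none of the secrets above exist in
  # its process environment. It reaches the api service over the compose
  # network to run tests against it.
  agent:
    image: node:20
    working_dir: /workspace
    volumes:
      - ./src:/workspace/src
      - ./package.json:/workspace/package.json:ro
    command: sleep infinity
    networks: [devstack]

networks:
  devstack: {}
```

One check worth keeping: `docker compose` also reads a `.env` in the project directory for variable interpolation, so a stray `.env` would silently reintroduce secrets on disk; `git ls-files --error-unmatch .env` failing is the state you want.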
## Tools
| Tool | Purpose |
|---|---|
| 1Password | Personal passwords, 2FA, SSH keys, browser autofill |
| Infisical | Application secrets, API keys, database credentials |
| nono | Kernel-level sandboxing for AI agents and CLI tools |
| zerobox | Process sandboxing with clean env vars and per-host secret injection |
| sbx | Micro-VM-isolated AI agent sandbox (standalone, no Docker Desktop needed) |
| age | Offline secret encryption |
| sops | Encrypted secrets in version control |