How EdDSA JWTs Solve the Agent Credential Problem

DEV Community·Pico·29 days ago

A discussion on Hacker News last week (115 points, "The agent harness belongs outside the sandbox") landed on a structural fact most agent platforms have not internalised. If your harness lives inside the same sandbox as the user code, every credential the harness holds belongs to the user code too. Container escape isn't required. The harness is in the same process tree.

The thread converged on a sharper observation in the comments. There's no off-the-shelf primitive for centralized zero-trust auth for agents. Teams are inventing scoping schemes for OAuth tokens, IP-allowlisting their own infrastructure, and pretending the harness boundary is a security boundary because nothing better exists.

It does. Ed25519 plus JWKS. Most platforms just haven't wired it up.

What "credentials in the sandbox" actually means

Take a typical agent loop. The harness pulls the user's code, runs LLM API calls on the user's behalf, executes tool invocations against external services.…
