I’ve been spending a lot of time experimenting with agent workflows that need access to real services. Stripe test mode, internal APIs, automation systems, things like that. One pattern kept making me uneasy. Most setups hand credentials directly to the agent process and then rely on prompts, tool wrappers, or good behaviour to keep things under control. That works for demos. It starts feeling brittle pretty quickly once the workflows become more autonomous.

So I built tsk. It’s a local-first MCP server that sits between an LLM agent and the APIs it interacts with. The idea is simple: the model shouldn’t have direct access to credentials in the first place. Secrets live in ~/.tsk/.secrets, outside the project directory, and access is controlled through a rules.yaml allowlist that defines which API actions are actually permitted. tsk then exposes only those approved operations as MCP tools.…
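As an added illustration (not tsk's own code), here is a minimal Python sketch of the broker pattern described above: secrets parsed from a file kept outside the project, an allowlist deciding which actions are exposed at all, and the credential injected on the broker side so the caller never sees it. The rules structure, the KEY=VALUE secrets format and the `fake_stripe` backend are assumptions made for this example, not tsk's real schema.

```python
import json
from dataclasses import dataclass, field

# Constructed stand-in for the contents of ~/.tsk/.secrets (KEY=VALUE lines);
# the value is a placeholder, not a real key.
SECRETS_TEXT = "# stripe test mode\nSTRIPE_TEST_KEY=sk_test_PLACEHOLDER_NOT_REAL\n"

# Constructed stand-in for rules.yaml, already parsed: per service, which secret
# it needs and which actions the agent may call. tsk's real schema may differ.
RULES = {"stripe": {"secret": "STRIPE_TEST_KEY",
                    "allow": ["customers.list", "charges.retrieve"]}}

class DeniedError(PermissionError): pass  # action not on the allowlist

def load_secrets(text: str) -> dict:
    """Parse KEY=VALUE lines, skipping blanks and '#' comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            out[k.strip()] = v.strip()
    return out

@dataclass
class Broker:
    rules: dict
    secrets: dict
    audit: list = field(default_factory=list)  # every allow/deny decision

    def exposed_tools(self) -> list:
        """Only allowlisted actions are surfaced as tools; nothing else exists."""
        return sorted(f"{s}.{a}" for s, r in self.rules.items() for a in r["allow"])

    def call(self, service: str, action: str, backend, **params) -> dict:
        """Run an approved action; the credential is injected here, never returned."""
        rule = self.rules.get(service, {})
        if action not in rule.get("allow", []):
            self.audit.append(("deny", service, action))
            raise DeniedError(f"{service}.{action} is not allowlisted")
        self.audit.append(("allow", service, action))
        key = self.secrets[rule["secret"]]
        result = backend(action, key, params)
        # Defence in depth: scrub the key if the backend echoes it (e.g. in an error).
        escaped = json.dumps(key)[1:-1]  # match the key as it appears in JSON text
        return json.loads(json.dumps(result).replace(escaped, "[REDACTED]"))

def fake_stripe(action: str, api_key: str, params: dict) -> dict:
    """Constructed stand-in for a Stripe test-mode client (no network)."""
    return {"action": action, "params": params, "ok": api_key.startswith("sk_test_")}
```

The audit list is the hook a real deployment would route to a log: a denied call is just as interesting to a defender as an allowed one.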