<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: s-gw</title>
    <description>The latest articles on DEV Community by s-gw (@s-gw).</description>
    <link>https://dev.to/s-gw</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4015328%2Fe6677ec7-ead0-41ad-9602-7223f956cf7b.png</url>
      <title>DEV Community: s-gw</title>
      <link>https://dev.to/s-gw</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/s-gw"/>
    <language>en</language>
    <item>
      <title>Stop giving coding agents raw credentials</title>
      <dc:creator>s-gw</dc:creator>
      <pubDate>Sat, 04 Jul 2026 18:18:37 +0000</pubDate>
      <link>https://dev.to/s-gw/stop-giving-coding-agents-raw-credentials-558f</link>
      <guid>https://dev.to/s-gw/stop-giving-coding-agents-raw-credentials-558f</guid>
      <description>&lt;p&gt;Coding agents can run tests, call APIs, manage infrastructure, and work with local developer tools. That usefulness eventually collides with credentials.&lt;/p&gt;

&lt;p&gt;The common options are uncomfortable: paste a token into a prompt, leave it in a broad environment variable, or let every subprocess inherit the same secret.&lt;/p&gt;

&lt;p&gt;I built &lt;a href="https://github.com/sgateway/s-gw" rel="noopener noreferrer"&gt;s-gw&lt;/a&gt; to put a local approval boundary between the agent and the credential.&lt;/p&gt;

&lt;h2&gt;Give the agent a handle, not the secret&lt;/h2&gt;

&lt;p&gt;The agent receives a typed handle that identifies the credential it needs. When it wants to act, s-gw shows the exact command, credential, environment binding, working directory, policy, and destination for local review.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fgm0jbthu5mnakv4v3v4o.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fgm0jbthu5mnakv4v3v4o.gif" alt="s-gw overview showing local readiness, approvals, credential handles, policies, usage flow, and recent activity" width="599" height="309"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The agent can request useful access without reading or retaining the raw value.&lt;/p&gt;

&lt;h2&gt;Keep execution inside one local trust loop&lt;/h2&gt;

&lt;p&gt;After approval, s-gw resolves the credential locally and injects it into one bounded child process. The command runs with the approved scope, then the output is sanitized before it returns to the agent.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fkwd07dspwrr9onl114zd.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fkwd07dspwrr9onl114zd.gif" alt="s-gw trust loop from coding agent through local approval and bounded execution" width="759" height="386"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The flow is:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;The agent sends a typed handle and an action request.&lt;/li&gt;
&lt;li&gt;The policy engine validates the request.&lt;/li&gt;
&lt;li&gt;You review and approve the command locally.&lt;/li&gt;
&lt;li&gt;The credential enters only the approved process.&lt;/li&gt;
&lt;li&gt;Sanitized output returns to the agent.&lt;/li&gt;
&lt;li&gt;The local activity log records the request, decision, and destination without recording the raw secret.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;This is not meant to make a coding agent trusted. It makes credential use narrower, visible, and revocable.&lt;/p&gt;

&lt;h2&gt;See where credentials are being used&lt;/h2&gt;

&lt;p&gt;The local usage map connects agents to authentication types and destinations. It helps answer practical questions: Which agent used an AWS key? Which targets are receiving the most credentialed actions? Is an old handle still active?&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ffck6duhyb4ws0flj40hy.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ffck6duhyb4ws0flj40hy.gif" alt="s-gw credential usage map showing agent, authentication type, and target routes" width="560" height="295"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;Current status&lt;/h2&gt;

&lt;p&gt;s-gw is open-source preview software, not a hardened enterprise secrets platform. macOS is the primary path today, Windows is preview, and Linux is experimental.&lt;/p&gt;

&lt;p&gt;Install it from npm:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;npm install -g @s-gw/s-gw
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Repository: &lt;a href="https://github.com/sgateway/s-gw" rel="noopener noreferrer"&gt;github.com/sgateway/s-gw&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Interactive demo: &lt;a href="https://s-gw.com" rel="noopener noreferrer"&gt;s-gw.com&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I would especially value feedback from people using coding agents with API tokens, SSH keys, cloud credentials, local MCP tools, or 1Password. What would you need to see before letting an agent use a real credential?&lt;/p&gt;

</description>
      <category>ai</category>
      <category>opensource</category>
      <category>security</category>
      <category>devtools</category>
    </item>
  </channel>
</rss>
