The problem was simple and the wrong solution was obvious.
Five agents. Five API keys. ANTHROPIC_API_KEY for Claude. OPENAI_API_KEY for Codex. GOOGLE_API_KEY for Gemini. DASHSCOPE_API_KEY for Qwen. OPENCODE_API_KEY for OpenCode. Each key was a secret. Each key cost money when used. Each key granted access to a specific provider's infrastructure.
The wrong solution was to forward all five keys into every container. Let the container figure out which one it needed. Simple, lazy, dangerous. An agent running as Claude would have access to the OpenAI key it didn't need. A compromised container would leak all five keys instead of one. The blast radius of a single breach would be everything.
Leash did it the right way. When you ran leash --open claude, Leash looked at the agent name, consulted a mapping table, and forwarded only ANTHROPIC_API_KEY into the container. The other four keys remained on the host, invisible, unreachable, nonexistent from the container's perspective.
leash --open codex forwarded OPENAI_API_KEY and nothing else.
leash --open gemini forwarded GOOGLE_API_KEY and nothing else.
One agent, one key. The principle of least privilege applied to API credentials.
Jay appreciated the elegance when he first read the source code. The mapping was defined in the config file, human-readable, human-editable. You could add new agents, remap keys, define custom environment variables for custom agents. The default mapping was sensible. The overrides were straightforward.
"It's the small things," Jay told Justin during their weekly one-on-one. "Nobody talks about credential forwarding in AI tooling. Everybody talks about prompt engineering and model selection and fine-tuning. But the thing that actually protects you from a thousand-dollar surprise on your API bill is whether the container has access to the right key and only the right key."
Justin nodded. "Security is the accumulation of small correct decisions. No single one is dramatic. But the aggregate is the difference between a system you can trust and a system you hope works."
Navan had a different appreciation. He liked that the credential forwarding happened automatically, without him having to think about it. When he typed leash --open claude, the right key appeared inside the container as if by magic. He didn't have to remember which environment variable Claude needed. He didn't have to write a shell script to extract and forward it. Leash knew.
"It's like a bartender who remembers your drink," Navan said.
"Except the bartender only gives you your drink," Jay replied. "Not everyone else's drink plus yours."
Five agents. Five keys. Five isolated environments. Each one seeing exactly what it needed and nothing more. The credential forwarding was invisible, automatic, and correct. Which, in security, was the trifecta.
The wrong solution being "forward all five keys" is what literally every tutorial does. "Just add all your keys to the .env file!" Leash doing it right by default is a massive improvement.