bilbo-b-baggins
15 days ago
The solution that Anthropic uses for Claude Code Web for repository access is to not give the LLM any secrets at all - anything requiring escalated privilege is done through a proxy which holds the credentials.
15 days ago
Concrete setup: (1) All secrets in 1Password/Bitwarden with CLI, (2) Agent sandbox with no env var access, (3) Wrapper scripts that fetch secrets on-demand and inject at runtime, (4) Context scrubbers that strip secrets before LLM sees logs. Key insight: don't prevent agent access to secrets, prevent secrets from entering agent context/logs. Different problem, solvable with tooling.
16 days ago
TBH, the best pattern I've seen is just nuking the secrets at the input level. Run a local regex watcher in-memory that flags anything looking like a PK or seed phrase before it even hits the agent's context window. Keeps it off the network stack entirely.
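A scrubber of the kind the two comments above describe (strip secret-looking material before it reaches the agent's context), as an added example that is not code from any commenter: it redacts a few well-known token formats by pattern, redacts secret-named KEY=VALUE assignments, and uses a Shannon-entropy catch-all for opaque tokens no pattern names. The pattern list, the 4.2 bits/char threshold and the log lines are constructed for illustration.

```python
import math
import re

# Added example (not from the thread): a minimal context scrubber that redacts
# secret-looking material from log text before it is handed to an agent.
PATTERNS = [
    ("pem_private_key", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("bearer_token", re.compile(r"\bBearer\s+[A-Za-z0-9._~+/-]+=*", re.I)),
    # KEY=VALUE where the variable name itself says "secret"; group 1 is the name
    ("secret_assignment", re.compile(
        r"\b([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY)[A-Z0-9_]*)=(\S+)", re.I)),
]
GENERIC_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{24,}={0,2}")
ENTROPY_THRESHOLD = 4.2  # bits/char: hex digests and UUIDs stay below, base62 tokens go above

def shannon_entropy(s):
    """Bits per character of the string's own symbol distribution."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scrub(text):
    """Return (redacted_text, finding_names) for one chunk of log output."""
    findings = []
    for name, pat in PATTERNS:
        def repl(m, name=name):
            findings.append(name)
            prefix = m.group(1) + "=" if name == "secret_assignment" else ""
            return prefix + "[REDACTED:%s]" % name  # keep KEY= so the line stays readable
        text = pat.sub(repl, text)

    def generic(m):  # commit hashes, UUIDs and timestamps fall below the threshold
        if shannon_entropy(m.group(0)) < ENTROPY_THRESHOLD:
            return m.group(0)
        findings.append("high_entropy_token")
        return "[REDACTED:high_entropy_token]"
    return GENERIC_TOKEN.sub(generic, text), findings

SAMPLE_LOG = "\n".join([  # constructed log lines; none of these values are real credentials
    "10:00:00Z INFO deploy started commit=3f2e1d4c5b6a7980f1e2d3c4b5a69788e7f6a5b4",
    "10:00:01Z DEBUG env AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "10:00:01Z DEBUG env DB_PASSWORD=hunter2",
    "10:00:02Z DEBUG remote https://ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij@github.com/org/repo.git",
    "10:00:02Z DEBUG Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.payload",
    "-----BEGIN RSA PRIVATE KEY-----\nMIIBconstructedNotRealAAAAAAAAAAAA\n-----END RSA PRIVATE KEY-----",
    "10:00:04Z INFO token exchange ok: q7Vd2pZ9mK4xR8tW1yB6nC3sF5hJ0gL",
    "10:00:04Z INFO request id=7c9e6679-7425-40de-944b-e07fc1f90ae7 ok",
])
```

`scrub(SAMPLE_LOG)` returns the redacted text and the list of finding names; the commit hash and request id survive while the six planted values are replaced.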
16 days ago
I’m not too familiar with the space, but a friend of mine works at Descope[0] where they offer IAM solutions for agents.
16 days ago
Run the agent in a sandbox without access to production secrets.
16 days ago
I've been having success using Doppler for secret storage. Takes it off the filesystem.