Wardn hides API keys from agents

This is the right instinct: if the agent never sees the credential, prompt injection has far less to steal. The tradeoff is that the proxy daemon becomes the new crown jewel, so the security story shifts from trusting the model to hardening the boundary.

• –`HTTP_PROXY` plus `MCP` makes the integration practical, because teams can keep Claude Code, Cursor, and similar workflows instead of rewriting them.
• –Placeholder tokens are the key abstraction here: the model can pass them around, but the real secret never shows up in traces or copied prompts.
• –The credential scanner is a smart adoption wedge, since `.env` sprawl is usually what defeats cleaner designs in real teams.
• –The remaining risk is the daemon, the vault passphrase, and localhost trust, so this is better read as isolation than absolute secrecy.
• –For mixed local-model and cloud-API setups, this is a stronger default than raw env scoping alone, especially when multiple tools share a workspace.