Don't be the next
GitHub
Each was compromised through a developer's environment — a leaked secret, a poisoned supply chain, an AI agent gone rogue. Bromure Agentic Coding stops all three.
Download Bromure Agentic Coding nowApple Silicon (M1 or later) · Free & Open Source
They didn't use Bromure Agentic Coding
Contain the blast radius, not the developer.
The instinct is to lock developers down — EDR, no root, every credential behind a queue. It doesn't work: when the machine isn't theirs, they route around you, and you lose the control you reached for and the visibility you had.
Give them the whole machine
Root, any package, any experiment, at 2am with no ticket. Take that away and a good engineer rebels — or quietly routes around you. It has to feel like theirs or they won't use it.
They hold the keys to the kingdom
The production database. The AWS account. The cluster a command can delete. That access is the job — but one bad command, one poisoned dependency, one agent off the rails puts the whole company in the blast radius.
Let them experiment, take the damage off the table
You don't make this safe by shrinking what the developer can do, but by shrinking what a mistake — or a compromise — can reach.
So Bromure leaves the developer's power intact and leashes four things instead: their secrets, their environment, what the supply chain smuggles in, and what a poisoned file tries to talk the agent into doing.
Full power for the developer, a leash on the damage.
Your secrets
Real tokens and SSH keys never enter the sandbox. The agent gets stubs; a proxy on your Mac swaps in the real bearer at the wire. Anything sensitive takes a click.
Your environment
Guardrails inspect the operation, not just the connection. A DELETE, a force-push, a DROP against production stops and asks you first — whatever token it's holding.
Your supply chain
Every package the agent pulls is scanned against OSV and socket.dev, install scripts are stripped, and brand-new releases are held back — before any of it reaches the VM.
The agent's instructions
An attacker doesn't always need a token — sometimes a poisoned file just tells the agent what to do. Bromure scans what the agent reads for prompt injection, and the CLAUDE.md it trusts for hidden orders — and can block the request before the model acts.
The agent works, the secrets stay home.
An agent that can't reach your repos, registries, and servers isn't useful. The naive fix — drop your tokens and keys into the VM — hands them to the next typosquatted dependency that reads them.
Bromure flips it. The VM ships with stubs that look real to any tool expecting an Authorization header. A proxy on your Mac catches each outbound connection and swaps the stub for the real secret at the wire. The real value never touches a file, env var, or memory the VM can read.
the agent runs here
real secrets never leave
sees a valid token
The real PAT never touches a file, env var, or page of memory the VM can reach. A poisoned dependency walks away with the stub.
Stubs in, real tokens out
Configure your credentials once, on the host. The VM gets stubs every tool accepts; the proxy substitutes the real bearer as the request leaves. A package scraping the filesystem walks away with placeholders.
ssh-agent forwarded, never exposed
SSH keys stay in the macOS Keychain — Bromure forwards only the ssh-agent socket into the VM. ssh and git work transparently, but there's no key file, no passphrase in memory, nothing to steal.
A click between the agent and your secrets.
Mark a credential sensitive and Bromure puts a human in the loop. When anything reaches for it through the proxy, a prompt on your Mac names the credential and destination and asks. Approve for five minutes, an hour, the session, or just once.
Time-bounded approval
Pick the TTL when you approve: five minutes for a push, an hour for a release, single-use for the scary ones. The grant expires on its own, so a token isn't left wide open all day.
Local malware loses its leverage
Local malware that tries to push to your registry, impersonate you, or drain a cloud account can't. The credentials aren't on disk, and the proxy only releases one when you click approve. Code execution alone is no longer enough to touch production.
Long-lived tokens become moments of access. Even with your laptop fully compromised, an attacker still has to get past you to do anything that matters.
Make any key read-only on the way out.
The horror stories aren't about stolen tokens — they're about an agent handed a legitimate credential that deletes the wrong thing in production. The key was never compromised; it just had write access it shouldn't. And the textbook fix — a read-only token per tool, per session — is too tedious to actually do.
Guardrails reads the operation, not just the connection — a read from a write. Mark a credential read-only and Bromure refuses anything that changes state. Set it to ask instead, and the moment the agent tries to mutate something, Bromure stops it at the wire and asks — naming the verb, target, and profile, exactly like this.
Read-only without re-issuing a thing
Stop minting a scoped token per tool, per repo, per session. Keep the credential you have and drop a read-only boundary in front of it — it acts read-only for as long as you say. Need to ship? Flip it back for fifteen minutes.
Ask before it mutates
Set sensitive credentials to prompt, and every state-changing call pauses until you approve. Same time-boxed grants: fifteen minutes, once, the session, or never. The agent can read all day; it can't change production without a yes.
The agent keeps its autonomy where mistakes are cheap and loses it exactly where they aren't. "The agent deleted the production database" stops being a postmortem and becomes a dialog box you clicked “Don't allow” on.
Every package the agent pulls, scanned before it lands.
The logos at the top of this page are a wall of supply-chain incidents. An agent that installs dependencies on your say-so is the perfect delivery vehicle: it runs `npm install`, a transitive dependency fires its postinstall, and you find out next quarter.
Supply Chain turns that same proxy into a scanning checkpoint: every package the agent fetches is checked against OSV and socket.dev, install scripts are stripped, and brand-new releases are held back. It runs at the VM boundary, so it stays on whatever the agent does inside.
Enforced below the agent, not by it
Every package fetch leaves the VM through Bromure's proxy. However the agent rewrites its config to route around you, the scan happens at the boundary it can't cross — so it holds even when the agent tries to evade it.
Two scanners, two kinds of threat
OSV catches known CVEs above the severity threshold you set. socket.dev catches what the databases haven't yet — rogue install scripts, malware, typosquats. A flagged release is blocked before it reaches the VM.
Install scripts, stripped on the fly
Install hooks like `postinstall` are where payloads actually execute. Bromure strips them from the tarball and fixes the metadata hash so the install still verifies. The few native builds that genuinely need them go on a short allowlist; everything else installs inert.
A package has to age before it can bite
Compromised versions usually get yanked within hours — exactly the hours an agent might pull one. Bromure quarantines anything published in the last two days (tunable), so a fresh malicious release isn't installable while the ecosystem catches up.
The agent can `npm install` whatever it needs — but never a known critical CVE, a compromised release, a disallowed install script, or a version uploaded an hour ago. The guardrail never depends on the agent's cooperation.
Catch the instructions hidden in what the agent reads.
Not every attack needs a stolen credential. A comment in a source file, a line in a fetched web page, a string in a tool's output, or a directive buried in a CLAUDE.md can quietly tell the agent to do something you never asked for — leak a file, weaken a check, run a script. The model reads it as instructions and obliges.
Bromure inspects the untrusted content flowing to the model — file reads, web fetches, tool results — for prompt injection, and the instruction files the agent treats as authority (CLAUDE.md, AGENTS.md, GROK.md) for hidden or hostile orders. Detection runs on-device; nothing leaves your Mac. Log it, flag it for review, or block the request before it ever reaches the model.
Injection in untrusted content
Every file the agent reads, page it fetches, and tool result it ingests is scanned with an on-device classifier. An instruction smuggled into a README, a code comment, or an API response is caught before the model acts on it.
Rogue instructions in rules files
CLAUDE.md, AGENTS.md, and GROK.md carry real authority over the agent. Bromure reads them for hidden directives — “ignore previous instructions,” “don't tell the user,” zero-width characters, bidirectional-text tricks — and the calmly-worded abuse a keyword filter would miss.
The agent can read anything you point it at — a stranger's repo, a scraped page, a teammate's CLAUDE.md — without quietly taking orders from it. A poisoned file becomes a flagged detection, not a breach.
See exactly what the agent did.
A coding agent makes hundreds of decisions a session, and most scroll past unread. That's fine until something breaks — or until you have to explain to a teammate or an auditor what the model actually changed.
Bromure records the whole session as it runs: every prompt, response, tool call, shell command, and file written. Open it afterward, search it, attach it to a pull request. The agent works fast; the record is patient.
Full dialogue capture
Prompts, completions, tool calls, shell commands, file edits, exit codes — captured live. Nothing is reconstructed from scrollback; nothing is lost when you close the terminal.
Replayable, reviewable, attributable
Scrub through the agent's reasoning and actions, see exactly what was installed and why, and turn 'it just worked' or 'it just broke' into something you can show to another human.
When the agent works, the trace is your paper trail. When it doesn't, it's your bug report.
Bring your own agent.
Bromure Agentic Coding doesn't replace your tooling — it gives it a safe place to run. The VM ships with the runtimes most agents expect, and you install the rest.
Claude Code
Anthropic's terminal agent runs natively in the VM. Authenticate once and let it pull dependencies, run tests, and refactor against your shared repo.
Codex
OpenAI's coding agent installs the same way it would on any Linux box — except this Linux box can't see your home directory.
Grok Build
xAI's coding agent installs and runs in the VM like any other Linux tool. Point it at the shared repo; your real tokens and SSH keys stay on the host, out of its reach.
Anything else
Aider, OpenHands, custom internal agents — if it runs on Linux, it runs in Bromure. The VM is just a Linux machine; the safety comes from where it lives.
Most tools cover one layer. Bromure covers all of them.
Isolation, keeping secrets out of the agent, scoping how those secrets get used, scanning the supply chain, catching prompt injection — the field tends to pick one. Here's the same agent threat model run across the tools people reach for, and where each one ends.
| Protection | Dev ContainerVS Code | nonokernel sandbox | agent-vaultoctokraft | Agent VaultInfisical | Docker SandboxesmicroVM | BromureAgentic Coding |
|---|---|---|---|---|---|---|
Isolation boundary Where the blast radius stops | Same container, shared kernel | Kernel allow-lists, no own kernel | Agent runs in place | Proxy only; agent unboxed | microVM, its own kernel | Hardware VM, its own kernel |
Keep secrets out of the agent Can it ever read the real credential? | Forwards SSH agent + git creds | Blocks key files; proxies some | Piped in; no read path | Proxy attaches on the wire | Host proxy injects headers | Stub swapped at the wire |
Credential scope & approval Per-use limits, read-only, expiry, consent | No per-use scoping | Approval flow + egress filter | Per-secret TTL; blocks shells | Egress filter per endpoint | Domain allow-list; in-VM code can still use it | Per-destination consent + TTL |
Supply-chain scanning Catching malicious / vulnerable packages | No registry scanning | Signing only, no pkg scan | Out of scope | Out of scope | No package scanning | Age-gate, OSV, socket.dev |
Prompt-injection detection Scanning untrusted content & rules files | — | — | — | — | — | PromptGuard + ModernBERT |
Audit trail Recording what the agent did | Container logs only | Immutable local audit | — | Request logging | Request logging | Full session trace, encrypted |
Supply-chain inventory(Enterprise) A record of every package fetched | — | — | — | — | — | Every dependency + verdict, searchable |
Token usage(Enterprise) Which files burn the most tokens | — | — | — | — | — | Per file, repo, and model |
Hiding a token isn't the same as governing its use. Docker Sandboxes keeps the raw value out of the VM — but its proxy still attaches that credential to any outbound request the sandbox makes, so a compromised package installed on the side can spend it against an allow-listed domain without ever seeing it. Only Bromure scans the package before it runs and gates each use — consent, read-only, a TTL — enforcing all five controls at one boundary the agent can't reach around.
Compiled from each project's public documentation, June 2026. Here, agent-vault refers to octokraft/agent-vault (pipe-based secret injection), distinct from Infisical's Agent Vault (HTTP credential proxy). Docker Sandboxes is an experimental preview whose brokered credentials stay usable by anything inside the VM. Bromure's fleet-wide package inventory and token-usage rollups are surfaced in Bromure Enterprise Manager. These tools move fast — see something out of date? Let us know.
Give your agent a real workshop.
One VM. Total isolation. Install anything. Bromure Agentic Coding is free and open source.
Download Bromure Agentic Coding nowApple Silicon (M1 or later) · Free & Open Source