The mTLS sidecar is the right answer but it's worth noting why most people won't do it: the operational complexity is brutal. You need cert provisioning, rotation, a CA you actually trust, and suddenly your "just give the agent an API key" problem has become a PKI problem.

What I find more interesting is the host-scoping approach hardsnow mentioned upthread. Even without mTLS, if the proxy only injects credentials for requests matching specific host+path patterns, you've at least bounded the blast radius. A prompt-injected agent can abuse the credentials it has access to, sure, but it can't exfiltrate them to arbitrary endpoints. That's not perfect security but it's a meaningful improvement over "agent has raw Stripe key in an env var."

The real gap nobody's addressing yet is request-level authorization. Credential injection solves "who are you" but not "should you be doing this." An agent with scoped GitHub access can still force-push to main.
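An added illustration of the host+path-scoped credential injection described above, in Python; it is example code written for this discussion, not code from any commenter or from a real proxy. The rule format, header names, secret references and hosts are all assumptions, and the secret store is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Hypothetical policy format: each rule binds one credential to an exact host,
# a path glob and the HTTP methods the agent may use with that credential.
@dataclass(frozen=True)
class InjectionRule:
    host: str                 # exact hostname match (scheme must be https)
    path_glob: str            # fnmatch-style glob over the URL path
    methods: frozenset        # allowed HTTP methods
    header: str               # header the proxy sets on a matching request
    secret_ref: str           # name of the secret in the proxy's store

RULES = [
    InjectionRule("api.stripe.com", "/v1/charges*", frozenset({"GET", "POST"}),
                  "Authorization", "STRIPE_KEY"),
    InjectionRule("api.github.com", "/repos/example-org/*", frozenset({"GET"}),
                  "Authorization", "GITHUB_TOKEN"),
]

# Constructed secret store standing in for a vault; the agent never sees it.
SECRETS = {"STRIPE_KEY": "Bearer sk_constructed", "GITHUB_TOKEN": "Bearer ghp_constructed"}

def inject(method: str, url: str, headers: Dict[str, str]) -> Tuple[Dict[str, str], Optional[str]]:
    """Return (outgoing headers, secret_ref injected or None).

    A credential is injected only when host, path and method all match a rule,
    so a request to any other endpoint leaves the proxy without a secret. The
    matched header is overwritten, so the agent cannot choose its own value.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return dict(headers), None          # never inject over plaintext
    for rule in RULES:
        # urlsplit().hostname ignores userinfo, so "trusted@evil" resolves to "evil"
        if (parts.hostname == rule.host
                and fnmatchcase(parts.path, rule.path_glob)
                and method.upper() in rule.methods):
            out = dict(headers)
            out[rule.header] = SECRETS[rule.secret_ref]
            return out, rule.secret_ref
    return dict(headers), None
```

The method allowlist narrows what the injected credential can do, but the proxy still sees only host, path and verb, not the intent inside a request body, which is the request-level authorization gap the comment points at.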