The Secret Problem: How Agents Store Credentials Without Leaking Them

Your agent needs credentials. API keys for external services. OAuth tokens. Database passwords. SSH keys.

Where do you store them?

This sounds simple — until you realize:

  • Memory leaks — agent logs or debug output exposes secrets
  • Backup leaks — you back up state, and secrets end up in plain-text files
  • Migration leaks — you move infrastructure, secrets travel unencrypted
  • Recovery leaks — you restore from backup, old (possibly revoked) credentials resurface

This is the secret problem — and most agent builders solve it wrong.
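
To make the first two leak paths concrete, here is an added example (not code from the original post): a credential wrapper that redacts itself in debug output and turns into a named reference when state is snapshotted for backup. The names `Secret`, `snapshot`, `debug_dump` and `WEATHER_API_KEY`, and the key value, are constructed for illustration.

```python
import json
import logging

class Secret:
    """Credential wrapper: never prints its value, never pickles."""
    __slots__ = ("name", "_value")

    def __init__(self, name, value):
        self.name = name        # reference name, safe to log and back up
        self._value = value     # plaintext, kept only in process memory

    def reveal(self):
        # The single read path; call it at the point of use.
        return self._value

    def __repr__(self):
        return f"Secret({self.name!r}, <redacted>)"
    __str__ = __repr__

    def __reduce__(self):
        # Block pickle/deepcopy so state dumps cannot carry the plaintext.
        raise TypeError("Secret must not be serialized")

def snapshot(state):
    """Serialize agent state for backup; a Secret becomes a reference."""
    def encode(obj):
        if isinstance(obj, Secret):
            return {"secret_ref": obj.name}  # resolved again at restore time
        raise TypeError(f"cannot serialize {type(obj).__name__}")
    return json.dumps(state, default=encode, sort_keys=True)

class _ListHandler(logging.Handler):
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(record.getMessage())

def debug_dump(state):
    """Log state as a debug statement would; return the emitted lines."""
    handler, log = _ListHandler(), logging.getLogger("agent.demo")
    log.addHandler(handler)
    log.setLevel(logging.DEBUG)
    log.propagate = False
    try:
        log.debug("step=%s state=%s", "demo", state)
    finally:
        log.removeHandler(handler)
    return handler.lines
```

Because the snapshot holds only the reference name, a restore has to fetch the current credential from wherever it is kept rather than reviving the one that existed at backup time.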