Planck v0.1.10
67822a3 
alexdesousa
Alex de Sousa
Credential security
The big theme of this release is keeping API keys out of agent context entirely.
Credential proxy (Docker stack)
The Docker stack now includes Infisical agent-vault as an internal HTTPS MITM proxy. All outbound HTTP calls — LLM requests and tool calls alike — route through the proxy, which injects credentials silently based on host-matching service rules.
Agents never see API keys. The bash tool runs with a minimal environment (PATH, HOME, and proxy vars only). Credential injection is host-scoped: a rule for api.anthropic.com only fires for requests to that host, so prompt injection can't exfiltrate keys to attacker-controlled servers.
Port 14321 (vault management API) is not published externally. Everything is managed through Planck's own UI.
Secrets modal
The setup modal gains two new flows accessible from the choose step:
- Manage secrets — add, edit, and delete stored API keys with masked values
- Configure a service rule — associate a secret with an outbound host so the proxy injects it automatically. Includes a service template picker (Anthropic, OpenAI, Google, GitHub, Linear, Slack, Custom) that prefills host, auth type, and header for known providers.
Automatic setup
On first run, the setup container:
- Registers the vault owner account
- Creates the
planckvault - Creates a scoped agent token (
adminrole on theplanckvault only) - Writes
AGENT_VAULT_TOKENandPLANCK_SECRETS_HOOKto the install.env
Admin credentials never leave the setup container. On subsequent runs, if the agent already exists, the token is rotated instead.
Vault data directory
vault-data is now a bind-mount directory ($PLANCK_HOME/vault-data) rather than a named Docker volume — consistent with typesense-data and easy to inspect or wipe from the host.
Agent reliability
Tool call loop detection
The agent runtime now tracks consecutive identical {tool_name, args} calls within a turn. After 3 repetitions, a soft nudge is appended to the tool result:
"Note: you have called
{tool}with identical arguments 3 times this turn. If you need different information, consider changing your approach."
The agent still receives the result — this is not a hard stop. The counter resets at the start of each turn.
Under the hood
Planck.Agent.Secretsbehaviour — new behaviour covering credentials (store,fetch,list,delete) and service rules (store_service,delete_service,list_services).EnvFilestores credentials asKEY=valuelines and service rules as# planck-service:comment lines in.env.Sidecar.Secrets.AgentVaultmanages both through the vault API with auto-migration from.envon sidecar startup.- Secrets dispatch —
Planck.Headless.Secretsresolves the active backend fromPLANCK_SECRETS_HOOK. Modules available locally are called directly; remote modules (sidecar) are called via RPC. Falls back gracefully when the sidecar is not yet connected. FloatingDropdownJS hook — neobrutalism dropdowns now render atposition: fixedto escapeoverflow-y: autoclipping in the modal.destructive-foregroundCSS variable added to the Tailwind@themeblock — delete button hover state now renders white text correctly.
Upgrading
Docker (existing install):
cd ~/planck
docker compose pull
docker compose run --rm setup
docker compose up -dThe setup container will:
- Bootstrap agent-vault (registers owner, creates vault, generates scoped token)
- Update the bundled sidecar — the sidecar is now stamped with
PLANCK_VERSIONand replaced automatically when the version changes, so the new vault integration is available immediately
Your existing API keys in .planck/.env are automatically migrated to the vault on sidecar startup.
Fresh install:
curl -fsSL https://raw.githubusercontent.com/alexdesousa/planck/main/docs/install_docker.sh | sh