I would recommend nono - it's practically 0 seconds of latency, developed by the creator of sigstore which is used by google, github, and secures a lot of the open source software supply chain.
What I like most is, its like a runtime `nono run ... agent` and there is not managing vms, containers ,mounts.
This sounds like the approach the nono project took: it injects a phantom token, so the sandboxed agent never gets to see the real key, it has a session scoped, time limited dummy key https://nono.sh/docs/cli/features/credential-injection
What I like most is, its like a runtime `nono run ... agent` and there is not managing vms, containers ,mounts.