#Is there a way to do secret substitution

No thats not possible. The engine doesn't really have a concept if it's own files or variables. Can you describe why you'd want to do that?

Defense-in-depth security when running semi-trusted workloads, so I want to limit where secrets can be exfiltrated from. For example doing local development, I'd like to give an AI agent access to the CLI but not the engine and not the secrets (I have a whole VM sandbox setup going on that's complicated to explain).

Similarly for CI/CD workflows, I'd rather trust the engine with secrets instead of the CLI.

I see. I'm not fully understanding the threat model. The client, or agent, could change the dagger code to do whatever it wants with that secret from the engine, including Secret.PlainText. So is that threat model really that different from using a secrets manager like 1password or vault?

Eh, it's a little different because that's a more complicated exfiltration that would take more targeted effort compared to just grabbing from the env or similarly obvious ways... but yeah fair enough that it's still achievable by running a malicious dagger function. Thanks for pointing that out.