Your AI agent has a valid API key. That's the whole problem.
A prompt injection can't steal the key — it points the agent at the wrong action and lets the key do the damage (the confused deputy). Permissions decide which tools an agent can touch; delego decides whether this action is the one the human authorized — so an in-scope action can't be hijacked. No vault catches it, and no model sits in the decision path to be talked around.
• An approved action can't be silently re-pointed to a different one
• Risky actions wait for a human; everything else flows
• Every decision is signed into a tamper-evident audit trail
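The three properties above can be illustrated with a short sketch. This is an added example, not delego's code or API: `Gate`, `approve`, `verify_log`, the demo key and the tool names are all hypothetical, and an HMAC stands in for a real signature.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: held by the gate, never by the agent

def digest(action):
    # Canonical hash of the exact tool call (tool name plus arguments).
    canon = json.dumps(action, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def tag(text):
    return hmac.new(KEY, text.encode(), hashlib.sha256).hexdigest()

def approve(action):
    # A human approval covers one action digest, not a tool or a scope.
    return tag("approve:" + digest(action))

class Gate:
    def __init__(self, risky_tools):
        self.risky = set(risky_tools)
        self.log = []  # each entry is chained to the previous entry's MAC

    def _record(self, action, decision):
        prev = self.log[-1]["mac"] if self.log else "0" * 64
        body = {"prev": prev, "action": digest(action), "decision": decision}
        self.log.append({**body, "mac": tag(json.dumps(body, sort_keys=True))})
        return decision

    def decide(self, action, approval=None):
        if action["tool"] not in self.risky:
            return self._record(action, "allow")    # low-risk calls flow through
        if approval is None:
            return self._record(action, "pending")  # risky calls wait for a human
        ok = hmac.compare_digest(approval, approve(action))
        return self._record(action, "allow" if ok else "deny")

def verify_log(log):
    # Recompute every MAC and chain link; an edited or dropped entry breaks it.
    prev = "0" * 64
    for e in log:
        body = {k: e[k] for k in ("prev", "action", "decision")}
        if e["prev"] != prev or not hmac.compare_digest(e["mac"], tag(json.dumps(body, sort_keys=True))):
            return False
        prev = e["mac"]
    return True
```

Because the approval is computed over the full argument set, reusing it for the same tool with a different recipient fails the comparison even though the agent's credential and permissions are unchanged.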
Sits in front of your existing credential broker — it doesn't replace it. Python library + MCP server + one-command Claude Code plugin. Open source.
→ github.com/Delego-Dev/delego