Part of the Brigade fleet from Escoffier Labs

Authenticated sessions for agent machines.

Your agents run on machines that have never logged in to anything. Agent Pantry mirrors the cookies, browser auth state, and secrets you choose from your daily driver to the machine your agent runs on: Codex, Claude Code, OpenClaw, Hermes, or a custom runner. Encrypted end to end, over any byte stream you can reach.

Stock the pantry once. Your agents cook with real auth.

How it works

Source · your daily driver

  • Watches Chromium, Firefox, or CDP cookie stores for changes
  • Decrypts values with the platform keyring (Secret Service, DPAPI)
  • Filters through your domain allow/deny policy
  • Diffs against the last snapshot, so only changes move
  • Mirrors named secrets from a sanitized secrets directory

Sink · the agent machine

  • Verifies every frame against the pre-shared key
  • Rejects any frame that does not advance the replay counter
  • Applies diffs to a plaintext sidecar SQLite by default
  • Optional surfaces: secrets files, real Chrome store on Windows
  • Optional adapters: cookies.txt, gh CLI, OpenClaw, Hermes bundle

What's on the shelves

Opt-in by domain

Nothing syncs unless you allow it. Cookie movement is filtered through an explicit domain allow/deny policy, so the agent gets the sessions it needs and nothing else.

Sealed in transit

Every diff ships in an AES-256-GCM frame with HKDF per-session key derivation and a monotonic replay counter. Stale or replayed frames are rejected at the sink.

Reads real browsers

Chromium-family stores (Chrome, Brave, Edge), Firefox, and Chrome DevTools Protocol for app-bound Chrome v127+. Keyring, DPAPI, and fallback decryption handled per platform.

Lands where tools look

Sidecar SQLite by default, plus opt-in surfaces and adapters: Netscape cookies.txt, gh CLI, OpenClaw, Hermes Agent bundles, and a Windows real-Chrome re-encrypt surface.

Runs as a service

One command writes a systemd unit or Windows Scheduled Task. Auto-reconnect with exponential backoff keeps the pantry stocked through restarts and flaky links.

Diagnosable on purpose

doctor validates config, key, surfaces, and connectivity; status reports what synced and when. Both speak JSON for scripting.

Command reference

Command                      What it does
agentpantry init             Initialize a config file for this machine, as a source or a sink.
agentpantry keygen           Generate or rotate the 32-byte pre-shared key both sides use.
agentpantry source           Run on your daily driver: watch browsers and secrets, send sealed diffs.
agentpantry sink             Run on the agent machine: verify frames, apply diffs to surfaces.
agentpantry doctor           Validate config, key, role, surfaces, and connectivity before trusting it.
agentpantry status           Report active role, peer, surfaces, last sync, and synced domains.
agentpantry install-service  Write a systemd unit (or Scheduled Task on Windows) so sync survives reboots.
agentpantry version          Print version, commit, build date, Go version, and platform.

Security, stated plainly

Agent Pantry moves real credentials, so it is explicit about its boundaries. Transport is sealed with AES-256-GCM and per-session derived keys over a pre-shared key you generate and copy yourself. Replay protection is monotonic and strict. CDP capture binds to loopback only.

It is equally explicit about what it does not protect: the sink writes a plaintext sidecar by default, because that is what agent tooling can read. The machine your agent runs on must be a machine you trust. The threat model documents what is protected, what is not, and what stays your responsibility as the operator.
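
The sealing and replay check described above, sketched in Go as an added example; it is not Agent Pantry's code or its wire format. The frame layout (8-byte counter, then ciphertext and tag), the HKDF info label, the fresh per-session salt, and the names SessionAEAD, Seal and Sink are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SessionAEAD: HKDF-SHA256 (RFC 5869, one expand block) over the PSK, then AES-256-GCM.
func SessionAEAD(psk, salt []byte) (cipher.AEAD, error) {
	ext := hmac.New(sha256.New, salt) // extract: PRK = HMAC(salt, PSK)
	ext.Write(psk)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write([]byte("example-session\x01")) // assumed info label || block index 1
	block, _ := aes.NewCipher(exp.Sum(nil))  // HMAC-SHA256 output is always 32 bytes
	return cipher.NewGCM(block)
}

// Seal emits counter(8, big-endian) || ciphertext || tag; the counter is nonce and AAD.
func Seal(g cipher.AEAD, counter uint64, diff []byte) []byte {
	hdr := binary.BigEndian.AppendUint64(nil, counter)
	return append(hdr, g.Seal(nil, append(make([]byte, 4), hdr...), diff, hdr)...)
}

type Sink struct {
	AEAD cipher.AEAD
	Last uint64 // highest counter accepted in this session
}

// Open authenticates first, so a forged frame cannot move Last, then requires an advance.
func (s *Sink) Open(frame []byte) ([]byte, error) {
	if len(frame) < 8 {
		return nil, fmt.Errorf("short frame")
	}
	diff, err := s.AEAD.Open(nil, append(make([]byte, 4), frame[:8]...), frame[8:], frame[:8])
	if err != nil || binary.BigEndian.Uint64(frame[:8]) <= s.Last {
		return nil, fmt.Errorf("rejected: bad tag or counter did not advance")
	}
	s.Last = binary.BigEndian.Uint64(frame[:8])
	return diff, nil
}

func main() {
	g, _ := SessionAEAD(make([]byte, 32), []byte("constructed salt")) // all-zero PSK: demo only
	fmt.Println((&Sink{AEAD: g}).Open(Seal(g, 1, []byte("constructed diff"))))
}
```

Using the counter as the GCM nonce is only safe because each session gets its own derived key; reusing a salt with the same pre-shared key would repeat nonces under one key.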

Start from an example

Copyable config templates for every common shape: Chromium or Firefox sources, a CDP source for app-bound Chrome, sinks with gh and OpenClaw adapters, a Hermes bundle sink, and a guide to running the whole thing over SSH stdio with no open ports.