AUTHSOME_HOME so credentials never bleed between roles.
Per-agent isolation
Use a separate home directory per agent role. Each home gets its own identity, vault, daemon, and audit log. An agent running with AUTHSOME_HOME=~/.authsome-pr-bot cannot reach credentials in ~/.authsome-reviewer.
For multiple accounts on the same provider within one role, use multiple connections inside a single home instead of splitting homes.
Run each agent under its own proxy
Each agent’s HTTP_PROXY points at its own daemon instance, and each daemon is backed by a different vault. The agents cannot read each other’s credentials even if one is compromised.
Multi-agent best practices
- One home directory per role, not one per developer. A developer with two agents should still use two homes.
- Audit each home separately. Audit events are scoped to the daemon backing that home.
- After a compromise, rotate only the affected agent’s credentials. Other homes are unaffected.
Troubleshooting
| Symptom | Fix |
|---|---|
| Two agents accidentally share credentials | They’re using the same AUTHSOME_HOME. Split them. |
| Port 7998 conflicts | Only one daemon can bind the default port per machine. Use separate hosts, containers, or configure a non-default port for secondary homes. |
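
A preflight check for the "two agents accidentally share credentials" symptom, as an added example that is not part of Authsome: it resolves each role's AUTHSOME_HOME to its physical path and flags roles whose homes are the same directory or sit inside one another. The role names are constructed, and treating a nested home as a finding is an assumption that goes beyond what this page states.

```shell
#!/bin/sh
# Added example, not Authsome code: preflight check that no two agent roles
# resolve to the same (or a nested) AUTHSOME_HOME. Role names are constructed.
# Usage: check_homes pr-bot="$HOME/.authsome-pr-bot" reviewer="$HOME/.authsome-reviewer"

TAB=$(printf '\t')

# Physical path of a directory, so symlinks, relative paths and trailing
# slashes cannot hide two roles pointing at one home. Fails if it is missing.
resolve_home() {
    (CDPATH= cd -- "$1" 2>/dev/null && pwd -P)
}

# check_homes role=path [role=path ...]
# Prints one finding per line and returns non-zero if any were found.
check_homes() {
    findings=0
    seen=""   # one "role<TAB>physical-path" record per line
    for spec in "$@"; do
        role=${spec%%=*}
        if ! home=$(resolve_home "${spec#*=}"); then
            echo "MISSING $role: ${spec#*=}"
            findings=$((findings + 1))
            continue
        fi
        # Compare this home against every home accepted so far.
        while IFS="$TAB" read -r other_role other_home; do
            [ -n "$other_role" ] || continue
            if [ "$home" = "$other_home" ]; then
                echo "SHARED $other_role $role: $home"
                findings=$((findings + 1))
                continue
            fi
            # The trailing slash keeps ~/.authsome-pr-bot-2 from matching
            # ~/.authsome-pr-bot as its parent.
            case "$home/" in "$other_home/"*)
                echo "NESTED $other_role $role: $home"
                findings=$((findings + 1)) ;;
            esac
            case "$other_home/" in "$home/"*)
                echo "NESTED $role $other_role: $other_home"
                findings=$((findings + 1)) ;;
            esac
        done <<EOF
$seen
EOF
        seen="${seen}${role}${TAB}${home}
"
    done
    [ "$findings" -eq 0 ]
}
```

Comparing physical paths rather than the raw AUTHSOME_HOME strings is what catches a symlinked or relative home that points at another role's directory.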