← Item page
Mission Control / Link Explainer / Agent Cookie
X post → GitHub/code tool

Agent Cookie

A macOS-only session-state replicator for agent machines: sync browser cookies, CLI tokens, API keys, and related auth blobs from the Mac Ananth actually uses to the Mac mini / agent host, over Tailscale, without a hosted relay.

Source post: @mvanhorn / 2061259423197372566 Outbound: github.com/mvanhorn/agentcookie Website noted in post: agentcookie.dev Explainer written: 2026-06-01T17:03:39Z
Bottom line

High-signal for Dab/Hermes, but treat it as privileged infrastructure.

Agent Cookie targets a real pain in Ananth’s setup: agents running on a second Mac or Mac mini repeatedly lose authenticated browser and CLI context. The tool’s pitch is not “password manager” or “cookie export”; it is continuous, one-way auth-state replication from the daily-driver Mac to the agent Mac.

For Mission Control/Dab this is relevant because it could reduce manual login/keychain friction for web-driving agents and Printing Press style CLIs. The tradeoff is obvious: if deployed broadly, the sink machine becomes a much more sensitive auth surface. It should be evaluated like an identity bridge, not like a harmless convenience utility.

What the X post says

Matt Van Horn introduces Agent Cookie for people running OpenClaw or Hermes on a Mac mini. Example failure: “Add this to my Amazon cart” or “Order my usual on Instacart” fails because the agent is logged out.

The claimed fix: laptop cookies, CLI tokens, and API keys sync continuously to the Mac mini, end-to-end encrypted over the user’s Tailscale tailnet.

Traction / context

At fetch time the X post showed roughly 857 likes, 1,445 bookmarks, 62 reposts, and a video with about 40k views. That is unusually high bookmark intent for an agent-infra tool.

Source: X API via xurl. Public metrics drift over time.

Repo snapshot

mvanhorn/agentcookie is a public Go repo with MIT license, created 2026-05-16, pushed 2026-06-01, about 85 stars and 6 forks at fetch time.

Languages: mostly Go, with a small TypeScript/Next marketing site. Topics include ai-agents, automation, chrome, cli, cookies, golang, macos, tailscale.

Mechanism

How it works

Source Mac

  • Daily-driver laptop where Ananth logs into websites and CLIs.
  • Watches Chrome cookies and a per-CLI secrets bus.
  • Decrypts local Chrome cookies using macOS Keychain, then applies blocklists.

Sink Mac

  • Agent host / Mac mini running Hermes, OpenClaw, browser drivers, and CLIs.
  • Receives sealed sync payloads over Tailscale.
  • Materializes auth state into Chrome, sidecar cookie DB, per-CLI adapters, and synced secrets.
Chrome cookies + CLI secrets
        │
        ▼
agentcookie source --watch
  decrypt locally → blocklist → pair-derived AES-GCM envelope
        │
        ▼
HTTPS over Tailscale tailnet
        │
        ▼
agentcookie sink / LaunchAgent
  verify sequence → sink blocklist → write delivery surfaces
Delivery surfaces

Three ways an agent consumes auth

  1. Universal Chrome profile delivery: write the sink’s Chrome Cookies SQLite so unmodified browser/cookie tools can read the real Default profile.
  2. Plaintext sidecar: write ~/.agentcookie/cookies-plain.db so tools can call agentcookie cookies --domain <domain> without touching Keychain.
  3. Per-CLI adapters + secrets bus: fan out service-specific sessions for tools like Instacart, Airbnb, eBay, Pagliacci, table-reservation-goat, and mirror KEY=VALUE auth blobs under ~/.agentcookie/secrets/<cli>/.
Security model

The useful guardrails

  • No hosted middleman in the repo docs; sync is over the user’s Tailscale tailnet.
  • Payloads are AES-256-GCM sealed with pairing-derived keys, layered over Tailscale/WireGuard transport.
  • Both source and sink enforce domain blocklists, so opted-out hosts can be dropped at either boundary.
  • Pairing uses a code + X25519/HKDF flow, with rate limiting and replay defenses according to the threat model.
  • The docs explicitly call out what it does not protect against: root/sudo, compromised source/sink OS, and local filesystem access to certain key material in current versions.
Source map

Repo structure worth knowing

PathWhat it appears to ownWhy it matters
cmd/agentcookieCLI entrypointAll operator commands flow through this binary.
internal/cliCobra command implementations: source, sink, pair, doctor, secret, wizard, accountsWhere install, health checks, and auth-state operations are coordinated.
internal/chromeChrome SQLite read/write, macOS Keychain, app-bound encryption, sidecarThe brittle part: browser storage and macOS security behavior.
internal/transport + internal/pairingAEAD sealing, X25519/HKDF pairingCore trust boundary between Macs.
internal/protocolSync envelope, sequence tracking, blocklist matchingPrevents replay and enforces opt-outs at protocol level.
internal/secretsbusPer-CLI secret discovery, manifests, writerHow API keys / bearer tokens ride alongside cookies.
internal/sinkpushPer-app cookie adaptersZero-config support for selected commerce/booking CLIs.
docs/threat-model.mdExplicit security scope and non-goalsRequired reading before any local deployment.
docs/consumption.mdHow CLIs should read synced cookies/secretsMost relevant for Dab/Printing Press integration design.
Install path

Minimum use path from README

  1. Both Macs: Tailscale, Chrome, Go 1.22+/1.24+ or release binary.
  2. Install: go install github.com/mvanhorn/agentcookie/cmd/agentcookie@latest.
  3. Source Mac: agentcookie wizard install --as source --peer <second-mac-hostname>.
  4. Sink Mac: agentcookie wizard install --as sink --peer <source> --code <pairing-code> --pair-url ....
  5. Verify with agentcookie doctor and agentcookie wizard verify-adapters --json.
  6. Opt out domains with agentcookie accounts off x.com; re-enable with accounts on.
Maturity

Promising but beta-shaped

  • Positive: public MIT repo, active pushes, extensive docs, explicit threat model, 500+ unit tests claimed in README, and recent beta releases.
  • Caution: macOS-only today, beta release notes say invitation-only, and the repo has active open issues/PRs around blocklist safety and browser-source support.
  • Caution: default at-rest sealing of sidecar/adapters is described as not fully on by default until consumer support lands; plaintext local stores are an acknowledged risk in the threat model.
Fit for Ananth / Dab

Where this could matter

Use caseFitNotes
Mac mini agent that needs web sessionsHighThis is the exact target: keep the agent host logged into sites the laptop already uses.
Printing Press / CLI auth propagationHighThe secrets bus and agentcookie.toml adoption standard are designed for CLIs that read bearer tokens/API keys.
Pi-hosted Notice BoardLow direct fitAgent Cookie is macOS-focused; the Pi should not become a cookie sink unless the design expands beyond macOS.
Hermes browser automationMedium-highCould reduce “please log in on the remote box” friction, but only if the sink machine is treated as trusted identity infrastructure.
One-off local experimentMediumWorth a controlled Mac-to-Mac test with one or two low-risk domains before any broad sync.
Evaluation checklist

If Ananth decides to try it

  • Read docs/threat-model.md first; do not skip the “does not protect against” section.
  • Start with a tight blocklist/allowlist posture. Do not sync banking, email, primary Google, password manager, or admin-console sessions casually.
  • Use a dedicated Mac sink user account for agents, with minimal local privileges.
  • Run agentcookie doctor --json before and after sync; save only non-secret summaries.
  • Test with a non-critical site and one CLI auth path before touching commerce/personal accounts.
  • Confirm how sidecar/adapters are stored on disk in the exact release being used.
Open questions

Things not to assume yet

  • Whether agentcookie.dev has fresher docs than GitHub. A local safety policy blocked direct fetch of the .dev site during this cron pass, so this explainer uses X API + GitHub API sources.
  • Whether the current release is meant for general public use; latest release text references closed beta/invitation-only.
  • Whether Ananth’s actual daily browser is Chrome. An open issue asks for Atlas/other Chromium source support, which may matter if Ananth is not living in Chrome.
  • Whether sink-side local plaintext stores are acceptable for Ananth’s threat model.
Verdict

Capture as a Dab Improvements candidate, not a casual install.

Agent Cookie is one of the more directly relevant links for Ananth’s “agents on my hardware” direction: it tackles authentication continuity, which is a real blocker for useful personal automation. It is also security-sensitive by design. The right next step is a deliberate evaluation plan: one source Mac, one sink Mac, one low-risk domain, strict blocklists, explicit rollback, and a decision on whether this belongs in Dab’s operating substrate.

Sources used
  • X API via xurl: original post, note_tweet body, metrics, and video metadata.
  • GitHub API: mvanhorn/agentcookie repo metadata, README, tree, issues, releases, architecture, threat model, quickstart, and consumption docs.
  • Source limitation: direct fetch of agentcookie.dev was blocked by local cron safety policy for .dev lookalike-TLD risk; no user approval is possible in this scheduled job.