Bottom line
High-signal for Dab/Hermes, but treat it as privileged infrastructure.
Agent Cookie targets a real pain in Ananth’s setup: agents running on a second Mac or Mac mini repeatedly lose authenticated browser and CLI context. The tool’s pitch is not “password manager” or “cookie export”; it is continuous, one-way auth-state replication from the daily-driver Mac to the agent Mac.
For Mission Control/Dab this is relevant because it could reduce manual login/keychain friction for web-driving agents and Printing Press style CLIs. The tradeoff is obvious: if deployed broadly, the sink machine becomes a much more sensitive auth surface. It should be evaluated like an identity bridge, not like a harmless convenience utility.
What the X post says
Matt Van Horn introduces Agent Cookie for people running OpenClaw or Hermes on a Mac mini. Example failure: “Add this to my Amazon cart” or “Order my usual on Instacart” fails because the agent is logged out.
The claimed fix: laptop cookies, CLI tokens, and API keys sync continuously to the Mac mini, end-to-end encrypted over the user’s Tailscale tailnet.
Traction / context
At fetch time the X post showed roughly 857 likes, 1,445 bookmarks, 62 reposts, and a video with about 40k views. That is unusually high bookmark intent for an agent-infra tool.
Source: X API via xurl. Public metrics drift over time.
Repo snapshot
mvanhorn/agentcookie is a public Go repo with MIT license, created 2026-05-16, pushed 2026-06-01, about 85 stars and 6 forks at fetch time.
Languages: mostly Go, with a small TypeScript/Next marketing site. Topics include ai-agents, automation, chrome, cli, cookies, golang, macos, tailscale.
Mechanism
How it works
Source Mac
- Daily-driver laptop where Ananth logs into websites and CLIs.
- Watches Chrome cookies and a per-CLI secrets bus.
- Decrypts local Chrome cookies using macOS Keychain, then applies blocklists.
→
Sink Mac
- Agent host / Mac mini running Hermes, OpenClaw, browser drivers, and CLIs.
- Receives sealed sync payloads over Tailscale.
- Materializes auth state into Chrome, sidecar cookie DB, per-CLI adapters, and synced secrets.
Chrome cookies + CLI secrets
│
▼
agentcookie source --watch
decrypt locally → blocklist → pair-derived AES-GCM envelope
│
▼
HTTPS over Tailscale tailnet
│
▼
agentcookie sink / LaunchAgent
verify sequence → sink blocklist → write delivery surfaces
Delivery surfaces
Three ways an agent consumes auth
- Universal Chrome profile delivery: write the sink’s Chrome Cookies SQLite so unmodified browser/cookie tools can read the real Default profile.
- Plaintext sidecar: write
~/.agentcookie/cookies-plain.db so tools can call agentcookie cookies --domain <domain> without touching Keychain.
- Per-CLI adapters + secrets bus: fan out service-specific sessions for tools like Instacart, Airbnb, eBay, Pagliacci, table-reservation-goat, and mirror
KEY=VALUE auth blobs under ~/.agentcookie/secrets/<cli>/.
Security model
The useful guardrails
- No hosted middleman in the repo docs; sync is over the user’s Tailscale tailnet.
- Payloads are AES-256-GCM sealed with pairing-derived keys, layered over Tailscale/WireGuard transport.
- Both source and sink enforce domain blocklists, so opted-out hosts can be dropped at either boundary.
- Pairing uses a code + X25519/HKDF flow, with rate limiting and replay defenses according to the threat model.
- The docs explicitly call out what it does not protect against: root/sudo, compromised source/sink OS, and local filesystem access to certain key material in current versions.
Source map
Repo structure worth knowing
| Path | What it appears to own | Why it matters |
cmd/agentcookie | CLI entrypoint | All operator commands flow through this binary. |
internal/cli | Cobra command implementations: source, sink, pair, doctor, secret, wizard, accounts | Where install, health checks, and auth-state operations are coordinated. |
internal/chrome | Chrome SQLite read/write, macOS Keychain, app-bound encryption, sidecar | The brittle part: browser storage and macOS security behavior. |
internal/transport + internal/pairing | AEAD sealing, X25519/HKDF pairing | Core trust boundary between Macs. |
internal/protocol | Sync envelope, sequence tracking, blocklist matching | Prevents replay and enforces opt-outs at protocol level. |
internal/secretsbus | Per-CLI secret discovery, manifests, writer | How API keys / bearer tokens ride alongside cookies. |
internal/sinkpush | Per-app cookie adapters | Zero-config support for selected commerce/booking CLIs. |
docs/threat-model.md | Explicit security scope and non-goals | Required reading before any local deployment. |
docs/consumption.md | How CLIs should read synced cookies/secrets | Most relevant for Dab/Printing Press integration design. |
Install path
Minimum use path from README
- Both Macs: Tailscale, Chrome, Go 1.22+/1.24+ or release binary.
- Install:
go install github.com/mvanhorn/agentcookie/cmd/agentcookie@latest.
- Source Mac:
agentcookie wizard install --as source --peer <second-mac-hostname>.
- Sink Mac:
agentcookie wizard install --as sink --peer <source> --code <pairing-code> --pair-url ....
- Verify with
agentcookie doctor and agentcookie wizard verify-adapters --json.
- Opt out domains with
agentcookie accounts off x.com; re-enable with accounts on.
Maturity
Promising but beta-shaped
- Positive: public MIT repo, active pushes, extensive docs, explicit threat model, 500+ unit tests claimed in README, and recent beta releases.
- Caution: macOS-only today, beta release notes say invitation-only, and the repo has active open issues/PRs around blocklist safety and browser-source support.
- Caution: default at-rest sealing of sidecar/adapters is described as not fully on by default until consumer support lands; plaintext local stores are an acknowledged risk in the threat model.
Fit for Ananth / Dab
Where this could matter
| Use case | Fit | Notes |
| Mac mini agent that needs web sessions | High | This is the exact target: keep the agent host logged into sites the laptop already uses. |
| Printing Press / CLI auth propagation | High | The secrets bus and agentcookie.toml adoption standard are designed for CLIs that read bearer tokens/API keys. |
| Pi-hosted Notice Board | Low direct fit | Agent Cookie is macOS-focused; the Pi should not become a cookie sink unless the design expands beyond macOS. |
| Hermes browser automation | Medium-high | Could reduce “please log in on the remote box” friction, but only if the sink machine is treated as trusted identity infrastructure. |
| One-off local experiment | Medium | Worth a controlled Mac-to-Mac test with one or two low-risk domains before any broad sync. |
Evaluation checklist
If Ananth decides to try it
- Read
docs/threat-model.md first; do not skip the “does not protect against” section.
- Start with a tight blocklist/allowlist posture. Do not sync banking, email, primary Google, password manager, or admin-console sessions casually.
- Use a dedicated Mac sink user account for agents, with minimal local privileges.
- Run
agentcookie doctor --json before and after sync; save only non-secret summaries.
- Test with a non-critical site and one CLI auth path before touching commerce/personal accounts.
- Confirm how sidecar/adapters are stored on disk in the exact release being used.
Open questions
Things not to assume yet
- Whether agentcookie.dev has fresher docs than GitHub. A local safety policy blocked direct fetch of the
.dev site during this cron pass, so this explainer uses X API + GitHub API sources.
- Whether the current release is meant for general public use; latest release text references closed beta/invitation-only.
- Whether Ananth’s actual daily browser is Chrome. An open issue asks for Atlas/other Chromium source support, which may matter if Ananth is not living in Chrome.
- Whether sink-side local plaintext stores are acceptable for Ananth’s threat model.
Verdict
Capture as a Dab Improvements candidate, not a casual install.
Agent Cookie is one of the more directly relevant links for Ananth’s “agents on my hardware” direction: it tackles authentication continuity, which is a real blocker for useful personal automation. It is also security-sensitive by design. The right next step is a deliberate evaluation plan: one source Mac, one sink Mac, one low-risk domain, strict blocklists, explicit rollback, and a decision on whether this belongs in Dab’s operating substrate.
Sources used
- X API via
xurl: original post, note_tweet body, metrics, and video metadata.
- GitHub API: mvanhorn/agentcookie repo metadata, README, tree, issues, releases, architecture, threat model, quickstart, and consumption docs.
- Source limitation: direct fetch of
agentcookie.dev was blocked by local cron safety policy for .dev lookalike-TLD risk; no user approval is possible in this scheduled job.