Short answer: use Agent Pantry as a process-boundary Go sidecar (source on the daily driver, sink on the agent host). Brigade’s pantry station installs, plans setup, and health-checks; it does not mint PSKs or start services for you.
The problem
Agents that open authenticated web surfaces need real sessions. Copying cookies by hand is brittle. Dumping secrets into prompts is unsafe. Browser extensions that phone home are a non-starter for many operator setups.
The Brigade path
brigade extras on # pantry is on the extras surface
brigade add pantry
brigade pantry setup plan --role sink --peer 127.0.0.1:8787 # agent host
brigade pantry setup plan --role source --peer <sink-host>:8787 # daily driver
# run the printed agentpantry init/keygen/source|sink commands yourself
brigade pantry doctor
brigade pantry expiry-alert
Plans write under .brigade/pantry/plans/ when you pass --write. Expiry-alert can preview near-expiry cookies and optionally notify via the notifications station.
Boundaries
- Agent Pantry stays a separate Go binary.
- Brigade does not generate PSKs, start source/sink, or mutate browser profiles from
pantrycommands alone. - Treat synced material as sensitive host state, not content for public repos.
When this is enough
Use pantry when the agent machine is not the browser machine and you need selected sessions mirrored over a sealed channel. Use the agent’s own device-code or API-key login when the tool supports it without browser cookies.
Questions
Is this a password manager? No. It syncs browser session material you choose between hosts. Keep long-lived secrets in a password manager.
Does it work with notifications? Yes. brigade pantry expiry-alert --send can call agent-notify after you wire the notifications station.
Product page: brigade.tools/agentpantry. Optional notify: agent-notify.