So I wrote authsome. The bit I think is actually interesting is the run command:
authsome run -- python my_agent.py
It launches the child behind a local auth proxy, and the proxy intercepts outbound HTTPS and injects auth headers at request time. The child process never has the secret in its environment, so it can't leak through os.environ, ps -e, or anything that dumps a subprocess env, and the agent code doesn't change either. The tokens are stored locally, encrypted, and refreshed before they expire. OAuth flows for interactive and headless, plus a browser bridge for API-key providers. There is a CLI for pulling headers directly when you don't want the proxy.
The proxy only sees traffic that goes through it, so libraries that pin their own CA bundle slip past. Also, streaming uploads and long-lived connections probably have edge cases I haven't hit. It's still alpha, v0.2.1.
Most interested in feedback on the proxy approach itself, that's the part I'm least sure about.
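The pattern described in the post, as an added example that is not authsome's code and not part of the original post: a parent holds the credential, a local forward proxy injects the Authorization header at request time, and the child receives only a proxy address in its environment. It is simplified to plain HTTP on loopback (no TLS interception or local CA), and every name in it (`SECRET`, `InjectingProxy`, `Upstream`, `TARGET_URL`, `run_demo`) is an assumption made for the illustration.

```python
import http.server, json, os, subprocess, sys, threading, urllib.request

SECRET = "constructed-demo-token"  # constructed sample; held only by the parent/proxy

class Quiet(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass
    def reply(self, body):
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class Upstream(Quiet):
    """Stand-in for the remote API: echoes the Authorization header it received."""
    def do_GET(self):
        self.reply((self.headers.get("Authorization") or "none").encode())

class InjectingProxy(Quiet):
    """Forward proxy: attaches the credential at request time, relays the response."""
    def do_GET(self):
        # For a proxied plain-HTTP request, self.path is the absolute target URL.
        req = urllib.request.Request(self.path, headers={"Authorization": "Bearer " + SECRET})
        direct = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy loop
        with direct.open(req, timeout=5) as resp:
            self.reply(resp.read())

# Child: calls the API with no credentials, then reports its own environment.
CHILD = """import json, os, urllib.request
seen = urllib.request.urlopen(os.environ["TARGET_URL"], timeout=5).read().decode()
print(json.dumps({"seen_by_api": seen, "env": dict(os.environ)}))"""

def serve(handler):
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def run_demo():
    upstream, proxy = serve(Upstream), serve(InjectingProxy)
    try:
        env = {"PATH": os.environ.get("PATH", ""),
               "http_proxy": "http://127.0.0.1:%d" % proxy.server_port,
               "TARGET_URL": "http://127.0.0.1:%d/whoami" % upstream.server_port}
        out = subprocess.run([sys.executable, "-c", CHILD], env=env, check=True,
                             capture_output=True, text=True, timeout=30).stdout
        report = json.loads(out)
        leaked = any(SECRET in v for v in report["env"].values())
        return report["seen_by_api"], leaked
    finally:
        upstream.shutdown(); proxy.shutdown()

if __name__ == "__main__":
    print(run_demo())
```

A client in the child that ignored `http_proxy` would reach the upstream directly and get `none` back, which is the same bypass the post notes for libraries that pin their own CA bundle.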