.copilot/skills/gh-auth-isolation/SKILL.md
Safely manage multiple GitHub identities (EMU + personal) in agent workflows
Many developers use GitHub through an Enterprise Managed User (EMU) account at work while maintaining a personal GitHub account for open-source contributions. AI agents spawned by Squad inherit the shell's default gh authentication — which is usually the EMU account. This causes failures when agents try to push to personal repos, create PRs on forks, or interact with resources outside the enterprise org.
This skill teaches agents how to detect the active identity, switch contexts safely, and avoid mixing credentials across operations.
Before any GitHub operation, check which account is active:
```powershell
gh auth status
```
Look for:
- Logged in to github.com as USERNAME — the active account
- Token scopes: ... — what permissions are available

When you need to operate as a specific user (not the default):
```powershell
# Get the personal account token (by username)
gh auth token --user personaluser
# Get the EMU account token
gh auth token --user corpalias_enterprise
```
Use case: Push to a personal fork while the default gh auth is the EMU account.
The most common scenario: your shell defaults to the EMU account, but you need to push to a personal GitHub repo.
```powershell
# 1. Extract the personal token
$token = gh auth token --user personaluser
# 2. Push using token-authenticated HTTPS
git push https://personaluser:$token@github.com/personaluser/repo.git branch-name
```
Why this works: gh auth token --user reads from gh's credential store without switching the active account. The token is used inline for a single operation and never persisted.
When the default gh context is EMU but you need to create a PR from a personal fork:
```powershell
# Option 1: Use --repo flag (works if token has access)
gh pr create --repo upstream/repo --head personaluser:branch --title "..." --body "..."
# Option 2: Temporarily set GH_TOKEN for one command
$env:GH_TOKEN = $(gh auth token --user personaluser)
gh pr create --repo upstream/repo --head personaluser:branch --title "..."
Remove-Item Env:\GH_TOKEN
```
For complete isolation between accounts, use separate gh config directories:
```powershell
# Personal account operations
$env:GH_CONFIG_DIR = "$HOME/.config/gh-public"
gh auth login # Login with personal account (one-time setup)
gh repo clone personaluser/repo
# EMU account operations (default)
Remove-Item Env:\GH_CONFIG_DIR
gh auth status # Back to EMU account
```
Setup (one-time):
```powershell
# Create isolated config for personal account
mkdir ~/.config/gh-public
$env:GH_CONFIG_DIR = "$HOME/.config/gh-public"
gh auth login --web --git-protocol https
```
Add to your shell profile for convenience:
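```powershell
# PowerShell profile
function ghp {
    $env:GH_CONFIG_DIR = "$HOME/.config/gh-public"
    # finally runs even if gh fails or is interrupted, so the personal
    # config dir never leaks into later commands in this session
    try { gh @args } finally { Remove-Item Env:\GH_CONFIG_DIR }
}
function ghe { gh @args } # Default EMU
# Usage:
# ghp repo clone personaluser/repo # Uses personal account
# ghe issue list # Uses EMU account
```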
```bash
# Bash/Zsh profile
alias ghp='GH_CONFIG_DIR=~/.config/gh-public gh'
alias ghe='gh'
# Usage:
# ghp repo clone personaluser/repo
# ghe issue list
```
```powershell
# Agent needs to push to personaluser.github.io (personal repo)
# Default gh auth is corpalias_enterprise (EMU)
$token = gh auth token --user personaluser
git remote set-url origin https://personaluser:$token@github.com/personaluser/personaluser.github.io.git
git push origin main
# Clean up — don't leave token in remote URL
git remote set-url origin https://github.com/personaluser/personaluser.github.io.git
```
```powershell
# Fork: personaluser/squad, Upstream: bradygaster/squad
# Agent is on branch contrib/fix-docs in the fork clone
git push origin contrib/fix-docs # Pushes to fork (may need token auth)
# Create PR targeting upstream
gh pr create --repo bradygaster/squad --head personaluser:contrib/fix-docs `
    --title "docs: fix installation guide" `
    --body "Fixes #123"
```
```powershell
# BAD: Agent assumes default gh auth works for personal repos
git push origin main
# ERROR: Permission denied — EMU account has no access to personal repo
# BAD: Hardcoding tokens in scripts
git push https://personaluser:HARDCODED_TOKEN_PLACEHOLDER@github.com/personaluser/repo.git main
# SECURITY RISK: Token exposed in command history and process list
```
```powershell
# Always verify which account has access before operations
gh auth status
# If wrong account, use token extraction:
$token = gh auth token --user personaluser
git push https://personaluser:$token@github.com/personaluser/repo.git main
```
- gh auth token --user to extract at runtime.
- gh auth works for all repos. EMU accounts can't access personal repos and vice versa.
- gh auth login globally mid-session. This changes the default for ALL processes and can break parallel agents.
- .env or .squad/ files. These get committed by Scribe. Use gh's credential store.
- gh auth switch in multi-agent sessions. One agent switching affects all others sharing the shell.
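An added example for Bash/Zsh, not part of the original skill: the same per-operation identity switch, but with the token handed to git through the environment and a one-shot credential helper, so it never appears in a command line, a remote URL, or the calling shell. `run_as_gh_user`, `git_as_gh_user`, `url_embeds_secret` and `ISOLATED_GH_USER` are hypothetical names; the account and repository names are the page's placeholders.

```bash
# Added example; function names and ISOLATED_GH_USER are hypothetical.
# Only the gh and git options used here are real.

# Run one command as a named gh account. The function body is a subshell,
# so GH_TOKEN never reaches the calling shell and needs no cleanup step.
run_as_gh_user() (
  user="$1"; shift
  GH_TOKEN="$(gh auth token --user "$user")" || exit 1
  [ -n "$GH_TOKEN" ] || exit 1
  ISOLATED_GH_USER="$user"
  export GH_TOKEN ISOLATED_GH_USER
  "$@"
)

# git credential helper that answers "get" from the environment. It holds
# only variable names, so the token is not part of any command line or URL.
ENV_HELPER='!f() { test "$1" = get && printf "username=%s\npassword=%s\n" "$ISOLATED_GH_USER" "$GH_TOKEN"; }; f'

# Run git as a named account. The empty credential.helper= resets helpers
# set in other config files, so none of them is asked for or handed the token.
git_as_gh_user() (
  user="$1"; shift
  GIT_TERMINAL_PROMPT=0; export GIT_TERMINAL_PROMPT
  run_as_gh_user "$user" git -c credential.helper= \
    -c "credential.helper=$ENV_HELPER" "$@"
)

# True when a URL carries user:secret@ in its authority part, for example a
# token left behind in a remote URL.
url_embeds_secret() (
  authority="${1#*://}"
  authority="${authority%%/*}"
  case "$authority" in *:*@*) exit 0 ;; *) exit 1 ;; esac
)

# Usage:
#   git_as_gh_user personaluser push https://github.com/personaluser/repo.git branch-name
#   run_as_gh_user personaluser gh pr create --repo upstream/repo --head personaluser:branch --title "..."
#   url_embeds_secret "$(git remote get-url origin)" && echo "token left in remote URL"
```

Running `url_embeds_secret` on each remote before an agent commits or hands off a clone catches a token that a failed cleanup step left in `.git/config`.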