fix: isolate gh CLI config per agent to prevent token mixing

Set GH_CONFIG_DIR=$AGENT_HOME/.config/gh before gh auth login so
each agent writes to its own directory rather than the shared global
config. This prevents tokens from different agents bleeding into one
another's gh auth state.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

github-app-token/SKILL.md

@@ -23,4 +23,6 @@ bash github-app-token/scripts/generate-token.sh
 
 The script validates env vars, generates a JWT, exchanges it for an installation token, writes the token to `$AGENT_HOME/.gh-token`, and runs `gh auth login`. On success it prints a confirmation line. On failure it exits non-zero with a descriptive error.
 
+The script sets and exports `GH_CONFIG_DIR=$AGENT_HOME/.config/gh` so each agent's `gh` state is isolated from every other agent on the same host. After sourcing or calling the script, subsequent `gh` commands in the same shell session will automatically use that isolated config. If you spawn a subprocess, export `GH_CONFIG_DIR` before calling `gh`.
+
 Requires `openssl`, `curl`, `jq`, and `gh`.

github-app-token/scripts/generate-token.sh

@@ -41,7 +41,12 @@ GH_TOKEN_FILE="${GH_TOKEN_FILE:-$(mktemp)}"
 printf '%s' "$TOKEN" > "$GH_TOKEN_FILE"
 chmod 600 "$GH_TOKEN_FILE"
 
-# --- Authenticate gh CLI ---
+# --- Authenticate gh CLI with per-agent config isolation ---
+# Each agent gets its own GH_CONFIG_DIR so tokens never bleed across agents.
+export GH_CONFIG_DIR="${AGENT_HOME:+${AGENT_HOME}/.config/gh}"
+GH_CONFIG_DIR="${GH_CONFIG_DIR:-$(mktemp -d)}"
+mkdir -p "$GH_CONFIG_DIR"
+
 gh auth login --with-token < "$GH_TOKEN_FILE"
 
-echo "Authenticated. Token written to $GH_TOKEN_FILE (expires in 1 hour)."
+echo "Authenticated. Token written to $GH_TOKEN_FILE (expires in 1 hour). GH_CONFIG_DIR=$GH_CONFIG_DIR"