Ravi

Supacode

Overview

Supacode is a native macOS command center for running 50+ coding agents in parallel. Built on libghostty (the engine behind Ghostty terminal) — pure Swift, no Electron — it gives each agent an isolated git worktree and a unified GitHub-native interface to open PRs, check CI, and resolve conflicts at scale.

When you run a handful of agents, managing credentials is a nuisance. When you run fifty, it becomes the bottleneck. Ravi solves that.

The problem at scale

Each new Supacode worktree session needs credentials: a GitHub token, API keys for the services your agent touches, an email address for signups or notifications, maybe a phone number for 2FA. Without a shared identity layer you end up with hardcoded tokens scattered across sessions, no audit trail, and silent auth failures that are painful to debug across a fleet.

Ravi is the identity layer that closes this gap.

What Ravi adds

Credential vault — rotate once, apply everywhere. Agents pull shared credentials from Ravi’s encrypted secrets store at session start. When you rotate an API key, you update it in one place and every agent picks up the new value on next pull — no touching individual sessions.

Dedicated email identity. Services requiring email verification (package registries, SaaS trials, CI webhooks, npm publishing) get a stable Ravi address instead of a personal inbox or throwaway address. One address per agent fleet, with a real inbox your orchestrator can read programmatically.

Phone / SMS 2FA. SMS-based two-factor authentication is a hard blocker for fully autonomous runs. Ravi’s provisioned phone number lets agents receive and extract OTP codes without handing off to a human mid-task.

Secrets rotation without downtime. Supacode can spawn and kill sessions dynamically. Ravi’s pull-on-demand model means newly spawned sessions get current credentials automatically — no re-provisioning step required.

Setup

Install the Ravi CLI and authenticate:

brew install ravi-hq/tap/ravi
ravi auth login

Create a dedicated identity for your Supacode fleet:

ravi identity create "supacode-fleet"
ravi identity use supacode-fleet

Store the credentials your agents will need:

# GitHub token for all agents
ravi vault set GITHUB_TOKEN ghp_your_token_here

# Any other API keys
ravi vault set OPENAI_API_KEY sk-...
ravi vault set NPM_TOKEN npm_...

Agent bootstrap script

Add a credential injection step to your Supacode session startup. Each new worktree sources this before the agent runs:

#!/bin/bash
# ravi-bootstrap.sh — run at worktree session start

# Pull credentials from Ravi vault into environment
export GITHUB_TOKEN=$(ravi vault get GITHUB_TOKEN --json | jq -r '.value')
export OPENAI_API_KEY=$(ravi vault get OPENAI_API_KEY --json | jq -r '.value')

# Get the fleet email and phone for this session
export AGENT_EMAIL=$(ravi get email --json | jq -r '.email')
export AGENT_PHONE=$(ravi get phone --json | jq -r '.phone')

echo "Agent identity ready: $AGENT_EMAIL"

Pass this to Supacode as a session init command so every worktree starts pre-authenticated.

Handling verification mid-run

When an agent hits an email or SMS verification step:

# Wait for verification email
ravi inbox email --unread --json | jq '.threads[0]'

# Extract a verification link
ravi inbox email --unread --json \
  | jq -r '.threads[0].preview' \
  | grep -oP 'https://\S+'

# Extract an SMS OTP
ravi inbox sms --unread --json \
  | jq -r '.conversations[0].preview' \
  | grep -oP '\b[0-9]{6}\b'

These commands are non-blocking — poll with a short interval until the message arrives, then continue. No human handoff required.

Example: 50-agent npm publish fleet

A team running Supacode to automate npm package publishing across a monorepo. Each agent needs an npm token and an email to verify publishing rights.

# One-time setup
ravi vault set NPM_TOKEN npm_...
# ravi get email → packages@yourfleet.raviapp.com (stable, readable)

# Each agent session bootstrap:
export NPM_TOKEN=$(ravi vault get NPM_TOKEN --json | jq -r '.value')
npm set //registry.npmjs.org/:_authToken=$NPM_TOKEN

# If npm requires email verification for a new package:
# Agent reads the inbox, clicks the link, continues — no human needed

Rotate the npm token in Ravi once; the next batch of sessions picks it up automatically.

Why this matters at 50+ agents

Without RaviWith Ravi
Tokens hardcoded per sessionPulled from vault at start
Rotate = touch every sessionRotate once, all sessions update
Personal email exposedDedicated fleet address
SMS 2FA requires human handoffAgent resolves OTPs autonomously
No audit trailFull access log per identity

Next steps