Clone .env and sed-patch keeps secrets out of transcript
Provisioning a second per-account config file for a sync agent that uses a shared INGEST_SECRET, on the remote host where the agent runs.
To add a new instance of a multi-tenant sync agent that reads a per-account .env file, the cleanest path is to cp an existing, working .env.<other-account> to .env.<new-account> on the remote host, then run sed -i on the copy to patch only the user-specific fields (user, addresses, high-water key, token-file path). Shared values such as INGEST_SECRET and the API endpoints stay untouched and never pass through the conversation transcript. That matters because reading the existing .env to copy values out of it would expose credentials. The chain of sed -e expressions is safe to display because it shows only the key names and the replacement values, which are public knowledge.
Before constructing a per-account config from scratch, check whether an analogous account already runs on the host. cp followed by sed -i is faster, lower-risk, and keeps shared secrets out of the agent context, compared with grepping out the secret and pasting it into a fresh file.
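
The clone-and-patch procedure above as a runnable sketch (an added example, not part of the original note). It assumes GNU sed and hypothetical key names (SYNC_USER, SYNC_ADDRESSES, HIGH_WATER_KEY, TOKEN_FILE, API_ENDPOINT); the accounts, paths and values are constructed, and the source file is built in a temp directory so the script runs offline.

```shell
#!/bin/sh
# Added example. Key names, accounts, paths and values below are constructed.
set -eu
PATCHED='^(SYNC_USER|SYNC_ADDRESSES|HIGH_WATER_KEY|TOKEN_FILE)='

# clone_env SRC DST USER ADDRS: copy SRC, then patch only the per-account keys.
clone_env() {
    if [ -e "$2" ]; then echo "refusing to overwrite $2" >&2; return 1; fi
    # Reject values that would break the sed expressions (e.g. '|' or '&').
    case $3$4 in *[!A-Za-z0-9@._,-]*) echo "unsafe value" >&2; return 1;; esac
    cp -p "$1" "$2"    # -p preserves the source file's mode (0600 here)
    # Each expression is anchored to one KEY=, so shared lines cannot match.
    sed -i \
        -e "s|^SYNC_USER=.*|SYNC_USER=$3|" \
        -e "s|^SYNC_ADDRESSES=.*|SYNC_ADDRESSES=$4|" \
        -e "s|^HIGH_WATER_KEY=.*|HIGH_WATER_KEY=hw:$3|" \
        -e "s|^TOKEN_FILE=.*|TOKEN_FILE=/var/lib/sync/$3.token|" \
        "$2"
}

# shared_unchanged SRC DST: true only if every unpatched line is identical.
# Compares inside the shell and prints nothing, so no value is displayed.
shared_unchanged() {
    a=$(grep -Ev "$PATCHED" "$1") && b=$(grep -Ev "$PATCHED" "$2") && [ "$a" = "$b" ]
}

# key_names FILE: list the keys without their values (safe to display).
key_names() { sed 's/=.*//' "$1"; }

demo() {
    DEMO_DIR=$(mktemp -d)
    ( umask 077    # constructed source file, created 0600
      printf '%s\n' \
        'API_ENDPOINT=https://ingest.example.invalid/v1' \
        'INGEST_SECRET=constructed-placeholder-not-a-real-secret' \
        'SYNC_USER=alice' \
        'SYNC_ADDRESSES=alice@example.invalid' \
        'HIGH_WATER_KEY=hw:alice' \
        'TOKEN_FILE=/var/lib/sync/alice.token' > "$DEMO_DIR/.env.alice" )
    clone_env "$DEMO_DIR/.env.alice" "$DEMO_DIR/.env.bob" bob bob@example.invalid
    shared_unchanged "$DEMO_DIR/.env.alice" "$DEMO_DIR/.env.bob" && echo "shared values identical"
    key_names "$DEMO_DIR/.env.bob"
    grep -E "$PATCHED" "$DEMO_DIR/.env.bob"    # only the public, patched lines
}
demo
```

Verification here is limited to a silent comparison, a key-name listing, and a grep restricted to the patched keys, so nothing that reads the new file echoes a shared value.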