Migrate credentials to 1Password: 58 items across 4 vaults

- Created 4 new vaults: Infrastructure (16), Clients (27), Projects (10), MSP Tools (5)
- Replaced credentials.md with op:// reference version (no plaintext secrets)
- Updated CLAUDE.md with 1Password access instructions for all workstations
- Service account (Agentic_Cli) for non-interactive CLI access

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.claude/CLAUDE.md

@@ -39,9 +39,9 @@ You are NOT an executor. You coordinate specialized agents and preserve your con
 ## Key Rules
 
 - **NO EMOJIS** - Use ASCII markers: `[OK]`, `[ERROR]`, `[WARNING]`, `[SUCCESS]`, `[INFO]`
-- **No hardcoded credentials** - Use encrypted storage
+- **No hardcoded credentials** - Use 1Password (`op read "op://Vault/Item/field"`) or encrypted storage
 - **SSH:** Use system OpenSSH (on Windows: `C:\Windows\System32\OpenSSH\ssh.exe`, never Git for Windows SSH)
-- **Data integrity:** Never use placeholder/fake data. Check credentials.md or ask user.
+- **Data integrity:** Never use placeholder/fake data. Check credentials.md (op:// refs) or 1Password or ask user.
 - **Full coding standards:** `.claude/CODING_GUIDELINES.md` (agents read on-demand, not every session)
 
 ---
@@ -57,10 +57,23 @@ You are NOT an executor. You coordinate specialized agents and preserve your con
 ## Context Recovery
 
 When user references previous work, use `/context` command. Never ask user for info in:
-- `credentials.md` - All infrastructure credentials (UNREDACTED)
+- `credentials.md` - Infrastructure reference with `op://` paths (secrets in 1Password)
 - `session-logs/` - Daily work logs (also in `projects/*/session-logs/` and `clients/*/session-logs/`)
 - `SESSION_STATE.md` - Project history
 
+### 1Password Credential Access
+
+Credentials are stored in 1Password across 4 vaults: **Infrastructure**, **Clients**, **Projects**, **MSP Tools**.
+
+**To read a secret:** `op read "op://VaultName/ItemTitle/field_name"`
+
+**Service account (non-interactive):** Set `OP_SERVICE_ACCOUNT_TOKEN` env var. Token stored in `op://Infrastructure/Service Account Auth Token: Agentic_Cli/credential`. The service account has Read & Write on all 4 vaults (except Projects which is read-only -- use desktop app auth for Projects writes).
+
+**Setup on new machines:**
+1. Install 1Password CLI: https://developer.1password.com/docs/cli/get-started/
+2. Sign in: `op signin` (or use desktop app integration)
+3. For non-interactive use, add to shell config: `set -gx OP_SERVICE_ACCOUNT_TOKEN "token_value"`
+
 ---
 
 ## Commands & Skills
@@ -69,7 +82,8 @@ When user references previous work, use `/context` command. Never ask user for i
 |---------|---------|
 | `/checkpoint` | Dual checkpoint: git commit + database context |
 | `/save` | Comprehensive session log (credentials, decisions, changes) |
-| `/context` | Search session logs and credentials.md |
+| `/context` | Search session logs, credentials.md, and 1Password |
+| `/1password` | 1Password secrets management integration |
 | `/sync` | Sync config from Gitea repository |
 | `/create-spec` | Create app specification for AutoCoder |
 | `/frontend-design` | Modern frontend design patterns (auto-invoke after UI changes) |