claudetools/.claude/memory/feedback_1password_service_token.md
Mike Swanson d3f3d28fb6 sync: auto-sync from GURU-KALI at 2026-05-26 19:41:06
Author: Mike Swanson
Machine: GURU-KALI
Timestamp: 2026-05-26 19:41:06
2026-05-26 19:41:07 -07:00

---
name: 1Password — always use service account token
description: Use the SOPS-vaulted OP_SERVICE_ACCOUNT_TOKEN for all op CLI calls; the desktop-app integration prompts are unacceptable in agent flows
type: feedback
---

For every op CLI invocation, source OP_SERVICE_ACCOUNT_TOKEN from infrastructure/1password-service-account.sops.yaml first. Without it, op falls back to the desktop-app integration, which interrupts the workflow with "unlock the app" prompts.

Why: Mike confirmed 2026-04-30 — "the prompts are infuriating." Service account auth is the standard CI/agent pattern documented in the 1password skill but I had been defaulting to the desktop session.

How to apply: Vault path is per-machine from .claude/identity.json vault_path — never hardcode it. Reach the entry via the wrapper:

```bash
# Read the credential field of the service-account entry through the vault.sh wrapper
SVC_TOKEN=$(bash "$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh" get-field infrastructure/1password-service-account.sops.yaml credential 2>/dev/null | head -1)

# Pass through env var to every op call
OP_SERVICE_ACCOUNT_TOKEN="$SVC_TOKEN" op item get ...
# Or export once at the top of a script
export OP_SERVICE_ACCOUNT_TOKEN="$SVC_TOKEN"
```

If the vault.sh get-field wrapper fails on this entry (it has historically tripped on a missing PyYAML dependency in the fallback parser), fall back to a direct sops -d + grep on the same entry. Resolve the vault root from identity.json rather than hardcoding it, e.g.:

```bash
# Resolve the vault root from identity.json, then decrypt the entry directly and pull the credential field
VAULT_PATH=$(python3 -c "import json;print(json.load(open('$CLAUDETOOLS_ROOT/.claude/identity.json'))['vault_path'])")
SVC_TOKEN=$(sops -d "$VAULT_PATH/infrastructure/1password-service-account.sops.yaml" 2>/dev/null \
  | grep -E '^\s*credential:' | sed -E 's/^\s*credential:\s*//' | head -1)
```
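As an added example (not the page's vault.sh or 1Password's own tooling), this script chains the two lookups above, preferring the wrapper and falling back to direct sops decryption, and exits non-zero when neither yields a token, so a missing token surfaces as an error instead of a desktop-app prompt. The function names resolve_op_token, extract_credential, vault_root and run_op are mine; it assumes python3 and sops are on PATH.

```bash
#!/usr/bin/env bash
# Added example (not the page's vault.sh): resolve the 1Password service
# account token with the wrapper-then-sops fallback described above, and
# fail closed when no token is found so op can never drop to the desktop app.
set -eu

ENTRY="infrastructure/1password-service-account.sops.yaml"

# Read vault_path from identity.json (never hardcode the vault root).
vault_root() {
  python3 -c 'import json,sys;print(json.load(open(sys.argv[1]))["vault_path"])' "$1"
}

# Pull the `credential:` value out of decrypted YAML on stdin (first match only).
extract_credential() {
  grep -E '^[[:space:]]*credential:' | head -1 \
    | sed -E 's/^[[:space:]]*credential:[[:space:]]*//'
}

# $1 = CLAUDETOOLS_ROOT. Prints the token, or returns 1 with nothing printed.
resolve_op_token() {
  local root="$1" tok=""
  # 1. Preferred path: the vault.sh get-field wrapper.
  tok=$(bash "$root/.claude/scripts/vault.sh" get-field "$ENTRY" credential 2>/dev/null | head -1 || true)
  # 2. Fallback: decrypt the same entry directly with sops and grep the field.
  if [ -z "$tok" ]; then
    local vp
    vp=$(vault_root "$root/.claude/identity.json")
    tok=$(sops -d "$vp/$ENTRY" 2>/dev/null | extract_credential || true)
  fi
  # 3. Fail closed: no token means no op call, never a desktop-app prompt.
  if [ -z "$tok" ]; then
    echo "error: no OP_SERVICE_ACCOUNT_TOKEN available; refusing desktop-app fallback" >&2
    return 1
  fi
  printf '%s\n' "$tok"
}

# Run a single op command with the token scoped to that one invocation.
run_op() {
  local root="$1"; shift
  local tok
  tok=$(resolve_op_token "$root") || return 1
  OP_SERVICE_ACCOUNT_TOKEN="$tok" op "$@"
}
```

Use as `run_op "$CLAUDETOOLS_ROOT" item get <item>` so the token never lands in a shell's exported environment.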

Vaults the service account can see (per 2026-04-30 test): Clients, Infrastructure, Internal Sites, Managed Websites, MSP Tools, Projects, Sorting. (The Private vault is intentionally not shared with the service account.)

When to skip: Never. If the desktop session also happens to be authed, that's fine, but the service token path must be the one the agent reaches for.