From 62adf6349de31c74794c5b6af8777ada9575163e Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Fri, 24 Apr 2026 18:26:28 +0100 Subject: [PATCH] docs(release): require tmux for 1password fallback --- .agents/skills/openclaw-release-maintainer/SKILL.md | 3 +++ docs/reference/RELEASING.md | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/.agents/skills/openclaw-release-maintainer/SKILL.md b/.agents/skills/openclaw-release-maintainer/SKILL.md index 785ad97a686..6fe6eba5078 100644 --- a/.agents/skills/openclaw-release-maintainer/SKILL.md +++ b/.agents/skills/openclaw-release-maintainer/SKILL.md @@ -345,6 +345,9 @@ node --import tsx scripts/openclaw-npm-postpublish-verify.ts or stale, use the local tmux + 1Password fallback: - Start or reuse a tmux session so interactive `npm login` and OTP prompts are observable and recoverable. + - Hard rule: never run `op` directly in the main agent shell during release + work. Any 1Password CLI use must happen inside that tmux session so prompts + and alerts are contained and observable. - Use the 1Password item `op://Private/Npmjs` for npm credentials and OTP. Do not print passwords, tokens, or OTPs to the transcript; send them through tmux buffers, env vars scoped to the tmux command, or `expect` with diff --git a/docs/reference/RELEASING.md b/docs/reference/RELEASING.md index b3ee390dd3b..3e60bae4059 100644 --- a/docs/reference/RELEASING.md +++ b/docs/reference/RELEASING.md 
@@ -200,6 +200,11 @@ requires `NPM_TOKEN`, while the public repo keeps OIDC-only publish. That keeps the direct publish path and the beta-first promotion path both documented and operator-visible. +If a maintainer must fall back to local npm authentication, run any 1Password +CLI (`op`) commands only inside a dedicated tmux session. Do not call `op` +directly from the main agent shell; keeping it inside tmux makes prompts, +alerts, and OTP handling observable and prevents repeated host alerts. + ## Public references - [`.github/workflows/openclaw-npm-release.yml`](https://github.com/openclaw/openclaw/blob/main/.github/workflows/openclaw-npm-release.yml)
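Review bot: In the SKILL.md hunk, the new "Hard rule" bullet says prompts and alerts are "contained and observable" inside tmux, but it does not say what contained means for secrets. A tmux pane keeps scrollback, so anything `op` prints there stays readable for the life of the session. Suggest tying the rule to the following bullet's "Do not print passwords, tokens, or OTPs" by stating that `op` output must be piped or captured rather than shown in the pane, and by saying whether the session should be closed once the fallback publish is done.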
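Review bot: In the RELEASING.md hunk, the added paragraph asks for "a dedicated tmux session", while the SKILL.md text in the same patch says "Start or reuse a tmux session". Pick one wording so that operators and agents follow the same rule. The closing clause "prevents repeated host alerts" is also unexplained: the paragraph should say which alerts are meant and why running `op` from the main agent shell triggers them repeatedly, or link to the skill file where the fallback procedure is spelled out.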