mirror of
https://github.com/openclaw/openclaw.git
synced 2026-07-16 15:21:38 +00:00
* fix(skills/1password): stop forcing tmux for desktop app auth (#52540) The bundled skill currently mandates that every `op` invocation run inside a fresh tmux session. That guidance is wrong on every desktop-app-integration setup (macOS/Windows/Linux) because the 1Password app exposes the CLI over a per-user Unix domain socket the gateway exec env can reach but tmux subshells generally cannot — wrapping in tmux produces "1Password CLI couldn't connect to the 1Password desktop app" failures. Rewrite the skill to detect auth mode first and only use tmux for the one case where it actually helps: - Service account (`OP_SERVICE_ACCOUNT_TOKEN`): direct exec, no signin. - Desktop app integration: direct exec, never tmux. Note the macOS socket location (`~/Library/Group Containers/2BUA8C4S2C.com.1password/t/`) so agents can recognize the failure mode. - Standalone interactive signin: tmux is the right tool because it preserves the per-shell session token written by `op signin`. Update Guardrails and the get-started reference accordingly. Drop the blanket 'do not run op outside tmux' rule. Fixes #52540 * fix(skills/1password): correct desktop-app IPC wording and signin example Address PR #75090 review: - Replace the blanket 'per-user Unix domain socket' description with per-platform wording: XPC via the 1Password Browser Helper on macOS, a Unix domain socket on Linux, a named pipe on Windows. Keep the macOS group-container path as a symptom indicator only, not as a transport claim. Mirror the same correction in the get-started reference and the changelog entry. - Fix the standalone-signin tmux example: `op signin` was being sent as a plain command, so its eval-style export was printed but never applied. Subsequent `op whoami` and `op vault list` calls would fail because the OP_SESSION_* env var was never set. Wrap the call in `eval "$(op signin ...)"` so the session token is exported into the tmux pane environment as the surrounding text describes. Same direct-exec direction; tighter and more accurate. * docs(1password): clarify Windows standalone signin * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * fix(skills/1password): repair auth-mode guidance --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com>
2.0 KiB
2.0 KiB
1Password CLI get-started (summary)
- Works on macOS, Windows, and Linux.
- macOS/Linux shells: bash, zsh, sh, fish.
- Windows shell: PowerShell.
- Requires a 1Password subscription and the desktop app to use app integration.
- macOS requirement: Big Sur 11.0.0 or later.
- Linux app integration requires PolKit + an auth agent.
- Install the CLI per the official doc for your OS.
- Enable desktop app integration in the 1Password app:
- Open and unlock the app, then select your account/collection.
- macOS: Settings > Developer > Integrate with 1Password CLI (Touch ID optional).
- Windows: turn on Windows Hello, then Settings > Developer > Integrate.
- Linux: Settings > Security > Unlock using system authentication, then Settings > Developer > Integrate.
- After integration, run any command to sign in (example in docs:
op vault list). - If multiple accounts: use
op signinto pick one, or--account/OP_ACCOUNT. - For non-integration auth, use
op account add. - Desktop app integration uses a per-user IPC channel the CLI must reach. The transport differs per platform (XPC via the 1Password Browser Helper on macOS, a Unix domain socket on Linux, a named pipe on Windows). Run
opdirectly from the gateway's exec environment; wrapping in tmux can move the call into a different environment context where the IPC channel is unreachable, producing1Password CLI couldn't connect to the 1Password desktop apperrors.- macOS: the integration group container lives at
~/Library/Group Containers/2BUA8C4S2C.com.1password/t/— useful for recognizing the failure mode, not as a reachability test. - Service account auth (
OP_SERVICE_ACCOUNT_TOKEN) does not use the desktop IPC channel and works the same in or out of tmux.
- macOS: the integration group container lives at
- Standalone interactive signin may use tmux only to preserve the
OP_SESSION_*export in one persistent shell. The tmux example must start a POSIX shell such as/bin/shbefore sendingeval "$(op signin ...)"; do not send that POSIXevalform into fish or PowerShell.