Files
openclaw/skills/1password/references/get-started.md
Hani Koshaji 73241d39f6 fix(skills/1password): stop forcing tmux for desktop app auth (#52540) (#81825)
* fix(skills/1password): stop forcing tmux for desktop app auth (#52540)

The bundled skill currently mandates that every `op` invocation run inside
a fresh tmux session. That guidance is wrong on every desktop-app-integration
setup (macOS/Windows/Linux) because the 1Password app exposes the CLI over
a per-user Unix domain socket the gateway exec env can reach but tmux
subshells generally cannot — wrapping in tmux produces "1Password CLI
couldn't connect to the 1Password desktop app" failures.

Rewrite the skill to detect auth mode first and only use tmux for the one
case where it actually helps:

- Service account (`OP_SERVICE_ACCOUNT_TOKEN`): direct exec, no signin.
- Desktop app integration: direct exec, never tmux. Note the macOS socket
  location (`~/Library/Group Containers/2BUA8C4S2C.com.1password/t/`) so
  agents can recognize the failure mode.
- Standalone interactive signin: tmux is the right tool because it
  preserves the per-shell session token written by `op signin`.

Update Guardrails and the get-started reference accordingly. Drop the
blanket 'do not run op outside tmux' rule.

Fixes #52540

* fix(skills/1password): correct desktop-app IPC wording and signin example

Address PR #75090 review:

- Replace the blanket 'per-user Unix domain socket' description with
  per-platform wording: XPC via the 1Password Browser Helper on macOS,
  a Unix domain socket on Linux, a named pipe on Windows. Keep the macOS
  group-container path as a symptom indicator only, not as a transport
  claim. Mirror the same correction in the get-started reference and the
  changelog entry.
- Fix the standalone-signin tmux example: `op signin` was being sent as
  a plain command, so its eval-style export was printed but never applied.
  Subsequent `op whoami` and `op vault list` calls would fail because
  the OP_SESSION_* env var was never set. Wrap the call in
  `eval "$(op signin ...)"` so the session token is exported into the
  tmux pane environment as the surrounding text describes.

Same direct-exec direction; tighter and more accurate.

* docs(1password): clarify Windows standalone signin

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* fix(skills/1password): repair auth-mode guidance

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: openclaw-clownfish[bot] <280122609+openclaw-clownfish[bot]@users.noreply.github.com>
2026-06-19 08:26:56 +08:00

2.0 KiB

1Password CLI get-started (summary)

  • Works on macOS, Windows, and Linux.
    • macOS/Linux shells: bash, zsh, sh, fish.
    • Windows shell: PowerShell.
  • Requires a 1Password subscription and the desktop app to use app integration.
  • macOS requirement: Big Sur 11.0.0 or later.
  • Linux app integration requires PolKit + an auth agent.
  • Install the CLI per the official doc for your OS.
  • Enable desktop app integration in the 1Password app:
    • Open and unlock the app, then select your account/collection.
    • macOS: Settings > Developer > Integrate with 1Password CLI (Touch ID optional).
    • Windows: turn on Windows Hello, then Settings > Developer > Integrate.
    • Linux: Settings > Security > Unlock using system authentication, then Settings > Developer > Integrate.
  • After integration, run any command to sign in (example in docs: op vault list).
  • If multiple accounts: use op signin to pick one, or --account / OP_ACCOUNT.
  • For non-integration auth, use op account add.
  • Desktop app integration uses a per-user IPC channel the CLI must reach. The transport differs per platform (XPC via the 1Password Browser Helper on macOS, a Unix domain socket on Linux, a named pipe on Windows). Run op directly from the gateway's exec environment; wrapping in tmux can move the call into a different environment context where the IPC channel is unreachable, producing 1Password CLI couldn't connect to the 1Password desktop app errors.
    • macOS: the integration group container lives at ~/Library/Group Containers/2BUA8C4S2C.com.1password/t/ — useful for recognizing the failure mode, not as a reachability test.
    • Service account auth (OP_SERVICE_ACCOUNT_TOKEN) does not use the desktop IPC channel and works the same in or out of tmux.
  • Standalone interactive signin may use tmux only to preserve the OP_SESSION_* export in one persistent shell. The tmux example must start a POSIX shell such as /bin/sh before sending eval "$(op signin ...)"; do not send that POSIX eval form into fish or PowerShell.