# one-password

## 1Password CLI
Follow the official CLI get-started steps. Don't guess install commands.
## References

- Official docs: https://developer.1password.com/docs/cli/get-started/
- `references/get-started.md` (install + app integration + sign-in flow)
- `references/cli-examples.md` (real `op` examples, including safe item create/edit patterns)
## Workflow

- Check OS + shell.
- Verify CLI present inside tmux: `op --version`.
- Confirm desktop app integration is enabled (per get-started) and the app is unlocked.
- REQUIRED: create exactly one persistent named tmux session for the whole secret task.
- Sign in / authorize once inside that same session: `op signin` (expect one app prompt).
- Verify access inside that same session: `op whoami` (must succeed before any secret read).
- If multiple accounts: use `--account` or `OP_ACCOUNT`.
- If a command fails, reuse the same tmux session with `tmux send-keys`; do not start a second session just to retry.
## Default Account

- Default account for personal/work secrets is `my.1password.com`.
- Do not silently use `my.1password.eu` / Titan unless explicitly asked.
- Pass `--account my.1password.com` on every `op` command when storing or reading secrets. Do not rely on ambient account selection.
- `op account list` is metadata-only, but still must run inside tmux. Use it to confirm account names when routing is unclear.
- `op signin --account my.1password.com` can return status 0 with no useful output and still not make a later shell signed in. Prefer doing sign-in, create/edit/get, and verification in the same tmux shell.
## Service account tokens

- 1Password service accounts are non-interactive tokens for a specific vault/scope, useful for automation without unlocking the desktop app.
- Use a pre-exported `MOLTY_OP_SERVICE_ACCOUNT_TOKEN` only for known items in the restricted `Molty` vault.
- If the token is not already exported, use the desktop-app 1Password flow below.
- Export it only for the single command that needs it: `OP_SERVICE_ACCOUNT_TOKEN="$MOLTY_OP_SERVICE_ACCOUNT_TOKEN" op item get "<known item>" --vault Molty ...`.
- Service-account reads require an explicit vault query; if `--vault Molty` is omitted, `op` fails even when the token is valid.
- Keep the tmux rule: every `op` command, including service-account reads, still runs inside one named tmux session.
- Do not enumerate vaults/items with service accounts. If the known item or field is not accessible, stop and ask the user instead of probing.
- Print presence/shape only, never token or secret values.
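An added example, not part of this skill: a pre-flight guard that checks an `op` argument list against the Workflow, Default Account and service-account rules above (tmux only, explicit `--account` for `item` commands, explicit `--vault` and no enumeration when a service-account token is exported) before anything is executed. `check_op_args` and `safe_op` are names chosen here; the tmux check relies on the `TMUX` variable tmux exports inside its panes.

```shell
#!/usr/bin/env bash
# Added example (not the skill's own code): pre-flight check of an `op`
# argument list against this page's rules. Nothing here prints secret values.
set -eu

# check_op_args ARGS... -> 0 if the call complies, 1 otherwise.
# Relies on the TMUX variable that tmux exports inside its panes.
check_op_args() {
  has_account=0; has_vault=0
  if [ -z "${TMUX:-}" ]; then
    echo "refusing: op must run inside the named tmux session" >&2
    return 1
  fi
  for a in "$@"; do
    case "$a" in
      --account|--account=*) has_account=1 ;;
      --vault|--vault=*) has_vault=1 ;;
    esac
  done
  case "${1:-}" in
    item) secret_cmd=1 ;;  # item get/create/edit read or write secret values
    *) secret_cmd=0 ;;     # --version, whoami, account list: metadata only
  esac
  if [ -n "${OP_SERVICE_ACCOUNT_TOKEN:-}" ]; then
    # Service-account mode: the token fixes the account, so the vault is the
    # required selector, and listing vaults/items is off-limits.
    case "${1:-} ${2:-}" in
      "vault list"|"item list")
        echo "refusing: no enumeration with a service account" >&2
        return 1 ;;
    esac
    if [ "$secret_cmd" -eq 1 ] && [ "$has_vault" -eq 0 ]; then
      echo "refusing: service-account read needs an explicit --vault" >&2
      return 1
    fi
  elif [ "$secret_cmd" -eq 1 ] && [ "$has_account" -eq 0 ]; then
    # Desktop-app mode: never rely on ambient account selection.
    echo "refusing: pass --account (e.g. my.1password.com) explicitly" >&2
    return 1
  fi
  return 0
}

# safe_op ARGS...: run op only after the check passes; the caller redirects
# the output and never echoes secret fields.
safe_op() {
  check_op_args "$@" || return 1
  op "$@"
}
```

Source this file inside the `op-work` session and call `safe_op item get "<known item>" --account my.1password.com >/dev/null` in place of a bare `op`.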
## Required Persistent Tmux Session

The shell tool uses a fresh TTY per command. To avoid repeated 1Password prompts, run `op` inside one dedicated tmux session and keep using that same session until the whole secret task is done.

Example:

```bash
# One private socket and one named session for the whole secret task.
SOCKET_DIR="${CLAWDBOT_TMUX_SOCKET_DIR:-${TMPDIR:-/tmp}/clawdbot-tmux-sockets}"
mkdir -p "$SOCKET_DIR"
SOCKET="$SOCKET_DIR/clawdbot-op.sock"
SESSION="op-work"
# Reuse the session if it already exists; create it only once.
tmux -S "$SOCKET" has-session -t "$SESSION" 2>/dev/null ||
tmux -S "$SOCKET" new -d -s "$SESSION" -n shell
# Sign in (expect one app prompt) and verify access in the same pane.
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op signin --account my.1password.com" Enter
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op whoami" Enter
# Read back the pane scrollback to confirm the sign-in and whoami result.
tmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200
```

Do not create a new tmux session after a quoting, item-name, or command failure. Send a corrected command into the existing session.
## Service-Specific Workflows

- Keep service-specific auth details in the owning skill.
- For npm registry/package work, use `npmjs`; it documents the `$npm` item, username/password/TOTP flow, and package reservation helper.
- This skill owns only the generic 1Password rules: tmux-only `op`, targeted reads, one persistent session, no broad enumeration, no secret output.
## Known working secret-write pattern

Use the persistent tmux session. Write the exact secret task to a temp script, then send that script into `op-work`; do not create a second tmux session for retries.

```bash
# Same socket and session as above; create the socket directory in case
# this runs before the sign-in snippet.
SOCKET_DIR="${CLAWDBOT_TMUX_SOCKET_DIR:-${TMPDIR:-/tmp}/clawdbot-tmux-sockets}"
mkdir -p "$SOCKET_DIR"
SOCKET="$SOCKET_DIR/clawdbot-op.sock"
SESSION="op-work"
tmux -S "$SOCKET" has-session -t "$SESSION" 2>/dev/null ||
tmux -S "$SOCKET" new -d -s "$SESSION" -n shell
# The script file never contains the secret: it reads the value from the
# clipboard at run time, so nothing secret is written to disk.
cat > /tmp/op-store-secret.sh <<'SCRIPT'
#!/usr/bin/env bash
set -euo pipefail
set +x                      # tracing would echo the token into the pane
ACCOUNT="my.1password.com"
ITEM_TITLE="Service API Tokens"
FIELD_NAME="api_token"
EXPECTED_PREFIX=""          # optional: a known token prefix to sanity-check the clipboard
NOTES="Created via tmux-safe op workflow"
TOKEN="$(pbpaste)"          # macOS clipboard; the value stays in this process
if [ -n "$EXPECTED_PREFIX" ]; then
case "$TOKEN" in "$EXPECTED_PREFIX"*) ;; *) echo "clipboard value does not match expected prefix" >&2; exit 2;; esac
fi
# Create the item, then read the field back to verify; discard both outputs.
op item create --account "$ACCOUNT" --category "API Credential" --title "$ITEM_TITLE" "$FIELD_NAME[password]=$TOKEN" "notesPlain=$NOTES" >/dev/null
op item get "$ITEM_TITLE" --account "$ACCOUNT" --fields "label=$FIELD_NAME" >/dev/null
echo "stored and verified secret field without printing it"
SCRIPT
chmod 700 /tmp/op-store-secret.sh
# Run the script in the existing session and remove it afterwards.
tmux -S "$SOCKET" send-keys -t "$SESSION" -- "bash /tmp/op-store-secret.sh; rm -f /tmp/op-store-secret.sh" C-m
```

The category string is human-readable and case-sensitive in this `op` CLI build; use `"API Credential"`, not `api_credential`.
## Redacted debugging

Keep the whole pipeline inside the same tmux session. Inspect status and output length, never secret values.

```bash
# Same socket and session as in the sign-in example.
SOCKET_DIR="${CLAWDBOT_TMUX_SOCKET_DIR:-${TMPDIR:-/tmp}/clawdbot-tmux-sockets}"
SOCKET="$SOCKET_DIR/clawdbot-op.sock"
SESSION="op-work"
cat > /tmp/op-debug.sh <<'SCRIPT'
#!/usr/bin/env bash
set -euo pipefail
set +x
# Report only how much the sign-in printed, never what it printed.
SIGNIN_OUTPUT="$(op signin --account my.1password.com 2>&1 || true)"
echo "signin output bytes: ${#SIGNIN_OUTPUT}"
# Account metadata is safe to show; mask anything token-shaped just in case.
op account list 2>&1 | sed -E "s/(xox[baprs]-)[A-Za-z0-9-]+/\\1REDACTED/g; s/(xapp-)[A-Za-z0-9-]+/\\1REDACTED/g"
SCRIPT
chmod 700 /tmp/op-debug.sh
tmux -S "$SOCKET" send-keys -t "$SESSION" -- "bash /tmp/op-debug.sh; rm -f /tmp/op-debug.sh" C-m
```
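An added example, not part of this skill, that combines the "presence/shape only" rule from the service-account section with the redaction above: `describe_secret` reports whether a variable such as `MOLTY_OP_SERVICE_ACCOUNT_TOKEN` is set and what its length and prefix family are, and `redact_output` masks token-shaped strings in captured output. Both function names are chosen here; the `ops_` prefix is the one 1Password service-account tokens carry.

```shell
#!/usr/bin/env bash
# Added example (not the skill's own code): helpers for the "presence/shape
# only" rule. describe_secret reports whether a variable is set plus its
# length and prefix family; redact_output masks token-shaped strings on stdin.
set -eu

# describe_secret NAME: print presence and shape of the variable NAME.
# Returns 1 when it is unset or empty. The value itself is never printed.
describe_secret() {
  name="$1"
  # Only a plain identifier may reach eval.
  case "$name" in ""|*[!A-Za-z0-9_]*) echo "bad variable name" >&2; return 2 ;; esac
  eval "value=\${$name:-}"
  if [ -z "$value" ]; then
    echo "$name: absent"
    return 1
  fi
  case "$value" in
    ops_*) family="1password-service-account" ;;  # ops_ prefix of 1Password service-account tokens
    xox[baprs]-*) family="slack-token" ;;
    xapp-*) family="slack-app-token" ;;
    *) family="unknown" ;;
  esac
  echo "$name: present len=${#value} family=$family"
}

# redact_output: copy stdin to stdout with the body of token-shaped strings
# replaced by REDACTED, keeping only the recognisable prefix. Same patterns
# as the page's sed, plus the ops_ prefix.
redact_output() {
  sed -E \
    -e 's/(xox[baprs]-)[A-Za-z0-9-]+/\1REDACTED/g' \
    -e 's/(xapp-)[A-Za-z0-9-]+/\1REDACTED/g' \
    -e 's/(ops_)[A-Za-z0-9_.-]+/\1REDACTED/g'
}
```

Pipe captured pane output through `redact_output` before pasting it anywhere, and use `describe_secret MOLTY_OP_SERVICE_ACCOUNT_TOKEN` to confirm the token is exported without revealing it.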
## Guardrails
- Never paste secrets into logs, chat, or code.
- Prefer `op run` / `op inject` over writing secrets to disk.
- If sign-in without app integration is needed, use `op account add`.
- If a command returns "account is not signed in", re-run `op signin` inside tmux and authorize in the app.
- Do not run `op` outside tmux; stop and ask if tmux is unavailable.