技能檔案

Env Debug

Name: Env Debug
Author: 89jobrien

Use when op run fails with env conflicts, direnv isn't loading secrets, source_up chain is broken, Claude shell can't resolve op:// URIs, or secrets work in terminal but not in Claude context

89jobrien0 星標2026年4月11日

職業
分類: 除錯

技能內容

Systematic diagnosis of the secrets environment chain: direnv → source_up → 1Password → op run.

The Chain

~/.envrc (or project .envrc)
  └── source_up
        └── ~/dev/.envrc
              └── op run --env-file ~/.secrets -- <cmd>
                    └── injects resolved op:// vars

Claude's shell context cannot resolve op:// URIs directly. Always use op read or op run explicitly.

Step 1: Check direnv

direnv status     # Allowed? Which .envrc loaded?
direnv allow      # Unblock current directory if needed
echo $DIRENV_DIR  # Should be set if active

Step 2: Trace source_up chain

相關技能

Env Debug | Skills Pool

cat ~/.envrc
cat ~/dev/.envrc   # Walk up until you find the op run call

# See conflicting vars
env | grep -E "KEY|TOKEN|SECRET" | sort

# Clear specific conflicts before op run
env -u OPENAI_API_KEY -u ANTHROPIC_API_KEY op run --env-file ~/.secrets -- your-command

# Nuke all and re-inject
unset OPENAI_API_KEY ANTHROPIC_API_KEY
op run --account=my.1password.com --env-file ~/.secrets -- your-command

op account list                        # Signed-in accounts
op signin --account my.1password.com   # Sign in if needed
op item list --account=my.1password.com --limit=3  # Test read access

op read "op://vault/item/field" --account=my.1password.com
# Example:
op read "op://Personal/OPENAI/credential" --account=my.1password.com

echo "=== direnv ===" && direnv status
echo "=== op accounts ===" && op account list
echo "=== conflicting vars ===" && env | grep -E "KEY|TOKEN|SECRET" | sort
echo "=== op read test ===" && op item list --account=my.1password.com --limit=1

Symptom	Cause	Fix
`op://` not resolved in Claude	Shell can't use direnv	Use `op read` directly
`op run` ignores a secret	Var already in shell	`env -u VAR op run ...`
Secret works in terminal, not Claude	direnv not in Claude's shell	`op read` or `op run` explicitly
`op: not signed in`	Session expired	`op signin --account my.1password.com`
`direnv: .envrc not allowed`	direnv blocked	`direnv allow`
`source_up: no parent .envrc`	Chain broken	Check `~/dev/.envrc` exists
`grep ^KEY ~/.secrets` returns empty	Key name mismatch	`grep KEY ~/.secrets` to find exact name

Env Debug

The Chain

Step 1: Check direnv

Step 2: Trace source_up chain

Env Debug

The Chain

Step 1: Check direnv

Step 2: Trace source_up chain

Step 3: Diagnose op run conflicts

Step 4: Verify op connectivity

Step 5: Read a specific secret directly

Quick Diagnostic

Common Failures

Session Logs

OpenClaw Test Heap Leaks

Node Connect

Openclaw Qa Testing

Openclaw Secret Scanning Maintainer

Flags