This skill should be used when the user asks to "resolve secrets", "check 1password", "debug env", "why isn't my op:// ref working", "trace direnv chain", "fix secret not loading", or invokes /sanctum:op-resolver. Also fires automatically at session start via the SessionStart hook.
Validate 1Password authentication, trace the .envrc source_up chain, detect op://
URI conflicts between accounts, and report missing environment variables.
op account list
Expected output: table showing at least two accounts (toptal.1password.com and my.1password.com).
If the command fails or shows no accounts, the 1Password CLI is not authenticated. Instruct the user:
"Run op signin or open 1Password and unlock it, then retry."
Starting from the current working directory, trace upward:
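d="$PWD"
while :; do
  [ -f "$d/.envrc" ] && echo "$d/.envrc"
  # Stop only after $HOME itself (or / when outside $HOME) has been checked,
  # so that $HOME/.envrc is included in the chain.
  if [ "$d" = "$HOME" ] || [ "$d" = "/" ]; then break; fi
  d=$(dirname "$d")
done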
For each .envrc found, check for op:// references using the Grep tool (not bash grep).
Report the chain:
DIRENV CHAIN (CWD → HOME)
/Users/joe/dev/minibox/.envrc — 3 op:// refs
/Users/joe/dev/.envrc — 1 op:// ref (source_up)
/Users/joe/.envrc — 2 op:// refs (source_up)
Scan all .envrc files in the chain for op:// refs and identify which account they target:
- op://toptal.1password.com/... → Toptal account
- op://my.1password.com/... or op://Personal/... → Personal account
- op://<uuid>/... — check UUID against op account list to identify account

If refs target multiple accounts in the same chain, flag as a potential conflict:
"WARNING: .envrc chain references both Toptal and Personal 1Password accounts. Commands using op run may need --account flag to disambiguate."
Claude's shell context cannot resolve op:// URIs directly. If the environment
contains literal op:// values (not resolved secrets), warn:
"WARNING: Environment variable FOO contains a literal op:// URI. Use op run -- <command> to inject resolved values into commands."
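The account-conflict scan and the literal op:// check described above can be sketched as follows. This is an added example, not part of the skill itself: the function names, the temporary sample files and the VAULT_ID/ITEM_ID placeholders are assumptions, and it uses grep directly rather than the Grep tool.

```shell
#!/bin/sh
# Added example: classify op:// refs in an .envrc chain using this page's mapping.

# Print "<account><TAB><file><TAB><ref>" for each uncommented op:// ref.
classify_op_refs() {
  for f in "$@"; do
    [ -f "$f" ] || continue
    grep -v '^[[:space:]]*#' "$f" | grep -oE "op://[^\"'[:space:]]+" |
    while IFS= read -r ref; do
      case "$ref" in
        op://toptal.1password.com/*) acct=Toptal ;;
        op://my.1password.com/*|op://Personal/*) acct=Personal ;;
        *) acct=unknown ;;  # e.g. op://<uuid>/...: compare with op account list
      esac
      printf '%s\t%s\t%s\n' "$acct" "$f" "$ref"
    done
  done
}

# Succeeds when the chain references more than one identified account.
# "unknown" refs are left out: they need the manual UUID check first.
has_account_conflict() {
  n=$(classify_op_refs "$@" | cut -f1 | grep -v '^unknown$' | sort -u | wc -l | tr -d ' ')
  [ "$n" -gt 1 ]
}

# Names (never values) of environment variables holding a literal op:// URI.
literal_op_vars() {
  env | grep -E '^[A-Za-z_][A-Za-z0-9_]*=op://' | cut -d= -f1
}

# Constructed sample chain; vault/item ids are placeholders, not real ones.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/dev/minibox"
printf 'export API_KEY="op://toptal.1password.com/VAULT_ID/ITEM_ID/token"\n' > "$demo/dev/minibox/.envrc"
printf 'source_up\n# export OLD=op://Personal/VAULT_ID/ITEM_ID/pw\n' > "$demo/dev/.envrc"
printf 'export GH_TOKEN=op://my.1password.com/VAULT_ID/ITEM_ID/pat\n' > "$demo/.envrc"

classify_op_refs "$demo/dev/minibox/.envrc" "$demo/dev/.envrc" "$demo/.envrc"
if has_account_conflict "$demo/dev/minibox/.envrc" "$demo/dev/.envrc" "$demo/.envrc"; then
  echo "WARNING: .envrc chain references both Toptal and Personal 1Password accounts."
fi
```

Commented-out refs are ignored because direnv never evaluates them, and only variable names are printed so the report can be pasted into a session log without echoing values.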
1PASSWORD AUTH OK (2 accounts)
DIRENV CHAIN 3 files found, 6 op:// refs total
ACCOUNT CONFLICTS None detected
LITERAL OP:// REFS None in current environment
| Issue | Fix |
|---|---|
| op account list fails | Run op signin or unlock 1Password |
| source_up not loading parent | Run direnv reload in each parent dir |
| Wrong account selected | Add --account <uuid> to op run |
| Literal op:// in env | Wrap command with op run -- |
| op item not found | Use UUID not item name in op:// path |
Never use item names in op:// paths — they may not resolve correctly across accounts.
Use op item list --vault <vault> to get exact item UUIDs.
Available as /sanctum:op-resolver for on-demand mid-session invocation.