Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From 1p-local-auth
This skill should be used when the user asks to "rotate a credential", "update OAuth secret", "change Google client secret", "update my dev auth credentials", "replace a 1Password credential", "my OAuth secret changed", "update local dev credentials", "add a missing credential", or needs to update a specific OAuth credential in the 1Password dev auth item. Performs targeted rotation of a single credential in the local dev auth setup.
npx claudepluginhub aventerica89/jb-claude-plugins --plugin 1p-local-authHow this skill is triggered — by the user, by Claude, or both
Slash command
/1p-local-auth:auth-rotateThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Updates a single credential in the 1Password dev auth item. No template files change — templates reference field names, not values. After rotation, the next `npm run dev:auth` automatically uses the new value.
Guides 1Password CLI (op) integration for secret management in dev workflows with .op.env files, Makefile/Docker Compose/Kamal/CI patterns for infrastructure, deployments, local dev.
Manage API keys, credentials, and secrets securely using vaults, environment variables, and rotation policies. Prevent secrets from being committed to code or exposed in logs.
Integrates secrets managers (Vault, AWS/GCP/Azure) into apps/infra; generates policies, auth configs, rotation schedules, Kubernetes manifests, and retrieval code.
Share bugs, ideas, or general feedback.
Updates a single credential in the 1Password dev auth item. No template files change — templates reference field names, not values. After rotation, the next npm run dev:auth automatically uses the new value.
which op || echo "NOT INSTALLED"
op vault list 2>&1 | head -1
If op is not installed or not authenticated, stop: "1Password CLI not authenticated — run op signin first."
Ask the user: "Which credential needs to be updated?" If already specified in the request, confirm the understanding.
Determine:
GOOGLE_CLIENT_SECRET.env.local.dev.tpl to find the item that holds this field# Replace GOOGLE_CLIENT_SECRET with the actual var name from user's request
VAR=GOOGLE_CLIENT_SECRET
grep "^${VAR}=" .env.local.dev.tpl
# Example output: GOOGLE_CLIENT_SECRET=op://App Dev/clarity-dev-auth/GOOGLE_CLIENT_SECRET
Parse out: vault (App Dev), item (clarity-dev-auth), field (GOOGLE_CLIENT_SECRET).
Present a clear confirmation before updating:
About to update:
Vault: App Dev
Item: clarity-dev-auth
Field: GOOGLE_CLIENT_SECRET
Value: [new value will replace existing]
Proceed? [y/N]
Wait for user confirmation.
Use the 1Password MCP to update the field value on the existing item. Do not recreate the item — update only the specified field.
If the field does not exist on the item (new credential being added), create the field.
After updating, confirm the template still references the correct item and field:
grep "VARIABLE_NAME" .env.local.dev.tpl
If the reference is missing or malformed, report it and offer to add the correct line.
Run a quick preflight to confirm the new value resolves:
op run --env-file=.env.local.dev.tpl -- env 2>&1 | grep "^${VAR}=" | sed 's/=.*/=***/'
If the var appears in output: rotation successful. If it fails: diagnose and report.
Credential rotated
Vault: App Dev
Item: clarity-dev-auth
Field: GOOGLE_CLIENT_SECRET
Status: updated, verified resolving
Restart dev server to pick up new value:
npm run dev:auth
If the user is adding a credential for a new provider (not rotating an existing one):
{slug}-dev-auth in 1Password via MCPop:// reference lines to .env.local.dev.tplreferences/providers.md in the setup-local-auth skillMultiple credentials to rotate at once: Handle one at a time, repeating Steps 1–5 for each. Batch operations risk partial failures that are harder to debug.
Credential value contains special characters: 1Password stores values verbatim — no escaping needed. The issue only arises in shell context, not in 1Password storage.
Item not found: If {slug}-dev-auth doesn't exist, the setup was never completed or the item was deleted. Run /setup-local-auth to re-create from scratch.