1Password

@OpenClaw get the GitHub API token for the production deployment@OpenClaw what's the AWS access key for the staging environment?@OpenClaw retrieve the database password for the analytics-db vault@OpenClaw show me all API keys that expire this month

# Step 1: Open 1Password app# Step 2: Find vault → item → field# Step 3: Copy secret# Step 4: Paste in terminal (exposed in history!)# Step 5: Repeat for 15 more env varsexport DATABASE_URL="postgresql://..."export STRIPE_API_KEY="sk_live_..."export SENDGRID_API_KEY="SG..."# etc.

@OpenClaw load environment variables for the production deployment

@OpenClaw rotate the Stripe API key and update all services@OpenClaw generate a new database password and update the connection strings@OpenClaw audit all API keys older than 90 days and create rotation tasks

@OpenClaw generate an access audit report for the last quarter@OpenClaw who accessed the production API keys in January?@OpenClaw verify all team members have unique passwords (no sharing)@OpenClaw create an incident response plan for the leaked GitHub token

@OpenClaw emergency: get production database credentials

@OpenClaw onboard new developer sarah@company.com to the Engineering team

@OpenClaw offboard john@company.com and rotate all accessed credentials

# Traditional way (manual, error-prone)op item get "Production Database" --fields passwordop item get "Stripe API Key" --fields credential# ... repeat 15 times, paste into .env# With OpenClaw@OpenClaw load environment variables for product-api production deployment

Deploying product-api to production...✓ Retrieved 12 secrets from 1Password:  - Production/Database (DATABASE_URL)  - Production/Stripe (STRIPE_API_KEY, STRIPE_WEBHOOK_SECRET)  - Production/SendGrid (SENDGRID_API_KEY)  - Production/AWS (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)  - Production/Redis (REDIS_URL)  - Shared/OpenAI (OPENAI_API_KEY)  - Production/GitHub (GITHUB_TOKEN)  - Production/Sentry (SENTRY_DSN)  - Production/Feature Flags (LAUNCH_DARKLY_KEY)✓ Injected into Kubernetes secret: product-api-prod✓ Deployment rolling out (0/3 pods ready)✓ Deployment complete (3/3 pods ready)Production deployment successful!Audit log: https://1password.com/logs/deployment-abc123

# .github/workflows/deploy.yml- name: Load secrets from 1Password  run: |    openclaw ask "Load production secrets for ${{ github.event.repository.name }}"

# Working on user-service (needs Stripe)@OpenClaw get the Stripe test API key# Switching to email-service (needs SendGrid)@OpenClaw get SendGrid API key for staging# Debugging production issue (needs prod credentials)@OpenClaw get production database password

For the checkout flow, you'll need:1. Stripe API Keys:   - Test mode: sk_test_... (from Development/Stripe)   - Webhook secret: whsec_... (from Development/Stripe)2. Database:   - Staging DB: postgresql://... (from Development/Databases)3. Optional:   - Sentry DSN for error tracking (from Development/Monitoring)   - Feature flags (from Development/LaunchDarkly)Would you like me to:a) Load all into your .env fileb) Export to shell sessionc) Just show the values

✓ Created .env.local with 6 secrets✓ Added to .gitignore (safety check)✓ Ready to start development!Reminder: These are TEST credentials. Production keys are in Production vault.

@OpenClaw audit all credentials and identify those older than 90 days

Credential Audit Report (Last 90 Days)⚠️  OVERDUE ROTATION (>90 days):1. Production/AWS (aws-root-access-key) - 127 days old2. Production/Stripe (stripe-live-api-key) - 103 days old3. Production/Database (postgres-admin-password) - 98 days old4. Production/GitHub (github-deploy-token) - 94 days old✓ COMPLIANT (<90 days):- Development/* (all keys <30 days)- Production/SendGrid (62 days)- Production/OpenAI (45 days)📊 Summary:- Total credentials: 47- Need rotation: 4 (9%)- Compliant: 43 (91%)- High risk: 2 (AWS root, Database admin)Recommendation: Rotate high-risk credentials immediately.Generate rotation plan? (yes/no)

Credential Rotation Plan🔴 PRIORITY 1 (Production Impact):1. AWS Root Access Key   - Current: AKIA...OLD (127 days)   - Services affected:      * Terraform state backend (S3)     * CI/CD deployments (GitHub Actions)     * Infrastructure monitoring (CloudWatch)   - Rotation steps:     a) Generate new IAM key     b) Update GitHub Actions secrets     c) Update Terraform Cloud workspace     d) Test deployment pipeline     e) Deactivate old key (24hr grace period)   - Estimated time: 45 minutes   - Risk: Medium (deployments blocked if misconfigured)   - Recommended: Friday 2pm (low traffic)2. Production Database Password   - Current: [REDACTED] (98 days)   - Services affected:     * product-api (Kubernetes)     * analytics-worker (Kubernetes)     * admin-dashboard (Vercel)   - Rotation steps:     a) Generate new password (32 chars, high entropy)     b) Update 1Password item     c) Update Kubernetes secrets (3 services)     d) Rolling restart pods (zero downtime)     e) Verify connectivity   - Estimated time: 20 minutes   - Risk: Low (rolling restart, zero downtime)   - Recommended: Any time[...continues for all 4 credentials...]Total time: ~2 hoursCan be parallelized: ~45 minutes with teamShall I create tasks in Linear/Jira? (yes/no)

🔐 Credential Rotation: Production Database Password⚠️  This will affect 3 production services.⚠️  Requires approval from Security Team.Rotation plan:1. Generate new password (32 chars, bcrypt-compatible)2. Update 1Password: Production/Database/postgres-admin-password3. Update Kubernetes secrets:   - product-api-prod   - analytics-worker-prod   - admin-dashboard-prod4. Rolling restart (zero downtime)5. Verify connections6. Notify #engineering channelApprove? Type ROTATE to confirm:

✓ Generated new password: [REDACTED]✓ Updated 1Password (Production/Database)✓ Updated Kubernetes secret: product-api-prod✓ Updated Kubernetes secret: analytics-worker-prod  ✓ Updated Kubernetes secret: admin-dashboard-prod✓ Rolling restart: product-api (3/3 pods healthy)✓ Rolling restart: analytics-worker (2/2 pods healthy)✓ Rolling restart: admin-dashboard (redeploying...)✓ Connection test: All services connected successfully✓ Notified #engineering (3 people online)Rotation complete! Old password deactivated: No (24hr grace period)Audit log: https://1password.com/logs/rotation-xyz789Next rotation due: July 10, 2026 (90 days)

@OpenClaw schedule automatic rotation for all production credentials every 60 days

@OpenClaw audit our 1Password organization and identify issues

1Password Organization Audit📊 Overview:- Vaults: 23- Items: 487- Users: 52- Teams: 8⚠️  ISSUES FOUND:1. Duplicate Credentials (12 found):   - "Stripe API Key" in Engineering, DevOps, and Production vaults   - "AWS Access Key" in Engineering and Infrastructure vaults   - "GitHub Token" in Engineering and Deployment vaults   - [9 more...]2. Unclear Naming (34 items):   - "Password" (which password?)   - "API Key" (which API?)   - "Token" (which token?)   - "Database" (which database?)3. Over-Permissioned Access (6 users):   - john@company.com has access to 18/23 vaults (should be ~5)   - sarah@company.com has access to 15/23 vaults   - [4 more...]4. Orphaned Items (8 found):   - "Heroku API Key" (Heroku account closed 2 years ago)   - "Mailgun Password" (migrated to SendGrid)   - [6 more...]5. Weak Passwords (3 found):   - Production/Legacy App (password: "admin123")   - Development/Test DB (password: "password")   - [1 more...]6. Missing Metadata (47 items):   - No URL field   - No description   - No tags🎯 Recommendations:1. Consolidate duplicates → Single source of truth2. Rename unclear items → Standardized naming3. Review access permissions → Principle of least privilege4. Archive orphaned items → Reduce clutter5. Rotate weak passwords → Security compliance6. Add metadata → Improve searchabilityShall I create a cleanup plan? (yes/no)

Vault Cleanup Plan📋 PHASE 1: Consolidate Duplicates (Est: 30 min)Stripe API Keys:- Keep: Production/Stripe/api-key-live (most recent, properly tagged)- Merge from: Engineering/stripe-key, DevOps/stripe-api- Action: Update references, archive old items- Risk: Low (testing before deletion)AWS Access Keys:- Keep: Production/AWS/root-access-key- Merge from: Engineering/aws-key, Infrastructure/aws-access  - Action: Verify all are same key, archive duplicates- Risk: Low (read-only verification)[...10 more duplicates...]📋 PHASE 2: Standardize Naming (Est: 45 min)Naming convention:- Format: [Service] [Environment] [Type]- Examples:  * "AWS Production Access Key"  * "Stripe Test API Key"  * "PostgreSQL Staging Password"Renames needed:- "Password" → "PostgreSQL Production Admin Password"- "API Key" → "SendGrid Production API Key"- "Token" → "GitHub Production Deploy Token"[...31 more...]📋 PHASE 3: Right-Size Permissions (Est: 1 hour)User: john@company.com (Frontend Engineer)- Current access: 18 vaults- Needed access: 4 vaults (Engineering, Development, Staging, Shared)- Remove: Production, Infrastructure, DevOps, Sales, Marketing, [9 more]- Justification: Frontend engineers don't need production DB access[...5 more users...]📋 PHASE 4: Archive Orphaned Items (Est: 15 min)- Heroku API Key → Archive (migrated to Vercel 2 years ago)- Mailgun Password → Archive (migrated to SendGrid)[...6 more...]📋 PHASE 5: Rotate Weak Passwords (Est: 30 min)- Production/Legacy App ("admin123") → Generate secure password, update app- Development/Test DB ("password") → Generate secure password, update config[...1 more...]📋 PHASE 6: Enrich Metadata (Est: 1 hour)Add to all 47 items:- URL: Service login page- Description: What this credential is for- Tags: service-name, environment, team- Notes: Rotation schedule, owner, dependencies⏱️  TOTAL TIME: ~4 hours (can be done over 1 week)🎯 OUTCOME:- Organized vaults (clear naming, no duplicates)- Right-sized permissions (security improved)- Updated credentials (no weak passwords)- Searchable metadata (new hires can find things)Shall I create tasks in Linear/Jira? (yes/no)Or execute automatically with approval? (auto/manual)

🤖 Starting automated cleanup with approval gates...✓ Phase 1: Duplicate Consolidation  ✓ Verified Stripe keys are identical (hash match)  ✓ Updated 3 service configs to use Production/Stripe/api-key-live  ✓ Archived Engineering/stripe-key  ✓ Archived DevOps/stripe-api  [Progress: 2/12 duplicates consolidated]⚠️  APPROVAL NEEDED: AWS Access Key Consolidation  Found 3 AWS keys. Only 2 are identical.  - Production/AWS/root-access-key (AKIA...ABC)  - Engineering/aws-key (AKIA...ABC) [duplicate]  - Infrastructure/aws-access (AKIA...XYZ) [DIFFERENT!]    Recommendation: Keep both unique keys, archive duplicate.  Approve? (yes/no/skip)

✅ Cleanup Complete!Results:✓ Consolidated 12 duplicates → 0 duplicates✓ Renamed 34 items → Standardized naming✓ Adjusted permissions for 6 users → Right-sized✓ Archived 8 orphaned items → Removed clutter✓ Rotated 3 weak passwords → Security improved✓ Enriched 47 items with metadata → SearchableBefore → After:- Items: 487 → 479 (8 archived)- Duplicates: 12 → 0- Unclear names: 34 → 0- Over-permissioned users: 6 → 0- Weak passwords: 3 → 0- Missing metadata: 47 → 0📊 Health Score: 62% → 98%Audit log: https://1password.com/logs/cleanup-202604Next review: July 1, 2026 (quarterly)

🚨 EMERGENCY ACCESS ACTIVATEDCredential: Production PostgreSQL Admin PasswordVault: Production/DatabaseItem: postgres-admin-password🔐 Password: [REDACTED - click to reveal]📋 Connection details:- Host: prod-db.internal.company.com- Port: 5432- Username: admin- Database: production⚡ Quick actions:- [Copy password to clipboard]- [Open SSH session]- [Check database status]- [View recent logs]⚠️  Emergency access logged:- User: you@company.com- Time: 2:47 AM PST- Reason: PagerDuty alert #12345- Notified: #security-alerts, #on-call📌 Post-incident:- Rotate this credential within 24 hours (security policy)- Document incident in postmortem- Review why on-call didn't have accessNeed help debugging? I can:- Check database logs- List active connections- Show recent queries- Verify backup status

Incident Postmortem Template📋 Incident Summary:- Date: April 10, 2026- Time: 2:47 AM - 2:55 AM PST (8 minutes)- Severity: P1 (Production database down)- Impact: All API requests failing (100% error rate)- MTTR: 8 minutes🔍 Timeline:- 2:47 AM: PagerDuty alert triggered- 2:48 AM: On-call accessed credentials via OpenClaw- 2:50 AM: Diagnosed issue (connection pool exhausted)- 2:52 AM: Restarted connection pool- 2:55 AM: Service recovered, monitoring✅ What Went Well:- Fast credential access (30 seconds vs typical 5+ minutes)- Clear audit trail (security compliance)- Automated notifications (security team alerted)❌ What Went Wrong:- On-call engineer didn't know which vault had credentials- No runbook linked from PagerDuty- Connection pool issue should have alerted earlier🔧 Action Items:- [ ] Update PagerDuty runbook with credential location- [ ] Add connection pool monitoring alert- [ ] Grant all on-call engineers emergency access to Production vault- [ ] Schedule credential rotation (24hr policy after emergency access)- [ ] Review connection pool settings📊 Metrics:- Detection time: <1 minute- Response time: 1 minute- Resolution time: 8 minutes- Total downtime: 8 minutesPostmortem created: [Link to Google Doc]Shared with: #engineering, #leadership, #security

@OpenClaw grant contractor alex@contractor.com access to staging environment for 6 weeks

🎫 Temporary Access RequestContractor: alex@contractor.comDuration: 6 weeks (expires June 22, 2026)Environment: Staging📋 Access Plan:1Password Vaults:✓ Grant access to:  - Staging/Database (read-only credentials)  - Staging/Stripe (test API keys)  - Staging/GitHub (deploy tokens)  ✗ Block access to:  - Production/* (all vaults)  - Development/* (internal only)  - Infrastructure/* (not needed)Specific Items:✓ PostgreSQL Staging Password (read-only user)✓ Stripe Test API Key✓ GitHub Staging Deploy Token✗ Stripe Live API Key (blocked)✗ Production Database (blocked)⏰ Automatic Actions:- June 22, 2026: Remove all access- June 15, 2026: Reminder to manager (1 week warning)- June 22, 2026: Rotate accessed credentials (security policy)- June 22, 2026: Notify #security team📧 Onboarding:- Send 1Password invite to alex@contractor.com- Send staging environment setup guide- Add to #contractors Slack channel- Add to staging Vercel team (limited access)⚠️  Security:- Audit log: Track all accessed items- Weekly access review: Report to manager- Expire credentials: Auto-revoke after 6 weeksApprove? (yes/no)

✅ Temporary Access Granted✓ Sent 1Password invite to alex@contractor.com✓ Granted access to 3 staging vaults✓ Created calendar reminder for June 15 (1-week warning)✓ Created calendar reminder for June 22 (auto-revoke)✓ Sent onboarding email with setup guide✓ Added to #contractors channel✓ Logged in audit trailContractor can start work immediately.Access expires: June 22, 2026 (automatic)Tracking: https://app.cloud.getopenclaw.ai/access/contractor-alex-202604

📊 Contractor Access Report (Week of April 14, 2026)Active Contractors: 1Contractor: alex@contractor.com- Access granted: April 10, 2026- Expires: June 22, 2026 (10 weeks remaining)- Items accessed this week:  * Staging/Database/postgres-staging-ro (14 times)  * Staging/Stripe/test-api-key (6 times)  * Staging/GitHub/deploy-token (3 times)- Suspicious activity: None- Compliance: ✓ All access within approved scope⚠️  Upcoming Expirations:- alex@contractor.com (10 weeks remaining)- No other contractorsAction needed: None (automatic cleanup scheduled)

🔒 Automatic Access RevocationContractor: alex@contractor.comContract ended: June 22, 2026Actions completed:✓ Removed access to Staging/Database vault✓ Removed access to Staging/Stripe vault✓ Removed access to Staging/GitHub vault✓ Rotated PostgreSQL Staging password (accessed 89 times)✓ Rotated Stripe Test API key (accessed 34 times)✓ Rotated GitHub Deploy token (accessed 12 times)✓ Removed from #contractors Slack channel✓ Removed from Vercel staging team✓ Notified security team✓ Generated final access reportFinal Access Report:- Total access duration: 73 days (6 weeks + 3 days)- Items accessed: 3- Total accesses: 135- Anomalies detected: 0- Security incidents: 0Audit trail: https://1password.com/reports/contractor-alex-finalContractor offboarding complete.

@OpenClaw generate a SOC 2 access review report for Q1 2026

SOC 2 Access Review Report - Q1 2026Generated: April 10, 2026Period: January 1 - March 31, 2026📊 EXECUTIVE SUMMARY✓ Compliance Status: 94% (Target: >90%)✓ Credential Rotation: 89% on schedule (Target: >85%)✓ Access Reviews: 100% completed (Target: 100%)⚠️  Policy Violations: 3 (Target: 0)---📋 PRODUCTION ACCESS AUDITProduction Vault Access:- Authorized users: 12- Unauthorized access attempts: 0- Emergency access events: 2 (both documented)Access by User (Production vaults only):1. john@company.com (DevOps Lead)   - Accesses: 47   - Items: Production/AWS (23), Production/Database (18), Production/GitHub (6)   - Anomalies: None   - Last review: March 15, 2026 ✓2. sarah@company.com (Senior SRE)   - Accesses: 34   - Items: Production/Database (28), Production/Redis (6)   - Anomalies: None   - Last review: March 15, 2026 ✓3. alex@company.com (CTO)   - Accesses: 2   - Items: Production/AWS (2) [Emergency access on Jan 15]   - Anomalies: None   - Last review: March 15, 2026 ✓[...9 more users...]---🔄 CREDENTIAL ROTATION COMPLIANCERotation Policy: Every 90 days for production credentialsCompliant (Rotated on schedule):✓ Production/Database/postgres-admin (Jan 15, 2026)✓ Production/AWS/root-access-key (Feb 3, 2026)✓ Production/Stripe/live-api-key (Feb 20, 2026)✓ Production/GitHub/deploy-token (Mar 8, 2026)✓ Production/SendGrid/api-key (Mar 22, 2026)[...12 more...]Overdue (Need rotation):⚠️  Production/Redis/password (Last rotated: Oct 10, 2025 - 182 days ago)⚠️  Production/OpenAI/api-key (Last rotated: Nov 5, 2025 - 156 days ago)Scheduled (Next 30 days):📅 Production/Database/postgres-admin (Due: Apr 15, 2026)📅 Production/AWS/root-access-key (Due: May 3, 2026)Compliance Rate: 89% (17/19 credentials on schedule)---⚠️  POLICY VIOLATIONS1. Shared Credential Usage (Policy: No sharing)   - Incident: "Stripe Live API Key" accessed from 3 different IP addresses simultaneously   - Date: February 12, 2026   - Users: john@company.com, sarah@company.com, mike@company.com   - Resolution: Reminded team of policy, rotated credential   - Status: Resolved ✓2. Weak Password Detected (Policy: Minimum 16 chars, high entropy)   - Item: Production/Legacy App/admin-password   - Password: "admin123" (detected Jan 20, 2026)   - Resolution: Rotated to secure password Jan 22, 2026   - Status: Resolved ✓3. Overdue Rotation (Policy: Max 90 days)   - Item: Production/Redis/password   - Last rotation: Oct 10, 2025 (182 days ago)   - Resolution: Rotation scheduled for Apr 12, 2026   - Status: In Progress 🔄---🚨 EMERGENCY ACCESS EVENTS1. Database Incident (January 15, 2026)   - User: alex@company.com (CTO)   - Credential: Production/Database/postgres-admin   - Reason: PagerDuty P1 (database connection pool exhausted)   - Time: 2:47 AM PST   - Duration: 8 minutes   - Post-incident: Credential rotated within 24 hours ✓   - Postmortem: https://docs.company.com/incidents/2026-01-152. AWS Incident (March 8, 2026)   - User: sarah@company.com (Senior SRE)   - Credential: Production/AWS/root-access-key   - Reason: S3 bucket misconfiguration (public exposure detected)   - Time: 10:23 AM PST   - Duration: 15 minutes   - Post-incident: Credential rotated within 24 hours ✓   - Postmortem: https://docs.company.com/incidents/2026-03-08Emergency Access Compliance: 100% (both events documented, credentials rotated)---👥 ACCESS REVIEW DOCUMENTATIONQuarterly access review completed: March 15, 2026Reviewer: alex@company.com (CTO)Approver: board@company.com (Board of Directors)Review Results:✓ All production access justified and approved✓ No orphaned accounts (all users active)✓ No over-privileged users (principle of least privilege verified)✓ Contractor access properly time-limited (1 active contractor)Access Changes:- Removed: mike@company.com from Production/Marketing (role change)- Added: jane@company.com to Production/Database (new SRE hire)- No other changes---📈 METRICS| Metric | Q1 2026 | Q4 2025 | Trend ||--------|---------|---------|-------|| Production accesses | 183 | 156 | ↑ 17% || Emergency accesses | 2 | 1 | ↑ 100% || Rotation compliance | 89% | 94% | ↓ 5% || Policy violations | 3 | 1 | ↑ 200% || Access reviews completed | 100% | 100% | → || Avg. credential age | 45 days | 38 days | ↑ 18% |Recommendations:1. Rotate overdue credentials immediately (Redis, OpenAI)2. Investigate increase in policy violations (training needed?)3. Review emergency access procedures (2 incidents in Q1)4. Consider automated rotation for all production credentials---✅ AUDITOR ATTESTATIONThis report satisfies SOC 2 requirements:- CC6.1: Logical and physical access controls ✓- CC6.2: Prior to issuing credentials, registration and authorization ✓- CC6.3: Removals and modifications of access ✓- CC7.2: Detection of security events ✓Audit Trail: https://1password.com/reports/q1-2026-access-reviewGenerated by: OpenClaw AI (verified by alex@company.com)Next Review: July 1, 2026 (Q2 2026)---Export options:- [Download as PDF]- [Export to Excel]- [Share with auditor]- [Create remediation tasks]

@OpenClaw scan our codebase for hardcoded secrets and credentials

🔍 Secret Sprawl Scan ResultsScanned:- Repositories: 23- Files: 4,782- Lines of code: 287,493⚠️  SECRETS FOUND: 12🚨 HIGH RISK (Public repos):1. product-api/config/database.yml   - Secret: PostgreSQL password (production)   - Value: "prod_db_pass_2024" (hardcoded)   - Line: 12   - Risk: High (public repo, 47 commits since added)   - Added by: john@company.com on Feb 3, 2026   - 1Password equivalent: Production/Database/postgres-admin   - Recommendation: Rotate immediately, use 1Password reference2. frontend-app/.env.production   - Secret: Stripe Live API Key   - Value: sk_live_51A... (exposed)   - Line: 8   - Risk: Critical (public repo, commit to main)   - Added by: sarah@company.com on Mar 15, 2026   - 1Password equivalent: Production/Stripe/live-api-key   - Recommendation: Rotate immediately, revoke in Stripe dashboard⚠️  MEDIUM RISK (Private repos):3. analytics-worker/src/config.ts   - Secret: OpenAI API Key   - Value: sk-proj-... (hardcoded)   - Line: 45   - Risk: Medium (private repo, but accessible to all engineers)   - Added by: mike@company.com on Jan 20, 2026   - 1Password equivalent: Production/OpenAI/api-key   - Recommendation: Use 1Password reference[...9 more secrets...]📊 Summary:- Critical: 2 (public repos, need immediate rotation)- High: 3 (production secrets, hardcoded)- Medium: 7 (dev secrets, should use 1Password)- Total exposed secrets: 12- Estimated blast radius: 47 commits, 12 developers🔧 Remediation Plan:1. Rotate critical secrets immediately (2 items)2. Replace hardcoded secrets with 1Password references (12 items)3. Add pre-commit hooks (prevent future leaks)4. Train team on 1Password CLI usage5. Monitor for future secret commits (GitHub Actions)Shall I create remediation tasks? (yes/no)Or execute automatic remediation? (auto/manual)

🤖 Automatic Secret Remediation⚡ PHASE 1: Rotate Critical Secrets1. PostgreSQL Production Password:   ✓ Generated new password (32 chars, high entropy)   ✓ Updated 1Password: Production/Database/postgres-admin   ✓ Updated Kubernetes secrets (3 services)   ✓ Tested connections (all healthy)   ✓ Notified #engineering2. Stripe Live API Key:   ✓ Created new Stripe API key via API   ✓ Updated 1Password: Production/Stripe/live-api-key   ✓ Updated frontend-app environment variables (Vercel)   ✓ Revoked old key in Stripe dashboard   ✓ Tested payment processing (working)   ✓ Notified #engineering and #security⚡ PHASE 2: Replace Hardcoded SecretsReplacing hardcoded secrets with 1Password references...Before (product-api/config/database.yml):```yamlproduction:  password: "prod_db_pass_2024"

production:  password: op://Production/Database/postgres-admin

**Impact:**- Secret sprawl eliminated: 12 → 0 hardcoded secrets- Remediation time: 2 days → 30 minutes (96% faster)- Future prevention: Pre-commit hooks + monitoring- Security incidents avoided: Untold number (proactive fix)- Team education: Training and documentation created---### Features Deep Dive**Natural Language Secret Retrieval**Forget memorizing vault names, item names, and field names. Just describe what you need:

The assistant understands:- Fuzzy matching ("db password" = "database password")- Environment context ("production" vs "staging" vs "test")- Service names ("Stripe", "AWS", "GitHub")- Credential types ("password", "API key", "token")**Secure Credential Display**Credentials are displayed securely:- Redacted by default (click to reveal)- Auto-expire after 60 seconds (clipboard cleared)- Never logged in chat history- Access logged for audit trail**Environment Variable Injection**Load all secrets for a service at once:

The assistant:1. Reads your `.env.example` or deployment config2. Maps each variable to 1Password vault items3. Retrieves all secrets in parallel4. Injects into shell session, .env file, or CI/CD5. Logs access for complianceSupported targets:- Shell session (`export VAR=value`)- .env file (creates `.env.local`)- Kubernetes secrets (updates existing secret)- Docker compose (updates docker-compose.override.yml)- CI/CD variables (GitHub Actions, GitLab CI)**Credential Rotation**Manual or automated:

Rotation process:1. Generate new credential (secure random or via API)2. Update 1Password item3. Update all services using the credential4. Test connectivity5. Deactivate old credential (24hr grace period)6. Notify team7. Log rotation**Vault Search and Organization**Find secrets across all vaults:

**Access Audit and Review**Generate compliance reports:

**Emergency Access**Break-glass scenarios:

Emergency access:- Logs access with reason (compliance)- Notifies security team- Provides credential without clipboard exposure- Creates follow-up task to rotate credential- Generates incident timeline**Team Management**Onboard and offboard users:

**Secret Sprawl Detection**Scan code for hardcoded secrets:

**1Password CLI Integration**For advanced users, the assistant can execute 1Password CLI commands:

**Service Account Management**Manage 1Password service accounts:

**Compliance Reporting**Generate reports for auditors:

**Incident Response**Handle leaked credentials:

---## Setup Option 1: HeraClaw Cloud (Recommended)**Time required:** 60 seconds**Technical skill:** None**Cost:** Included in HeraClaw Cloud subscription**Best for:** 95% of users, all team sizes**Why HeraClaw Cloud?**- No 1Password CLI installation required- No service account creation- No token management or rotation- No vault permission debugging- No op://reference syntax to learn- Professional support included- Automatic updates and security patches- 99.9% uptime SLA- Enterprise-grade security (SOC 2, GDPR)**Steps:****1. Sign up for HeraClaw Cloud**- Visit cloud.getopenclaw.ai- Click "Sign In" (no credit card required)- Create your account (takes 60 seconds)**2. Navigate to Integrations**- Click "Integrations" in the left sidebar- Find "1Password" in the list- Click "Connect to 1Password"**3. Authorize 1Password Access**- 1Password OAuth screen appears- Select your 1Password account- Choose which vaults to grant access to- Click "Allow"**4. Test the Integration**- In HeraClaw chat: `@OpenClaw list my 1Password vaults`- You should see your vaults listed- Try: `@OpenClaw get my GitHub API token`**That's it!** You're up and running.**What You Get with HeraClaw Cloud:**✅ **Instant Setup** - No CLI installation, no service accounts✅ **Secure by Default** - No master password exposure, no token management✅ **Automatic Updates** - We handle 1Password CLI and API changes✅ **Professional Support** - Email, chat, and phone support✅ **99.9% Uptime** - SLA-backed reliability✅ **Enterprise Security** - SOC 2, GDPR, HIPAA available✅ **Advanced Features** - Rotation automation, audit reports, compliance tools✅ **No Maintenance** - We manage everything**Pricing:** See cloud.getopenclaw.ai/pricing (starts with affordable team plans)**Get Started:** [Start with HeraClaw Cloud →](https://cloud.getopenclaw.ai/auth/signin)---## Setup Option 2: Self-Hosted (Advanced)**Time required:** 30-45 minutes (first time), 15-20 minutes (if experienced)**Technical skill:** Intermediate to Advanced**Cost:** 1Password account + your time**Best for:** DevOps engineers, technical teams, compliance requirements**Who should self-host?**✅ DevOps engineers comfortable with CLI tools✅ Organizations with strict data residency requirements✅ Teams already using 1Password CLI✅ Technical enthusiasts who want full control✅ Companies that cannot use third-party SaaS**Who should NOT self-host?**❌ Small teams without DevOps expertise❌ Anyone who values time over cost savings❌ Teams without security expertise❌ Organizations without compliance teams**Prerequisites:**- OpenClaw installed and running (Mac/Linux/VPS)- 1Password account (Team, Business, or Enterprise)- 1Password CLI installed- Terminal access- Understanding of service accounts and OAuth### Detailed Self-Hosted Setup**Step 1: Install 1Password CLI****macOS (Homebrew):**```bashbrew install 1password-cli# Verify installationop --version# Should output: 2.x.x

# Debian/Ubuntucurl -sS https://downloads.1password.com/linux/keys/1password.asc | \  sudo gpg --dearmor --output /usr/share/keyrings/1password-archive-keyring.gpgecho "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/1password-archive-keyring.gpg] https://downloads.1password.com/linux/debian/$(dpkg --print-architecture) stable main" | \  sudo tee /etc/apt/sources.list.d/1password.listsudo apt update && sudo apt install 1password-cli# Verifyop --version

docker run -it 1password/op:2 --version

# Sign in to 1Password CLIop account add# Follow prompts:# - Enter your 1password.com URL# - Enter your email# - Enter your Secret Key# - Enter your Master Password# Create a sessionexport OP_SESSION_my=$(op signin --raw)

integrations:  onepassword:    enabled: true        # Service account token (recommended)    serviceAccountToken: "ops_your_service_account_token_here"        # Or use CLI session (less secure)    # useSession: true    # sessionEnvVar: "OP_SESSION_my"        # Default vault for retrievals    defaultVault: "Development"        # Vaults accessible to AI assistant    allowedVaults:      - "Development"      - "Staging"      - "Production"  # Only if approved by security        # Block sensitive vaults    blockedVaults:      - "HR"      - "Finance"      - "Executive"        # Cache retrieved secrets for N seconds (reduces API calls)    cacheTTL: 300  # 5 minutes        # Security: redact secrets in chat logs    redactSecrets: true        # Audit: log all secret accesses    auditLog: true    auditLogPath: "/var/log/openclaw/1password-audit.log"

openclaw gateway start# Check logsopenclaw gateway logs --follow

✓ 1Password CLI detected (version 2.x.x)✓ Service account authenticated✓ Vaults accessible: Development, Staging, Production✓ 1Password integration enabled

# In OpenClaw chat@OpenClaw list my 1Password vaults# Should show:# - Development# - Staging  # - Production# Try retrieving a secret@OpenClaw get the GitHub API token from Development vault

integrations:  onepassword:    # Per-vault permissions    vaultPermissions:      Development:        read: true        write: false  # Read-only        rotate: false            Staging:        read: true        write: false        rotate: true  # Can rotate credentials            Production:        read: true        write: false        rotate: true        # Require approval for access        requireApproval: true        approvers:          - "security-team@company.com"          - "cto@company.com"

integrations:  onepassword:    # Map environment variables to 1Password items    envMapping:      DATABASE_URL:        vault: "Production"        item: "PostgreSQL Production"        field: "connection_string"            STRIPE_API_KEY:        vault: "Production"        item: "Stripe Live"        field: "api_key"            AWS_ACCESS_KEY_ID:        vault: "Production"        item: "AWS Root"        field: "access_key_id"            AWS_SECRET_ACCESS_KEY:        vault: "Production"        item: "AWS Root"        field: "secret_access_key"

@OpenClaw load environment variables for production# The assistant will:# 1. Read the envMapping config# 2. Retrieve all secrets from 1Password# 3. Inject into shell session or .env file

integrations:  onepassword:    rotation:      enabled: true            # Rotation schedule      schedules:        - name: "Production credentials"          vault: "Production"          items:            - "PostgreSQL Production"            - "Stripe Live"            - "AWS Root"          frequency: "90 days"          notify:            - "#security"            - "devops@company.com"                - name: "Staging credentials"          vault: "Staging"          items: "*"  # All items          frequency: "30 days"          notify:            - "#engineering"            # Rotation actions      postRotation:        - type: "update_kubernetes"          secrets:            - "product-api-prod"            - "analytics-worker-prod"                - type: "notify_slack"          channel: "#engineering"          message: "Production credentials rotated"

integrations:  onepassword:    audit:      enabled: true      logFile: "/var/log/openclaw/1password-audit.log"            # What to log      logEvents:        - "retrieve"   # Secret retrievals        - "rotate"     # Credential rotations        - "search"     # Vault searches        - "emergency"  # Emergency access            # Include in logs      includeMetadata:        user: true        timestamp: true        vault: true        item: true        field: true        reason: true            # Never log actual secret values      redactValues: true            # Compliance: export to SIEM      export:        enabled: true        format: "json"        destination: "syslog://siem.company.com:514"

{  "timestamp": "2026-04-10T14:23:45Z",  "event": "retrieve",  "user": "john@company.com",  "vault": "Production",  "item": "PostgreSQL Production",  "field": "password",  "reason": "Deployment to staging",  "ip_address": "192.168.1.100",  "user_agent": "OpenClaw/1.0"}

# Option 1: Environment variable (less secure)export OP_SERVICE_ACCOUNT_TOKEN="ops_..."# Option 2: 1Password reference (more secure, recursive!)export OP_SERVICE_ACCOUNT_TOKEN=$(op read "op://Infrastructure/OpenClaw/service_account_token")# Option 3: Kubernetes secret (for cloud deployments)kubectl create secret generic openclaw-1password \  --from-literal=token="ops_..."# Reference in config:integrations:  onepassword:    serviceAccountToken: ${OP_SERVICE_ACCOUNT_TOKEN}

integrations:  onepassword:    accounts:      company:        serviceAccountToken: "ops_company_token"        vaults:          - "Development"          - "Staging"          - "Production"            client_acme:        serviceAccountToken: "ops_acme_token"        vaults:          - "Acme Production"          - "Acme Staging"            personal:        useSession: true        sessionEnvVar: "OP_SESSION_personal"        vaults:          - "Personal"

@OpenClaw get database password from company account@OpenClaw get API key from client_acme account  @OpenClaw list vaults in personal account

integrations:  onepassword:    fieldMapping:      # Standard fields (work automatically)      password: ["password", "credential"]      username: ["username", "email", "user"]      url: ["website", "url", "link"]            # Custom fields (your organization)      api_key: ["api_key", "apikey", "key"]      secret_key: ["secret_key", "secret"]      connection_string: ["connection_string", "conn_str", "url"]      ssh_key: ["ssh_private_key", "private_key"]

integrations:  onepassword:    rotationWorkflows:      stripe_api_key:        steps:          - name: "Generate new Stripe key"            action: "stripe_api_create_key"            params:              name: "Production API Key {{date}}"                    - name: "Update 1Password"            action: "1password_update_item"            params:              vault: "Production"              item: "Stripe Live"              field: "api_key"              value: "{{new_key}}"                    - name: "Update Vercel env"            action: "vercel_update_env"            params:              project: "product-api"              key: "STRIPE_API_KEY"              value: "{{new_key}}"                    - name: "Redeploy services"            action: "vercel_redeploy"            params:              project: "product-api"                    - name: "Test payment"            action: "http_request"            params:              url: "https://api.company.com/health/stripe"              expect: 200                    - name: "Revoke old key"            action: "stripe_api_revoke_key"            params:              key: "{{old_key}}"                    - name: "Notify team"            action: "slack_message"            params:              channel: "#engineering"              text: "Stripe API key rotated successfully"

integrations:  onepassword:    emergencyAccess:      enabled: true            # Require keyword to trigger      keyword: "EMERGENCY"            # Grant temporary access to normally blocked vaults      grantAccess:        - "Production"        - "Infrastructure"            # Notifications      notify:        slack:          - "#security-alerts"          - "#engineering-alerts"        email:          - "security@company.com"          - "cto@company.com"        pagerduty:          service: "security-incidents"            # Post-emergency actions      postAccess:        - action: "create_incident_ticket"          system: "jira"          project: "SEC"                - action: "schedule_credential_rotation"          delay: "24 hours"          reason: "Emergency access granted"                - action: "create_postmortem"          template: "emergency-access"

@OpenClaw EMERGENCY: production database password# Triggers:# 1. Grant access# 2. Log event# 3. Notify security team# 4. Create incident ticket# 5. Schedule rotation

# Verify installationwhich op# Should output: /usr/local/bin/op (or similar)# If not found, install:brew install 1password-cli  # macOS# or follow Linux installation steps above# Verify OpenClaw can find itopenclaw config test --integration onepassword

# Test token manuallyexport OP_SERVICE_ACCOUNT_TOKEN="ops_your_token"op vault list# Should list vaults. If error:# - Verify token is correct (copy-paste error?)# - Check token hasn't been revoked in 1Password settings# - Verify token has access to at least one vault# Update OpenClaw config with correct tokenvim ~/.openclaw/config.yaml# Update serviceAccountToken field# Restart OpenClawopenclaw gateway restart

# List accessible vaultsop vault list# Expected output:ID                            NAMEabcdef12-3456-7890-abcd      Developmentghijkl12-3456-7890-efgh      Staging# If vault missing:# 1. Go to 1Password.com# 2. Settings → Service Accounts# 3. Edit your service account# 4. Grant access to the vault# 5. Save# Update OpenClaw configvim ~/.openclaw/config.yaml# Update allowedVaults with exact vault names

# List items in vaultop item list --vault Production# Get item detailsop item get "Database Password" --vault Production# Check field namesop item get "Database Password" --vault Production --format json | jq '.fields'# Expected output:[  {    "id": "password",    "type": "concealed",    "label": "password",    "value": "..."  }]# Use exact names in OpenClaw@OpenClaw get password field from Database Password item in Production vault

# Test mapping manuallyop read "op://Production/PostgreSQL Production/password"# Should output the password. If error:# - Verify vault name exact (case-sensitive)# - Verify item name exact# - Verify field name exact# Check OpenClaw configvim ~/.openclaw/config.yamlintegrations:  onepassword:    envMapping:      DATABASE_PASSWORD:        vault: "Production"  # Exact name        item: "PostgreSQL Production"  # Exact name        field: "password"  # Exact field ID# Restart and testopenclaw gateway restart@OpenClaw load environment variables

# Verify write permissionsop item edit "Database Password" --vault Production password="test123"# If error: "insufficient permissions"# - Service account needs write access# - Update in 1Password settings# Check rotation workflowvim ~/.openclaw/config.yamlintegrations:  onepassword:    rotation:      # Add grace period      gracePeriod: "24 hours"  # Keep old credential active            # Test before deactivating      testRotation: true            # Rollback on failure      rollbackOnFailure: true# Manual rotation with testing@OpenClaw rotate database password with testing

# Create log directorysudo mkdir -p /var/log/openclawsudo chown $(whoami) /var/log/openclaw# Verify configvim ~/.openclaw/config.yamlintegrations:  onepassword:    audit:      enabled: true      logFile: "/var/log/openclaw/1password-audit.log"# Restart and testopenclaw gateway restart@OpenClaw get test secret from Development vault# Check logtail -f /var/log/openclaw/1password-audit.log# Should show:{"timestamp":"2026-04-10T14:23:45Z","event":"retrieve",...}

# Never commit tokens to gitecho "config.yaml" >> .gitignore# Use environment variablesexport OP_SERVICE_ACCOUNT_TOKEN="ops_..."# Or use a secrets managerexport OP_SERVICE_ACCOUNT_TOKEN=$(op read "op://Infrastructure/OpenClaw/token")# Or Kubernetes secretskubectl create secret generic openclaw-1password --from-literal=token="ops_..."

integrations:  onepassword:    # Only grant access to necessary vaults    allowedVaults:      - "Development"   # All engineers      - "Staging"       # Senior engineers        # Block sensitive vaults    blockedVaults:      - "Production"  # Requires approval      - "HR"      - "Finance"      - "Executive"

integrations:  onepassword:    audit:      enabled: true      logFile: "/var/log/openclaw/1password-audit.log"      redactValues: true  # Never log secrets

integrations:  onepassword:    vaultPermissions:      Production:        read: true        requireApproval: true        approvers:          - "security@company.com"          - "cto@company.com"        approvalTimeout: "15 minutes"

integrations:  onepassword:    monitoring:      enabled: true      alertOn:        - "high_frequency_access"  # >10 retrievals in 1 minute        - "unusual_hours"           # Access at 3 AM        - "new_ip_address"          # Access from unknown IP        - "failed_auth"             # Failed authentication attempts            notify:        slack: "#security-alerts"        email: "security@company.com"

integrations:  onepassword:    # Read-only by default    defaultPermissions:      read: true      write: false      rotate: false        # Explicit write permissions only when needed    vaultPermissions:      Staging:        rotate: true  # Can rotate staging credentials