From 8c48220a60cab0c1a5825cbdecf7bf10539b8ae0 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Wed, 7 Jan 2026 20:37:48 +0100 Subject: [PATCH] docs: require tmux for 1password skill --- skills/1password/SKILL.md | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/skills/1password/SKILL.md b/skills/1password/SKILL.md index 7aea6b8c1c6..7bac1be06b6 100644 --- a/skills/1password/SKILL.md +++ b/skills/1password/SKILL.md 
@@ -19,26 +19,29 @@ Follow the official CLI get-started steps. Don't guess install commands. 1. Check OS + shell. 2. Verify CLI present: `op --version`. 3. Confirm desktop app integration is enabled (per get-started) and the app is unlocked. -4. Sign in / authorize this terminal: `op signin` (expect an app prompt). -5. If multiple accounts: use `--account` or `OP_ACCOUNT`. -6. Verify access: `op whoami` or `op account list`. +4. REQUIRED: create a fresh tmux session for all `op` commands (no direct `op` calls outside tmux). +5. Sign in / authorize inside tmux: `op signin` (expect app prompt). +6. Verify access inside tmux: `op whoami` (must succeed before any secret read). +7. If multiple accounts: use `--account` or `OP_ACCOUNT`. -## Avoid repeated auth prompts (tmux) +## REQUIRED tmux session (T-Max) -The bash tool uses a fresh TTY per command, so app integration may prompt every time. To reuse authorization, run multiple `op` commands inside a single tmux session. +The shell tool uses a fresh TTY per command. To avoid re-prompts and failures, always run `op` inside a dedicated tmux session with a fresh socket/session name. -Example (see `tmux` skill for socket conventions): +Example (see `tmux` skill for socket conventions, do not reuse old session names): ```bash SOCKET_DIR="${CLAWDBOT_TMUX_SOCKET_DIR:-${TMPDIR:-/tmp}/clawdbot-tmux-sockets}" mkdir -p "$SOCKET_DIR" -SOCKET="$SOCKET_DIR/clawdbot.sock" -SESSION=op-auth +SOCKET="$SOCKET_DIR/clawdbot-op.sock" +SESSION="op-auth-$(date +%Y%m%d-%H%M%S)" tmux -S "$SOCKET" new -d -s "$SESSION" -n shell tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op signin --account my.1password.com" Enter +tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op whoami" Enter tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -- "op vault list" Enter tmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200 +tmux -S "$SOCKET" kill-session -t "$SESSION" ``` ## Guardrails 
@@ -46,4 +49,5 @@ tmux -S "$SOCKET" capture-pane -p -J -t "$SESSION":0.0 -S -200 - Never paste secrets into logs, chat, or code. - Prefer `op run` / `op inject` over writing secrets to disk. - If sign-in without app integration is needed, use `op account add`. -- If a command returns "account is not signed in", re-run `op signin` and authorize in the app. +- If a command returns "account is not signed in", re-run `op signin` inside tmux and authorize in the app. +- Do not run `op` outside tmux; stop and ask if tmux is unavailable.
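Review bot: In the first hunk (@@ -19,26 +19,29 @@), the example sends `op signin`, `op whoami` and `op vault list` back to back with `send-keys` and never waits for the app prompt or checks the `op whoami` result, so the new step 6 requirement ("must succeed before any secret read") is not enforced by the example itself. The added `kill-session` directly after `capture-pane` can also tear the session down before any of the queued commands has produced output. Suggest capturing the pane after `op whoami`, confirming it succeeded, and only then sending further `op` commands, with `kill-session` as the final step once output has been read. Separately, `mkdir -p "$SOCKET_DIR"` creates the socket directory under `${TMPDIR:-/tmp}` without setting or verifying its mode or owner; because the session behind that socket holds an authorized `op`, the doc should tell the reader to create the directory with mode 700 and confirm it is owned by the current user. The "(T-Max)" in the new heading is unexplained and could be dropped.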
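Review bot: In the second hunk (@@ -46,4 +49,5 @@), the reworded guardrail "re-run `op signin` inside tmux" does not say whether to reuse the current session or start a new one, while the section above says not to reuse old session names; state which is intended. With every `op` command now routed through tmux and read back with `capture-pane`, the guardrails should also say that captured pane output is subject to "Never paste secrets into logs, chat, or code", since the pane scrollback becomes the place where secret values would surface. The new last line could also mention cleaning up the session (the `kill-session` step from the example) when stopping because of a failure.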