1Password

Purpose

Canonical credential vault for all API keys, tokens, and secrets used across the eco|monetize™ operating system. Primary secret store with CLI integration (op command-line tool) so scripts can resolve secrets at runtime without hardcoding them.

What runs on it

  • Production scripts (monday_sync.py, subscription pollers, content publisher, etc.) resolve API keys via the op CLI
  • op_cache.py (at ~/.ecomonetize/scripts/op_cache.py) — shared Python utility for cached secret lookups
  • op-env.sh (at ~/.ecomonetize/scripts/op-env.sh) — shell env setup for 1Password CLI
  • refresh-credential-cache.sh — scheduled cache refresh job
  • Agent authentication — API keys for Apollo, Make.com, AWS, Azure, GCP, Anthropic, OpenAI, OpenRouter, Slack, Monday.com, Airtable, etc.

Architecture decisions

  • All hardcoded creds were removed from scripts/docs during the 2026-02 1Password setup sprint (per Jordan's memory project_1password_setup.md — COMPLETE)
  • CLI-first integration — agents resolve secrets via op commands, not via hardcoded values
  • 4 vaults, 44 items — full inventory in the 1Password account

Cost posture

Paid subscription. Billing owner: CEO. Cost tier: standard team plan (specifics TBD).

Credentials & access

The account itself is secured with a master password held by Rick. Agents access the vault via the op CLI, which uses device-level authentication. Secrets are resolved on demand and cached briefly via op_cache.py to reduce API calls.
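
The lookup-and-cache pattern described above, as an added example (this is not the contents of the real op_cache.py). The class and function names, the 300-second TTL and the in-memory-only storage are assumptions; the only CLI call used is `op read` with an `op://` secret reference.

```python
import subprocess
import time


def op_read(ref: str) -> str:
    """Resolve one secret reference with `op read` (argv list, no shell)."""
    if not ref.startswith("op://"):
        raise ValueError("expected an op:// secret reference")
    proc = subprocess.run(["op", "read", ref], capture_output=True,
                          text=True, timeout=15)
    if proc.returncode != 0:
        # Surface op's error text only; stdout (the secret) is never logged.
        raise RuntimeError(f"op read failed: {proc.stderr.strip()}")
    return proc.stdout.rstrip("\n")


class SecretCache:
    """Assumed design: in-memory only, entries expire after ttl seconds."""

    def __init__(self, ttl=300.0, resolver=op_read, clock=time.monotonic):
        self._ttl, self._resolver, self._clock = ttl, resolver, clock
        self._entries = {}  # ref -> (expires_at, value)

    def get(self, ref: str) -> str:
        now = self._clock()
        hit = self._entries.get(ref)
        if hit and hit[0] > now:
            return hit[1]
        self._entries.pop(ref, None)   # drop the stale value before re-resolving
        value = self._resolver(ref)    # failure propagates; no stale fallback
        self._entries[ref] = (now + self._ttl, value)
        return value

    def invalidate(self, ref=None):
        """Call after rotating a credential so the old value is not reused."""
        if ref is None:
            self._entries.clear()
        else:
            self._entries.pop(ref, None)

    def __repr__(self):
        # Never expose cached values through repr or logging.
        return f"<SecretCache entries={len(self._entries)} ttl={self._ttl}s>"
```

Keeping the TTL short and calling `invalidate()` as part of any rotation bounds how long a revoked key can keep being served from the cache.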

Backup & disaster recovery

1Password provides its own backup and recovery — vaults sync across devices, and the company has account recovery workflows. No local backup responsibility beyond the Rick-held master password.

Owner

security.ops — as the v1.2 security + credentials owner. security.ops absorbed the former compliance.ops role. Escalates to COO on credential rotation and compliance audit work.

  • [[security.ops]] — primary owner
  • [[coo]] — executive sponsor
  • ~/.ecomonetize/scripts/op_cache.py — shared secret lookup utility
  • ~/.ecomonetize/scripts/op-env.sh — shell env setup
  • ~/.ecomonetize/scripts/refresh-credential-cache.sh — cache refresh automation
  • All scripts that resolve API keys at runtime

Notes

  • 4 vaults, 44 items per 2026-03 setup
  • Outstanding follow-ups from the 1Password setup: rotate old PATs, delete plaintext token files (most done), update monday sync scripts (Dave/Jordan historically owned this)
  • 1Password CLI (op) is the primary integration surface — prefer it over manual copy-paste of secrets