Travel Credential Cache¶
Pre-travel preparation script that ensures all background services can operate without Touch ID while the CEO is away from the Mac.
Problem it solves¶
40 launchd background services (com.ecomonetize.*) depend on API keys and secrets stored in 1Password. The credential cache system (refresh-credential-cache.sh) pulls these into local files so scripts can read them without 1Password being unlocked. But the cache refresh itself requires Touch ID via the 1Password CLI (op). If the CEO is traveling and the cache expires or was never populated, background services silently fail — dashboards don't update, syncs stop, monitors go dark.
What it does¶
- Checks 1Password CLI status — verifies
opis installed and signed in. If not signed in, prompts for signin (Touch ID required — must run interactively). - Refreshes the credential cache — calls
refresh-credential-cache.shto pull ~45 secrets from 1Password vaults (Production, Development, Infrastructure) into~/.ecomonetize/credential-cache/as individual files (chmod 600). - Verifies cache completeness — checks every cached file for: exists, non-empty, not stale (>24 hours old). Reports pass/fail/warn per credential.
- Tests key service credentials — spot-checks the most critical cached keys (Monday.com, Supabase, GitHub, Gemini, OpenAI, Apollo, Make.com, Deepgram, AWS).
- Reports launchd agent status — counts running, idle, and errored background services so you know if anything is already broken before you leave.
- Prints a travel readiness summary — green/red overall status with specific action items if anything needs fixing.
Usage¶
# Full refresh + verification (run before traveling)
~/.ecomonetize/scripts/travel-credential-cache.sh
# Check-only mode (verify cache without refreshing — no Touch ID needed)
~/.ecomonetize/scripts/travel-credential-cache.sh --check
When to run¶
- Before any trip where you'll be away from the Mac for 24+ hours
- Before any extended overnight work session where agents run unattended
- After a Mac restart — the credential cache survives restarts, but
op signindoes not. Run the script after rebooting to re-authenticate the CLI and refresh the cache. - If dashboards or syncs stop updating — run
--checkfirst to see if stale credentials are the cause
Prerequisites¶
- 1Password app must be open and unlocked
- 1Password CLI (
op) installed (brew install 1password-cli) - 1Password Settings → Developer → "Integrate with 1Password CLI" must be ON
- Must run from an interactive terminal (Touch ID prompt cannot be relayed through Claude Code or non-interactive shells)
Known non-critical failures¶
These credentials are expected to fail and are not blocking:
| Credential | Reason |
|---|---|
| openrouter-council-key | Vault item may be renamed or removed |
| openrouter-ops-tools | Same |
| openrouter-cost-tools | Same |
| azure-teams-client-id | Azure Teams integration not active |
| azure-teams-client-secret | Same |
| azure-teams-tenant-id | Same |
A successful run with 39/45 cached credentials (6 non-critical failures) is normal and travel-ready.
Related scripts¶
refresh-credential-cache.sh— the underlying cache refresh (called by this script)credential-cachelaunchd agent — runs at boot, retries every 5 min if 1Password is locked (this is what causes the repeated Touch ID prompts)
File locations¶
| Item | Path |
|---|---|
| This script | ~/.ecomonetize/scripts/travel-credential-cache.sh |
| Cache refresh script | ~/.ecomonetize/scripts/refresh-credential-cache.sh |
| Cached credentials | ~/.ecomonetize/credential-cache/ (chmod 700) |
| Launchd agent (boot trigger) | ~/Library/LaunchAgents/com.ecomonetize.credential-cache.plist |
| Refresh log | /tmp/credential-cache-refresh.log |
| Travel script log | /tmp/travel-credential-cache.log |