@sd0xdev sd0xdev commented Jan 30, 2026

Why

When running Moltbot/OpenClaw in the Cloudflare Sandbox container, users often want to use the 1Password CLI (op) inside the container to fetch/inject secrets non-interactively.

The op CLI expects a Service Account token in OP_SERVICE_ACCOUNT_TOKEN, but the worker currently does not forward this variable into the container process environment.

What

  • Add optional OP_SERVICE_ACCOUNT_TOKEN binding to the worker environment type.
  • Whitelist/forward OP_SERVICE_ACCOUNT_TOKEN into the gateway container process env (similar to other allowed vars).
  • Redact secrets when logging the generated config on startup to avoid leaking tokens/API keys in logs.
  • Add a unit test covering the new env forwarding.

Benefits

  • Enables secure, automated 1Password Service Account auth for op inside the container (no interactive signin).
  • Keeps security posture: token value is never logged; startup config logs are redacted.
  • Fully backwards compatible (optional env; no behavior change when unset).

How to use

wrangler secret put OP_SERVICE_ACCOUNT_TOKEN
wrangler deploy

- Add OP_SERVICE_ACCOUNT_TOKEN to MoltbotEnv and forward into container env whitelist
- Document optional OP token in README and dev vars example
- Redact secrets from start-moltbot.sh config logging
@sd0xdev sd0xdev changed the title from "Forward OP_SERVICE_ACCOUNT_TOKEN to container" to "feat: forward OP_SERVICE_ACCOUNT_TOKEN to container" on Jan 30, 2026
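
The allowlist forwarding and startup-log redaction described in the PR, sketched as an added example that is not the PR's or the project's code. `FORWARDED_VARS`, `EXAMPLE_API_KEY`, the helper names and all sample values are assumptions; only `OP_SERVICE_ACCOUNT_TOKEN` comes from the page.

```javascript
// Added example, not the project's code. FORWARDED_VARS, EXAMPLE_API_KEY and
// all sample values are assumptions; only OP_SERVICE_ACCOUNT_TOKEN is from the PR.
const FORWARDED_VARS = ["OP_SERVICE_ACCOUNT_TOKEN", "EXAMPLE_API_KEY"];

// Key names whose string values must never reach a log line.
const SECRET_KEY = /token|secret|password|api[_-]?key/i;

// Copy only allowlisted, non-empty string bindings into the container env.
// Unset optional bindings are skipped, so behaviour is unchanged without them.
function buildContainerEnv(workerEnv) {
  const out = {};
  for (const name of FORWARDED_VARS) {
    const value = workerEnv[name];
    if (typeof value === "string" && value.length > 0) out[name] = value;
  }
  return out;
}

// Return a redacted deep copy of `value`; the input is left untouched.
// A secret-looking key taints everything beneath it. Only strings are
// masked, so numeric settings such as maxTokens stay readable.
function redactForLog(value, secret = false) {
  if (Array.isArray(value)) return value.map((v) => redactForLog(v, secret));
  if (value !== null && typeof value === "object") {
    const copy = {};
    for (const [k, v] of Object.entries(value)) {
      copy[k] = redactForLog(v, secret || SECRET_KEY.test(k));
    }
    return copy;
  }
  return secret && typeof value === "string" && value !== "" ? "[REDACTED]" : value;
}

// Constructed sample input.
const workerEnv = {
  OP_SERVICE_ACCOUNT_TOKEN: "ops_constructed-sample-value",
  EXAMPLE_API_KEY: "sk-constructed-sample",
  UNRELATED_BINDING: "not-forwarded",
};
const startupConfig = {
  gateway: { port: 8080, maxTokens: 4096 },
  env: buildContainerEnv(workerEnv),
  providers: [{ name: "example", apiKey: "sk-constructed-sample" }],
};
console.log(JSON.stringify(redactForLog(startupConfig), null, 2));
```

Matching on key names over-redacts any string under a key that merely contains "token" or "secret", which is the safer failure direction for a startup log.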