From 57fd88b2698e87b5767d90c1a82151b1db87f446 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Fri, 22 May 2026 21:50:43 -0700
Subject: [PATCH] C0: fix op item edit syntax in zot key rotation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The pbpaste | op item edit ... "field[password]=-" stdin syntax is
rejected by op 2.34 as "invalid JSON" — recent op versions treat
piped input as a full JSON template, not a single field value.
Procedure now uses an inline assignment via a local fish variable.
---
 docs/changelog.d/+zot-ci-rotation-op-syntax.doc.md | 1 +
 docs/reference/services/zot.md                     | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 docs/changelog.d/+zot-ci-rotation-op-syntax.doc.md

diff --git a/docs/changelog.d/+zot-ci-rotation-op-syntax.doc.md b/docs/changelog.d/+zot-ci-rotation-op-syntax.doc.md
new file mode 100644
index 0000000..ec8834f
--- /dev/null
+++ b/docs/changelog.d/+zot-ci-rotation-op-syntax.doc.md
@@ -0,0 +1 @@
+Fixed the `op item edit` invocation in the [[zot]] API-key rotation procedure: the previous `pbpaste | op item edit ... "field[password]=-"` stdin syntax is rejected by op 2.34 as "invalid JSON" (recent op versions treat piped input as a full JSON template, not a single field value). Procedure now reads the clipboard into a local fish variable and passes it as an inline assignment.
diff --git a/docs/reference/services/zot.md b/docs/reference/services/zot.md
index d00a200..b01a6ce 100644
--- a/docs/reference/services/zot.md
+++ b/docs/reference/services/zot.md
@@ -56,8 +56,9 @@ The `zot-ci` API key expires every **90 days**. To rotate:
 5. Generate a new API key, copy it to clipboard
 6. Update 1Password:
    ```fish
-   pbpaste | op item edit "Forgejo Secrets" --vault blumeops "zot-ci-api[password]=-"
+   set -l NEWKEY (pbpaste); op item edit "Forgejo Secrets" --vault blumeops "zot-ci-api[password]=$NEWKEY"; set -e NEWKEY
    ```
+   The value is briefly visible to other `ps`-readers on this machine (single-user mac, acceptable tradeoff). The older `pbpaste | op item edit ... "field[password]=-"` stdin syntax was rejected by op 2.34 as "invalid JSON" — recent op versions treat piped input as a full JSON template.
 7. Sync to Forgejo: `mise run provision-indri -- --tags forgejo_actions_secrets`
 
 ## Related