Replace remaining op item get calls with op read

Migrate all remaining `op item get --fields` usage to `op read` URI
syntax across docs, READMEs, and YAML comments. Simplify the guidance
note in CLAUDE.md now that the migration is complete.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

CLAUDE.md

@@ -96,4 +96,4 @@ mise run blumeops-tasks  # fetch from Todoist, sorted by priority
 
 Root store is 1Password. Never grab directly - use existing patterns (ansible pre_tasks, external-secrets, scripts with `op` CLI). Warn user before any credential access.
 
-**`op read` vs `op item get`:** Always use `op read "op://vault/item/field"` to retrieve secret values. `op item get --fields` wraps multi-line values in quotes, corrupting them. Use `op item get` only for listing item metadata (title, vault, field names), never for reading actual secret values in scripts or IaC. Look for existing uses of `op item get --fields` in Ansible/scripts and suggest replacing with `op read`.
+Prefer `op read "op://vault/item/field"` over `op item get --fields` to avoid quoting issues with multi-line values.

argocd/apps/teslamate.yaml

@@ -8,8 +8,8 @@
 #   op inject -i argocd/manifests/teslamate/secret-db.yaml.tpl | kubectl apply -f -
 #
 # Then create the database:
-#   PGPASSWORD=$(op --vault blumeops item get <eblume-item-id> --fields password --reveal) \
-#     psql -h pg.tail8d86e.ts.net -U eblume -c "CREATE DATABASE teslamate OWNER teslamate;"
+#   PGPASSWORD=$(op read "op://blumeops/postgres/password") \
+#     psql -h pg.ops.eblu.me -U eblume -c "CREATE DATABASE teslamate OWNER teslamate;"
 #
 # After syncing, access the TeslaMate UI at https://tesla.tail8d86e.ts.net to complete
 # Tesla API authentication via OAuth flow.

argocd/manifests/databases/README.md

@@ -54,7 +54,7 @@ After the cluster is healthy:
 psql -h k8s-pg.tail8d86e.ts.net -U eblume -W -d miniflux
 
 # Or with password from 1Password
-PGPASSWORD=$(op --vault blumeops item get guxu3j7ajhjyey6xxl2ovsl2ui --fields password --reveal) \
+PGPASSWORD=$(op read "op://blumeops/guxu3j7ajhjyey6xxl2ovsl2ui/password") \
   psql -h k8s-pg.tail8d86e.ts.net -U eblume -d miniflux
 
 # Get miniflux app credentials (for applications)
@@ -73,7 +73,7 @@ Alternative if Tailscale service is unavailable:
 kubectl -n databases port-forward svc/blumeops-pg-rw 5432:5432
 
 # Terminal 2: Connect as eblume
-PGPASSWORD=$(op --vault blumeops item get guxu3j7ajhjyey6xxl2ovsl2ui --fields password --reveal) \
+PGPASSWORD=$(op read "op://blumeops/guxu3j7ajhjyey6xxl2ovsl2ui/password") \
   psql -h localhost -U eblume -d miniflux
 ```
 

argocd/manifests/teslamate/README.md

@@ -36,8 +36,8 @@ op inject -i argocd/manifests/teslamate/secret-db.yaml.tpl | kubectl apply -f -
 After the teslamate user exists in PostgreSQL (sync blumeops-pg first):
 
 ```bash
-PGPASSWORD=$(op --vault blumeops item get <eblume-item-id> --fields password --reveal) \
-  psql -h pg.tail8d86e.ts.net -U eblume -c "CREATE DATABASE teslamate OWNER teslamate;"
+PGPASSWORD=$(op read "op://blumeops/postgres/password") \
+  psql -h pg.ops.eblu.me -U eblume -c "CREATE DATABASE teslamate OWNER teslamate;"
 ```
 
 ## Deployment

docs/how-to/gandi-operations.md

@@ -32,7 +32,7 @@ Both tasks fetch the Gandi PAT from 1Password automatically.
 To run Pulumi directly:
 
 ```bash
-export GANDI_PERSONAL_ACCESS_TOKEN=$(op item get mco6ka3dc3rmw7zkg2dhia5d2m --field pat --reveal --vault vg6xf6vvfmoh5hqjjhlhbeoaie)
+export GANDI_PERSONAL_ACCESS_TOKEN=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/mco6ka3dc3rmw7zkg2dhia5d2m/pat")
 cd pulumi/gandi
 pulumi preview
 pulumi up --yes

docs/how-to/troubleshooting.md

@@ -69,7 +69,7 @@ kubectl --context=minikube-indri -n <namespace> get pods --field-selector=status
 
 **ArgoCD login expired:**
 ```bash
-argocd login argocd.ops.eblu.me --username admin --password "$(op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get srogeebssulhtb6tnqd7ls6qey --fields password --reveal)"
+argocd login argocd.ops.eblu.me --username admin --password "$(op read 'op://vg6xf6vvfmoh5hqjjhlhbeoaie/srogeebssulhtb6tnqd7ls6qey/password')"
 ```
 
 ### kubectl connection refused

pulumi/gandi/README.md

@@ -70,7 +70,7 @@ mise run dns-preview   # Preview only
 Or manually:
 
 ```bash
-export GANDI_PERSONAL_ACCESS_TOKEN=$(op item get mco6ka3dc3rmw7zkg2dhia5d2m --field pat --reveal --vault vg6xf6vvfmoh5hqjjhlhbeoaie)
+export GANDI_PERSONAL_ACCESS_TOKEN=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/mco6ka3dc3rmw7zkg2dhia5d2m/pat")
 pulumi up
 ```