From a680787bfc783fcbf9fecc8d5af36f8d0224bf86 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Tue, 10 Feb 2026 13:09:20 -0800 Subject: [PATCH] Document op read vs op item get convention op item get --fields wraps multi-line values in quotes, corrupting them. Use op read for retrieving secret values in scripts and IaC. Also fixes the argocd login example in CLAUDE.md. Co-Authored-By: Claude Opus 4.6 --- CLAUDE.md | 4 +++- docs/changelog.d/docs-op-read-convention.doc.md | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 docs/changelog.d/docs-op-read-convention.doc.md diff --git a/CLAUDE.md b/CLAUDE.md index 60c32b4..9390944 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -53,7 +53,7 @@ Most services run in minikube on indri via ArgoCD (app-of-apps, manual sync). **Commands:** `argocd app list|get|diff|sync ` -**Login:** `argocd login argocd.ops.eblu.me --username admin --password "$(op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get srogeebssulhtb6tnqd7ls6qey --fields password --reveal)"` +**Login:** `argocd login argocd.ops.eblu.me --username admin --password "$(op read 'op://vg6xf6vvfmoh5hqjjhlhbeoaie/srogeebssulhtb6tnqd7ls6qey/password')"` ### Indri (Ansible) @@ -95,3 +95,5 @@ mise run blumeops-tasks # fetch from Todoist, sorted by priority ## Credentials Root store is 1Password. Never grab directly - use existing patterns (ansible pre_tasks, external-secrets, scripts with `op` CLI). Warn user before any credential access. + +**`op read` vs `op item get`:** Always use `op read "op://vault/item/field"` to retrieve secret values. `op item get --fields` wraps multi-line values in quotes, corrupting them. Use `op item get` only for listing item metadata (title, vault, field names), never for reading actual secret values in scripts or IaC. Look for existing uses of `op item get --fields` in Ansible/scripts and suggest replacing with `op read`. 
diff --git a/docs/changelog.d/docs-op-read-convention.doc.md b/docs/changelog.d/docs-op-read-convention.doc.md new file mode 100644 index 0000000..b343479 --- /dev/null +++ b/docs/changelog.d/docs-op-read-convention.doc.md @@ -0,0 +1 @@ +Document `op read` vs `op item get` convention for 1Password secret retrieval
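Review bot: In CLAUDE.md, hunk `@@ -53,7 +53,7`, the new **Login** line still hands the secret over as `--password "$(op read ...)"`, so the shell expands the password into the `argocd` command line, where it can show up in the process argument list for as long as the command runs. Switching to `op read` changes how the value is retrieved, not how it is passed on. Consider stating that limitation next to the example, or documenting a login path that keeps the password out of argv.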
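Review bot: In CLAUDE.md, hunk `@@ -95,3 +95,5`, the last sentence of the added paragraph ("Look for existing uses of `op item get --fields` in Ansible/scripts and suggest replacing with `op read`") is an open-ended cleanup task placed inside a convention statement, and it does not say how it interacts with the rule two lines above, "Warn user before any credential access". Suggest making explicit that searching for and proposing replacements is fine but that running `op read` to check a replacement still requires the warning. The quoting also differs between this paragraph (`op read "op://vault/item/field"`) and the Login example (`op read 'op://...'`); using one style in both places would make the convention easier to copy.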
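Review bot: In docs/changelog.d/docs-op-read-convention.doc.md, the single added line records only the `op read` vs `op item get` convention, while the commit message also says the change "fixes the argocd login example in CLAUDE.md". If the changelog is meant to cover user-visible documentation changes, mention the corrected login example in this entry as well so the two descriptions agree.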