docs: Update handover with session 4 and 1Password SA lessons

- Document service account read-only limitation
- Add session 4 log (1Password token update, task tracking)
- Track expired token fix in cto-executive-system#8

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-02-18 15:50:02 +01:00
parent 1c8ab5939e
commit dfaf019916
2 changed files with 38 additions and 5 deletions
+18
View File
@@ -160,3 +160,21 @@
1. **Simplest mirroring wins** -- Gitea pull mirror is one API call to set up, zero maintenance, and replaces two GitHub Actions workflows plus a monitoring check.
2. **Use `gh auth token` as GitHub token source** -- more reliable than maintaining a separate PAT in 1Password. The `gh` CLI handles token refresh automatically.
## Session: 2026-02-18 -- 1Password Service Account Limitations
### Technical Discoveries
1. **1Password service accounts are read-only by default**
- `op_zesticai_non_prod.sh` sources a SERVICE_ACCOUNT (type visible via `op whoami`)
- Service accounts can `op read` but `op item edit` fails with "Couldn't update the item"
- No specific error about permissions -- just a generic failure message
- Write access must be granted explicitly in 1Password admin settings per vault
### Pitfalls to Avoid
1. **Do not assume `op item edit` works with service accounts** -- test write access before building automation that depends on it. The error message gives no indication that it's a permissions issue.
### Best Practices Discovered
1. **Track infrastructure tasks in a central repo** -- Created issue in `AlexMikhalev/cto-executive-system` to track the token update. This prevents losing track of manual steps that couldn't be automated.