fix(claude-env.sh): capture op stderr to surface actual 1P errors#12
Open
fix(claude-env.sh): capture op stderr to surface actual 1P errors#12
Conversation
Until now, when 1Password retrieval failed, users saw a generic:
ERROR: Failed to retrieve API key from 1Password
Warning: Could not retrieve Claude API key
…with no diagnostic info — `2>/dev/null` discarded op's actual error
message. Real-world causes the user couldn't distinguish from this:
- account mismatch (--account aproorg.1password.eu but signed into a
different account → "found no accounts for filter ...")
- expired op session (1Password app locked → "you are not signed in")
- wrong OP_ITEM shape (full field reference instead of op://Vault/Item
→ "could not find item")
- field name case mismatch (item has "API key" with lowercase k vs
the wrapper's hardcoded "API Key")
Each had identical symptoms. This change makes the error self-diagnose:
- Capture op's stderr to a temp file (mktemp) instead of discarding.
- Track each attempted path with the corresponding stderr lines.
- On final failure, print the full block: account, each path tried,
op's actual error per path, and a list of common remediations
(op signin, op item list, OP_ITEM shape rules, field-name case).
The temp file is reused (truncated with `: >`) between the project-key
lookup and the API-Key fallback so we get fresh stderr per attempt.
Verified with bogus values: the diagnostic block correctly surfaces
op's real error (e.g. 'error initializing client: found no accounts
for filter ...') making the cause obvious without further debugging.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
After PR #10 merged (active legacy-wrapper removal), some macOS users still see:
…even after manually removing legacy wrappers. The error has no diagnostic info —
op ... 2>/dev/nulldiscards op's actual error message, so we have to guess at the cause.What
Captures op's stderr to a temp file (mirror of PR #11 for PowerShell) and surfaces it in the failure block. Same pattern, parallel to the Windows fix.
Before
After
Verification
bash -n claude-env.sh)OP_ACCOUNTandOP_ITEM— diagnostic block correctly surfaces op's "found no accounts" errorWhat this is not
This doesn't fix any specific 1P retrieval bug — it makes all of them self-diagnose. After this lands, the next user to hit the issue will see exactly what op is complaining about (account mismatch / expired session / wrong path / field name), and can either fix their setup or paste the diagnostic block for a real fix.
🤖 Generated with Claude Code