op:// backend for hasp.
Grammar:
- 3-segment form op://vault/item/field for get/put/delete/exists. All three segments non-empty; no query parameters.
- Vault-only form op://vault for list. Host only, no path.
Supported operations: get, put, list, delete, exists.
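A sketch of a validator for the grammar above, pairing each URL form with the operations that accept it. This is an added example, not hasp's own code; Op, OpRef, ParseError and parse_op_url are hypothetical names, and the URLs in main are constructed.

```rust
// Added example; Op, OpRef, ParseError and parse_op_url are hypothetical names.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Op { Get, Put, List, Delete, Exists }

#[derive(Debug, PartialEq)]
pub enum OpRef {
    Vault { vault: String },                              // op://vault
    Field { vault: String, item: String, field: String }, // op://vault/item/field
}

#[derive(Debug, PartialEq)]
pub enum ParseError { BadScheme, QueryNotAllowed, EmptySegment, SegmentCount, WrongFormForOp }

pub fn parse_op_url(url: &str, op: Op) -> Result<OpRef, ParseError> {
    let rest = url.strip_prefix("op://").ok_or(ParseError::BadScheme)?;
    // The grammar has no query parameters, so reject them outright.
    if rest.contains('?') {
        return Err(ParseError::QueryNotAllowed);
    }
    let segs: Vec<&str> = rest.split('/').collect();
    // Catches "op://", "op://vault/" and "op://vault//field".
    if segs.iter().any(|s| s.is_empty()) {
        return Err(ParseError::EmptySegment);
    }
    match (segs.as_slice(), op) {
        // Vault-only form is valid for list and nothing else.
        ([vault], Op::List) => Ok(OpRef::Vault { vault: vault.to_string() }),
        // 3-segment form is valid for get/put/delete/exists.
        ([vault, item, field], Op::Get | Op::Put | Op::Delete | Op::Exists) => Ok(OpRef::Field {
            vault: vault.to_string(),
            item: item.to_string(),
            field: field.to_string(),
        }),
        // Right shape, wrong operation (e.g. list on a field URL).
        ([_], _) | ([_, _, _], _) => Err(ParseError::WrongFormForOp),
        _ => Err(ParseError::SegmentCount),
    }
}

fn main() {
    // Constructed sample inputs.
    for (url, op) in [("op://prod/db/password", Op::Get), ("op://prod", Op::List),
                      ("op://prod/db/password?attribute=otp", Op::Get), ("op://prod/db", Op::Get)] {
        println!("{url} {op:?} -> {:?}", parse_op_url(url, op));
    }
}
```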
put issues op item edit and falls back to op item create on
NotFound. delete removes the entire item; the URL’s field
segment is ignored on delete. list emits Entry URLs keyed by
the item UUID when op item list --format=json carries id.
PermissionDenied is unreachable from op read because 1Password’s
server returns 404 for both missing and no-permission cases (deliberate
authorization-aware design preventing existence oracles). These map to
NotFound.
Authentication is ambient only (no auth-bootstrap flows):
OP_SERVICE_ACCOUNT_TOKEN, OP_SESSION_*, or OP_CONNECT_TOKEN +
OP_CONNECT_HOST. If none are present, every operation fails fast with
AuthenticationFailed before spawning the op binary, preventing
indefinite hangs in headless contexts.
Every op subprocess invocation carries a wall-clock timeout (15s for
get, 10s for exists) because op has no --no-prompt flag — the
only mitigation against biometric or desktop-app hangs.
Connect HTTP backend mode is deferred. It would recover 401/403/404 distinction but requires name-to-UUID resolution and a separate feature gate. Service-account direct HTTP is not technically feasible without reverse-engineering 1Password’s SRP handshake.