@IlyaGulya
Created February 10, 2026 08:31
Claude Code: 1Password CLI + macOS Keychain secret storage
{
  "hooks": {
    "SessionStart": [
      {
        "matcher": "",
        "hooks": [
          {
            "type": "command",
            "command": ".claude/hooks/cache-loki-password.sh",
            "timeout": 30000
          }
        ]
      }
    ]
  }
}
#!/bin/bash
# SessionStart hook: cache the Loki password from 1Password in the macOS Keychain.
# Touch ID is needed only when the Keychain entry is missing. All logcli calls read from Keychain instantly.

KEYCHAIN_SERVICE="some-service-loki-password"

# Check if already cached in Keychain
if security find-generic-password -a "$USER" -s "$KEYCHAIN_SERVICE" -w &>/dev/null; then
  cat <<'EOF'
{
  "hookSpecificOutput": { "hookEventName": "SessionStart" },
  "systemMessage": "Loki password loaded from Keychain"
}
EOF
  exit 0
fi

# Not in Keychain: fetch from 1Password
if ! command -v op &>/dev/null; then
  cat <<'EOF'
{
  "hookSpecificOutput": { "hookEventName": "SessionStart" },
  "systemMessage": "WARNING: 1Password CLI (op) is not installed and Loki password is not in Keychain. Install with: brew install 1password-cli"
}
EOF
  exit 0
fi

PASSWORD=$(op read 'op://53tfffjfzb67nmifffyovg37m/tmqv4kffffffqjzlxgy3bume/devpl-0' 2>/dev/null)
if [ -z "$PASSWORD" ]; then
  cat <<'EOF'
{
  "hookSpecificOutput": { "hookEventName": "SessionStart" },
  "systemMessage": "WARNING: Failed to read Loki password from 1Password. Try: op signin"
}
EOF
  exit 0
fi

# Store in Keychain and report success only if the write succeeded.
# Note: -w "$PASSWORD" places the secret on the security command line for the duration of the call.
if ! security add-generic-password -a "$USER" -s "$KEYCHAIN_SERVICE" -w "$PASSWORD" -U 2>/dev/null; then
  cat <<'EOF'
{
  "hookSpecificOutput": { "hookEventName": "SessionStart" },
  "systemMessage": "WARNING: Failed to store Loki password in Keychain"
}
EOF
  exit 0
fi

cat <<'EOF'
{
  "hookSpecificOutput": { "hookEventName": "SessionStart" },
  "systemMessage": "Loki password fetched from 1Password and cached in Keychain"
}
EOF
exit 0
description: Query service logs from Loki using logcli
allowed-tools: Bash(logcli *)
argument-hint: [ --env=dev|prod ] [ filter description ]

Query Logs

Query service logs from Loki using logcli.

Environment Selection

  • --env=dev (default): Development platform logs
  • --env=prod: Production platform logs

Authentication

The password is cached in the macOS Keychain (service: some-service-loki-password). The SessionStart hook populates it from 1Password on first run, which takes one Touch ID prompt.

To refresh manually, use /service:logs:refresh.

Base Command

Dev Environment

logcli query '{service_name="some-service"}' \
  --addr="https://loki.some-service.dev" \
  --username="user" \
  --password="$(security find-generic-password -a "$USER" -s some-service-loki-password -w)" \
  --org-id="common" \
  --limit=100 \
  --since=1h

Prod Environment

logcli query '{service_name="some-service"}' \
  --addr="https://loki.some-service.dev" \
  --username="user" \
  --password="$(security find-generic-password -a "$USER" -s some-service-loki-password -w)" \
  --org-id="common" \
  --limit=100 \
  --since=1h
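
An alternative way to run the base command, as an added example that is not part of the original gist: a wrapper that stops when the Keychain entry is missing and hands the password to logcli through the LOKI_PASSWORD environment variable instead of --password, so the secret stays out of the process argument list. The function name loki_query is hypothetical; the address, username, org-id and Keychain service name are the ones used above.

```bash
#!/bin/bash
# Added example, not the gist author's code.
# Assumption: loki_query is a hypothetical helper name. The Keychain service,
# address, username and org-id are the values shown on this page.

KEYCHAIN_SERVICE="some-service-loki-password"

loki_query() {
  local pw

  # Read the secret first. An inline --password="$(security ...)" would pass
  # an empty password when the entry is missing; here the query is refused.
  pw=$(security find-generic-password -a "$USER" -s "$KEYCHAIN_SERVICE" -w 2>/dev/null) || pw=""
  if [ -z "$pw" ]; then
    echo "Loki password not in Keychain; run /service:logs:refresh" >&2
    return 1
  fi

  # logcli accepts the password from LOKI_PASSWORD. The prefix assignment
  # scopes the variable to this one invocation and keeps the secret out of
  # the arguments that process listings show.
  LOKI_PASSWORD="$pw" logcli query "$@" \
    --addr="https://loki.some-service.dev" \
    --username="user" \
    --org-id="common"
}

# Usage (same selector and options as the base command):
#   loki_query '{service_name="some-service"}' --limit=100 --since=1h
```
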

Time Options

Option                                                      Description
--since=15m                                                 Last 15 minutes
--since=1h                                                  Last hour
--since=6h                                                  Last 6 hours
--since=24h                                                 Last 24 hours
--from="2025-02-05T10:00:00Z" --to="2025-02-05T12:00:00Z"   Absolute range

Output Options

Option           Description
--output=raw     Log lines only (no timestamps/labels)
--output=jsonl   JSON format
--quiet          Suppress metadata
--limit=N        Max entries (0 = unlimited)

LogQL Filter Syntax

Operator   Description    Example
|=         Contains       |= "error"
|~         Regex match    |~ "error|warning"
!=         Not contains   != "debug"
!~         Not regex      !~ "health"

Related Skills

  • /service:logs:setup - Install and configure logcli
description: Refresh Loki password in macOS Keychain from 1Password
allowed-tools: Bash(op read *, security add-generic-password *, security delete-generic-password *)
argument-hint:

Refresh Loki Password

Re-fetch the Loki password from 1Password and update the macOS Keychain. Use this when the password has changed or the Keychain entry is missing.

Steps

  1. Delete existing Keychain entry (if any)
  2. Fetch password from 1Password via op read (Touch ID required)
  3. Store in Keychain
security delete-generic-password -a "$USER" -s "some-service-loki-password" 2>/dev/null; \
PASSWORD=$(op read 'op://53tfffjfzb67nmifffyovg37m/tmqv4kffffffqjzlxgy3bume/devpl-0') && \
security add-generic-password -a "$USER" -s "some-service-loki-password" -w "$PASSWORD" -U && \
echo "Loki password refreshed in Keychain"