Safe

1Password Connector

Use 1Password as the source of truth while keeping Cuitty Safe references stable.

1Password Connector

The 1Password connector is a pass-through provider. Cuitty Safe stores the Safe index and mapping metadata; 1Password stores the secret value.

Mapping model

acme/dev/database-url -> op://Development/Database/url

The Cuitty reference remains account/safe/secret. Vault names, item titles, field names, and stable 1Password object IDs belong in connector metadata.

Auth modes

ModeUse case
Desktop appLocal development and desktop UI flows with human approval
Service accountCI/CD, headless workers, and automation with scoped vault access
1Password ConnectSelf-hosted deployments that already run Connect and want cached private REST access

Service account auth should load from OP_SERVICE_ACCOUNT_TOKEN unless configured otherwise. Do not ask users to paste a 1Password account password into Cuitty Safe.

Setup sketch

cuitty-safe connector 1password login --account acme
cuitty-safe connector 1password map acme/dev/database-url --op-ref op://Development/Database/url
cuitty-safe connector 1password map acme/ci/github-token --op-ref op://CI/GitHub/token
cuitty-safe connector 1password test --scope acme/dev

The op://... examples above are references, not values.

Least privilege

Marketplace status

The first milestone is a product connector. A 1Password Marketplace listing is a separate partner-readiness track with its own review, docs, support link, logo, and security checklist.