Problems with op v2 when integrating with chezmoi

Chezmoi has merged a patch that handles issue 1, although it has not yet been released (the likely version is 2.15.0).

Issue 2 is still going to be a problem, although the documentation will be updated to point out this issue. This may be able to be resolved in code if we can figure out how to use op account list --format=json to map the accounts properly. The loss of the OP_SESSION_<shorthand> is fairly significant, though. It’d be nice if it could come back.

Please note that there is a difference in output for op account list --format=json depending on whether biometric authentication is enabled. IMO, this is a bug.

With biometric authentication enabled, the keys for the account list are url, email, and user_uuid. With biometric authentication disabled, a new key (shorthand) is now available. The lack of shorthand makes it harder to present a uniform data solution in chezmoi.

Most of the questions that are "within" my messages are detailed at https://github.com/twpayne/chezmoi/discussions/1974 and are specifically related to using 1Password with chezmoi, which is a dotfile management tool that can integrate with 1Password and other tools in order to retrieve secrets and documents so that they are not stored in your dotfile repository. Input from 1Password personnel on this discussion would be of great value.

An example of how this would be used would be something like this template where I fill my AWS credentials file from a combination of a static list in my chezmoi.toml configuration file and 1Password documents:

{{- range .aws.credentials }}
{{ if eq .type "1p" -}}
{{ printf "# aws-credentials: %v (from %v %v %v)" .name .type .account .vault }}

{{ onepasswordDocument (printf "aws-credentials: %v" .name) .vault .account }}
{{- end -}}
{{- end -}}

That would turn into something like {{ onepasswordDocument "aws-credentials: personal" "Personal" "myaccount" }}, which turns into an op command that looks like op document get 'aws-credentials: personal' --vault Personal --account myaccount. If I my account is actually named foobarbaz, but I had set the shorthand myaccount, I now have to change my configuration to either use foobarbaz or the UUID…if I’m using biometric authentication. Things get much harder if I’m not, because of the change to the OP_SESSION_* variables.

Now to address your responses:

1. I disagree with your reasoning on this. op signin <account-identifier> is much the same as op document get <document-identifier>, because op signin is using the first parameter. It would be better, IMO, to make it such that op signin works without an identifier (signing into the last used account?), with an identifier (signing into the named account), or with --account identifier. That is, if I have last signed into myaccount, then op signin, op signin myaccount, and op signin --account myaccount should all be equivalent.
2. Chezmoi reads from OP_SESSION_<shorthand> and has no way to look up OP_SESSION_<account_id>, so the change from OP_SESSION_<account_id> to OP_SESSION_<shorthand> is a breaking change, because the session can no longer be retrieved by the shorthand name which has been (optionally) used in the templates. This will force everyone to change their account identifier to the UUID. (The discussion mentioned at the top is a way that we can possibly work around this.)
3. No issues with the biometric item missing OP_SESSION_*. Everything just works.
4. The missing shorthand may be a breaking change for people who had different shorthands than their account names. Its presence would be ideal, and again this is discussed in depth in the Github discussion linked above.