Forum Discussion
perhlom
3 years ago, New Contributor
CLI keeps prompting for authentication
Hi,
I'm trying to come up with the best way to use the CLI to load secrets into some dev/deploy scripts, and I can't figure out how to avoid 1Password prompting for authentication incessantly. I w...
perhlom
3 years ago, New Contributor
It strikes me that you should be able to both do Windows Hello and a token at the same time. I saw in another forum discussion that you considered them mutually exclusive, but I don't understand why.
The Git Bash code would then say "export OP_TOKEN=$(op signin --raw)". When you receive this, you BOTH authenticate via Windows Hello, AND you return a code, which then becomes available to child processes of Git Bash. The parent process would already be authenticated with Windows Hello. Child processes would then run commands with --session $OP_TOKEN.
Currently, the only way to do this is to disable the CLI integration, forcing you to type the full password all the time, which incentivizes short passwords.
Secondly, I find that "op run" isn't viable when you have multiple vaults, some of which may not be available for all users. "Op run" stops on the first failure, which is expected for a user without deployment privileges. If you had a --ignore-errors, you would allow just loading the credentials that can be loaded for that user. The rest just wouldn't be loaded, causing later build scripts or CI to fail, which is desired and expected behavior. Build scripts already have error paths, and missing credentials are usually easy to debug. So you just have to ignore the errors and everything works out.
So this is forcing me into making my own reader that doesn't stop on errors. I'm reading items as JSON, iterating values and turning them into exported environment variables. I'd much rather use your substitution methods, but it just can't be done if any vault is missing. I've spent all day trying to cook up a workaround, and the only thing I can do is a bit of a behemoth of doing all the reading and exporting myself.
An --ignore-errors flag would be the magic sauce.
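A sketch of the kind of error-tolerant loader the post above describes, added here as an illustration; it is not the poster's script and not 1Password's code. It assumes an env file of `NAME=op://vault/item/field` lines resolved one at a time with `op read`; the names `load_secrets`, `SECRET_READER`, `LOADED` and `SKIPPED` are hypothetical.

```shell
#!/bin/sh
# Added example. Source this file so the exports land in the calling shell:
#   . ./load_secrets.sh && load_secrets secrets.env
# SECRET_READER is a hypothetical hook: the command used to resolve one
# reference. It defaults to the real CLI call `op read <reference>`.
SECRET_READER=${SECRET_READER:-op read}

# load_secrets FILE
# Exports every NAME=op://... line that resolves and skips the ones that
# do not (for example a vault this user cannot see). Secret values are
# never echoed and never passed through eval.
# Results: LOADED and SKIPPED hold space-separated variable names.
load_secrets() {
  local file line name ref value
  file=$1
  LOADED=""
  SKIPPED=""
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac   # blank lines and comments
    name=${line%%=*}
    ref=${line#*=}
    # Accept only plain shell variable names, so a hostile or mistyped
    # env file cannot smuggle anything else into `export`.
    case $name in
      ''|[0-9]*|*[!A-Za-z0-9_]*)
        echo "load_secrets: ignoring malformed name" >&2
        continue ;;
    esac
    case $ref in
      op://*) ;;
      *) echo "load_secrets: $name is not an op:// reference" >&2
         continue ;;
    esac
    # A failed or empty read is treated as "not available to this user".
    if value=$($SECRET_READER "$ref" 2>/dev/null) && [ -n "$value" ]; then
      export "$name=$value"
      LOADED="${LOADED:+$LOADED }$name"
    else
      unset "$name"   # do not leave a stale value from an earlier run
      SKIPPED="${SKIPPED:+$SKIPPED }$name"
    fi
  done < "$file"
  return 0
}
```

Printing `$SKIPPED` after the call gives later build steps a list of what is missing without exposing any value.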