Skip to content

[DRAFT] feat(plugin) : Add Apono plugin#625

Draft
rr3khan wants to merge 5 commits into
1Password:mainfrom
rr3khan:rr3khan/add-apono-plugin
Draft

[DRAFT] feat(plugin) : Add Apono plugin#625
rr3khan wants to merge 5 commits into
1Password:mainfrom
rr3khan:rr3khan/add-apono-plugin

Conversation

@rr3khan

@rr3khan rr3khan commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Overview

Adds a shell plugin for the Apono CLI (apono), which requests and receives just-in-time access to services, databases, and applications.

Apono personal API tokens are created in the Apono web UI (Settings → Personal API Token) and are long-lived bearer credentials, so they're a good fit for 1Password storage. This plugin:

  • Stores the Personal API Token credential in 1Password (credname.PersonalAPIToken, single Token field).
  • Provisions it as the --personal-token flag of apono login via a custom arg provisioner, scoped with needsauth.ForCommand("login").
  • Imports existing tokens from the CLI's config.json (~/Library/Application Support/apono-cli/config.json on macOS, ~/.config/apono-cli/config.json on Linux), one candidate per profile that has a personal_token set, skipping OAuth-only profiles.

Why the provisioner targets apono login instead of environment variables

The Apono CLI currently reads no credentials from environment variables and has no per-command token flag — the only token injection point is apono login --personal-token <TOKEN>, which validates the token and persists it to the CLI's own config.json. This plugin therefore keeps the token out of shell history and clipboards and enables 1Password import/storage, but after login the CLI still stores the token on disk by its own design.

apono-io/apono-cli#116 (draft) adds APONO_PERSONAL_TOKEN support to the CLI. Once that ships, this plugin can switch to a standard provision.EnvVars provisioner covering every apono command per-invocation, with nothing written to disk. Happy to do that as a follow-up here.

ManagementURL is intentionally omitted for now; will add the exact settings-page URL once confirmed.

Type of change

  • Created a new plugin
  • Improved an existing plugin
  • Fixed a bug in an existing plugin
  • Improved contributor utilities or experience

Related Issue(s)

How To Test

  1. Create a personal API token in the Apono web UI (Settings → Personal API Token).
  2. make apono/build && op plugin init apono and save the token as a Personal API Token item.
  3. Run apono login — the token should be injected as --personal-token and the CLI should create a profile without opening a browser.
  4. Run apono access list to confirm the authenticated session works.
  5. Importer: with an existing config.json containing a personal_token, op plugin init apono should offer to import it.

Unit tests: go test ./plugins/apono/...; schema: make apono/validate (all checks pass; single warning for the omitted management URL).

Changelog

Authenticate the Apono CLI using Touch ID and other unlock options with 1Password Shell Plugins.

@rr3khan rr3khan changed the title Rr3khan/add apono plugin feat(plugin) : Add apono plugin Jul 16, 2026
@rr3khan rr3khan changed the title feat(plugin) : Add apono plugin [DRAFT] feat(plugin) : Add apono plugin Jul 16, 2026
@rr3khan rr3khan changed the title [DRAFT] feat(plugin) : Add apono plugin [DRAFT] feat(plugin) : Add Apono plugin Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant