cloudflare · sd0xdev · Jan 30, 2026 · Jan 30, 2026
diff --git a/.dev.vars.example b/.dev.vars.example
@@ -24,3 +24,6 @@ MOLTBOT_GATEWAY_TOKEN=dev-token-change-in-prod
 # CDP (Chrome DevTools Protocol) configuration for browser automation
 # CDP_SECRET=shared-secret-for-cdp-auth
 # WORKER_URL=https://your-worker.example.com
+
+# 1Password Service Account auth (optional)
+# OP_SERVICE_ACCOUNT_TOKEN=ops_...
diff --git a/README.md b/README.md
@@ -381,6 +381,7 @@ The `AI_GATEWAY_*` variables take precedence over `ANTHROPIC_*` if both are set.
 | `SLACK_APP_TOKEN` | No | Slack app token |
 | `CDP_SECRET` | No | Shared secret for CDP endpoint authentication (see [Browser Automation](#optional-browser-automation-cdp)) |
 | `WORKER_URL` | No | Public URL of the worker (required for CDP) |
+| `OP_SERVICE_ACCOUNT_TOKEN` | No | 1Password Service Account token for `op` CLI inside the container |
 
 ## Security Considerations
 

diff --git a/src/gateway/env.test.ts b/src/gateway/env.test.ts
@@ -110,6 +110,12 @@ describe('buildEnvVars', () => {
     expect(result.SLACK_APP_TOKEN).toBe('slack-app');
   });
 
+  it('includes OP_SERVICE_ACCOUNT_TOKEN when set', () => {
+    const env = createMockEnv({ OP_SERVICE_ACCOUNT_TOKEN: 'ops_test_token' });
+    const result = buildEnvVars(env);
+    expect(result.OP_SERVICE_ACCOUNT_TOKEN).toBe('ops_test_token');
+  });
+
   it('maps DEV_MODE to CLAWDBOT_DEV_MODE for container', () => {
     const env = createMockEnv({
       DEV_MODE: 'true',

diff --git a/src/gateway/env.ts b/src/gateway/env.ts
@@ -56,5 +56,8 @@ export function buildEnvVars(env: MoltbotEnv): Record<string, string> {
   if (env.CDP_SECRET) envVars.CDP_SECRET = env.CDP_SECRET;
   if (env.WORKER_URL) envVars.WORKER_URL = env.WORKER_URL;
 
+  // 1Password Service Account token for `op` CLI inside the container
+  if (env.OP_SERVICE_ACCOUNT_TOKEN) envVars.OP_SERVICE_ACCOUNT_TOKEN = env.OP_SERVICE_ACCOUNT_TOKEN;
+
   return envVars;
 }
diff --git a/src/types.ts b/src/types.ts
@@ -37,6 +37,10 @@ export interface MoltbotEnv {
   BROWSER?: Fetcher;
   CDP_SECRET?: string; // Shared secret for CDP endpoint authentication
   WORKER_URL?: string; // Public URL of the worker (for CDP endpoint)
+
+  // 1Password Service Account authentication
+  // If set, the `op` CLI inside the container can authenticate non-interactively.
+  OP_SERVICE_ACCOUNT_TOKEN?: string;
 }
 
 /**

diff --git a/start-moltbot.sh b/start-moltbot.sh
@@ -268,7 +268,19 @@ if (isOpenAI) {
 // Write updated config
 fs.writeFileSync(configPath, JSON.stringify(config, null, 2));
 console.log('Configuration updated successfully');
-console.log('Config:', JSON.stringify(config, null, 2));
+
+// Avoid logging secrets (tokens, bot tokens, api keys, etc.)
+const redacted = JSON.parse(JSON.stringify(config));
+try {
+    if (redacted.gateway?.auth?.token) redacted.gateway.auth.token = '<redacted>';
+    if (redacted.channels?.telegram?.botToken) redacted.channels.telegram.botToken = '<redacted>';
+    if (redacted.channels?.discord?.token) redacted.channels.discord.token = '<redacted>';
+    if (redacted.channels?.slack?.botToken) redacted.channels.slack.botToken = '<redacted>';
+    if (redacted.channels?.slack?.appToken) redacted.channels.slack.appToken = '<redacted>';
+    if (redacted.models?.providers?.anthropic?.apiKey) redacted.models.providers.anthropic.apiKey = '<redacted>';
+    if (redacted.models?.providers?.openai?.apiKey) redacted.models.providers.openai.apiKey = '<redacted>';
+} catch {}
+console.log('Config (redacted):', JSON.stringify(redacted, null, 2));
 EOFNODE
 
 # ============================================================