
sameh0/op-gate

op-gate

Touch ID for every op call. A macOS wrapper that prompts biometric authentication before each 1Password CLI invocation.

$ op-gate read "op://Personal/GitHub/token"
# → Touch ID prompt appears
# → authenticates, then runs: op read "op://Personal/GitHub/token"

Why

The 1Password CLI (op) with desktop app integration authenticates once per terminal session (10-minute window, auto-refreshing). After that, any process in the same session can read any secret silently.

op-gate adds a Touch ID prompt before every op call. No secret is read without your fingerprint.

How it works

op-gate is a signed macOS .app bundle (required for biometric entitlements) that:

  1. Prompts Touch ID via LocalAuthentication
  2. On success, runs op with your arguments and OP_CACHE=false
  3. Passes through stdin, stdout, stderr, and the exit code

It's a transparent wrapper — use it exactly like op.
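
A minimal Swift sketch of the three steps above, added here as an illustration; it is not op-gate's own source. The function names, the exit codes 1 and 127, and locating op through /usr/bin/env are assumptions, and the code is written for Swift 5 language mode.

```swift
// Added illustration of the flow; not op-gate's actual source.
import Foundation
import LocalAuthentication

func warn(_ msg: String) {
    FileHandle.standardError.write(Data("op-gate sketch: \(msg)\n".utf8))
}

/// Step 1: block until the Touch ID prompt is answered. Biometrics only,
/// so there is no fallback to the account password.
func authenticate(reason: String) -> Bool {
    let context = LAContext()
    let policy = LAPolicy.deviceOwnerAuthenticationWithBiometrics
    var error: NSError?
    guard context.canEvaluatePolicy(policy, error: &error) else {
        warn("biometrics unavailable: \(error?.localizedDescription ?? "unknown")")
        return false
    }
    let done = DispatchSemaphore(value: 0)
    var ok = false
    context.evaluatePolicy(policy, localizedReason: reason) { success, _ in
        ok = success          // reply arrives on a private queue
        done.signal()
    }
    done.wait()
    return ok
}

/// Steps 2 and 3: run op with the caller's arguments and OP_CACHE=false.
func runOp(_ args: [String]) throws -> Int32 {
    let op = Process()
    // Assumption: op is found through PATH. Pinning an absolute path would
    // keep an earlier PATH entry named "op" from being run after the prompt.
    op.executableURL = URL(fileURLWithPath: "/usr/bin/env")
    op.arguments = ["op"] + args
    op.environment = ProcessInfo.processInfo.environment
        .merging(["OP_CACHE": "false"]) { _, new in new }
    op.standardInput = FileHandle.standardInput     // stdio passes through
    op.standardOutput = FileHandle.standardOutput
    op.standardError = FileHandle.standardError
    try op.run()
    op.waitUntilExit()
    return op.terminationStatus
}

let args = Array(CommandLine.arguments.dropFirst())
// Fail closed: op is never started unless authentication succeeded.
guard authenticate(reason: "run op \(args.first ?? "")") else { exit(1) }
do { exit(try runOp(args)) } catch { warn("cannot start op: \(error)"); exit(127) }
```

As the signing section of this README explains, the binary has to be packaged into a signed .app bundle with entitlements before the Touch ID prompt will appear.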

Requirements

  • macOS 13+
  • 1Password CLI (op) installed
  • Swift toolchain (Xcode or Xcode Command Line Tools)

Install

git clone https://github.com/sameh0/op-gate.git
cd op-gate
scripts/install.sh

This builds a release binary, packages it into a signed .app bundle, copies it to ~/Applications/op-gate.app, and symlinks the binary to ~/.local/bin/op-gate.

Make sure ~/.local/bin is in your PATH:

# Add to your .zshrc or .bashrc
export PATH="$HOME/.local/bin:$PATH"

Usage

Same interface as op, just prefixed with op-gate:

# Read a secret
op-gate read "op://Personal/GitHub/token"

# Get a field from an item
op-gate item get MyServer --fields password

# Any op command works
op-gate item list --vault Personal

Shell alias

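To gate op commands behind Touch ID, alias op to op-gate. An alias only applies to commands typed in a shell that defines it; scripts and other programs that execute op directly do not go through op-gate.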

alias op="op-gate"

Build from source

# Build + bundle only (no install)
scripts/bundle.sh

# Binary ends up at:
.build/op-gate.app/Contents/MacOS/op-gate

How the signing works

A plain CLI binary can't access Touch ID — macOS requires an .app bundle with entitlements for biometric prompts via LocalAuthentication. op-gate uses ad-hoc signing (codesign --sign -) with hardened runtime, which works for personal use without an Apple Developer account.

For distribution to others, you'd need to sign with a Developer ID and notarize.

Project structure

├── Package.swift          # Swift Package Manager manifest
├── Sources/op-gate/
│   └── op_gate.swift      # All the code (~100 lines)
├── Info.plist             # App bundle metadata
├── entitlements.plist     # Codesigning entitlements
└── scripts/
    ├── bundle.sh          # Build + package + codesign
    └── install.sh         # bundle.sh + copy to ~/Applications + symlink

License

MIT
