
feat(kiloclaw): add 1Password integration via op CLI #1333

Open
St0rmz1 wants to merge 2 commits into main from feat/onepassword-integration

St0rmz1 commented Mar 20, 2026

Summary

  • Add 1Password as a password manager integration in KiloClaw, following the catalog-driven pattern
  • Users configure a Service Account Token (ops_...) in Settings; the op CLI (already installed in the Dockerfile at v2.33.0) reads OP_SERVICE_ACCOUNT_TOKEN from the environment automatically
  • Bootstrap writes a TOOLS.md section so the agent knows op is available and how to use it
  • Fix: replace hardcoded .max(500) Zod cap in patchSecrets with MAX_SECRET_FIELD_LENGTH derived from the catalog (1Password tokens are ~850 chars)
  • Add upgrade_required as a new changelog deploy hint type (purple badge), distinct from redeploy_required

Verification

  • pnpm run typecheck — passes
  • pnpm run format:check — passes
  • pnpm run test — 2721 passed, 175 suites
  • vitest run bootstrap.test.ts — 44 passed (includes 5 new tests for TOOLS.md 1Password section)
  • Manually tested token validation against 3 real 1Password service account tokens (848-852 chars)
  • Verified regex matches via new RegExp() in Node to ensure the catalog pattern works at runtime

Visual Changes

  • New Password Managers section in Settings tab (between Payments and Productivity)
  • 1Password entry with Lock icon, collapsible accordion, and "Setup Guide" dialog with security warning
  • New purple Upgrade Required badge in changelog (alongside existing blue/red badges)

Reviewer Notes

  • No Dockerfile changes — op CLI is already installed. The controller bootstrap change requires a new image build (CI triggers on controller source change) and users must Upgrade to latest (not just Redeploy) to get the TOOLS.md section
  • The token save + env injection works immediately on Redeploy; the agent awareness via TOOLS.md only activates after Upgrade. This is a known gap — the version/upgrade system doesn't currently surface controller-only changes as "update available"
  • MAX_SECRET_FIELD_LENGTH is currently 2000 (driven by AgentCard JWT maxLength). This raises the blanket Zod cap from 500 → 2000, which is well within CF Workers/Next.js payload limits
  • Service Accounts are available on all 1Password plans (Individual, Family, Teams, Business) with different rate limits. No plan restriction needed
  • The validationPattern uses \- in the character class — harmless, matches the style of other catalog patterns (e.g., Discord)
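The length-cap fix and the runtime regex check described in the summary above, as an added example that is not code from this pull request. The catalog shape, both patterns, the per-field maxLength values and the AGENTCARD_JWT name are assumptions, and plain checks stand in for the Zod schema.

```javascript
// Constructed catalog for illustration; not KiloClaw's real secret catalog.
const CATALOG = [
  {
    id: "onepassword",
    envVar: "OP_SERVICE_ACCOUNT_TOKEN",
    // Assumed pattern: "ops_" prefix plus a URL-safe body, anchored at both ends.
    // "\\-" inside the class is a redundant escape that matches a literal "-".
    validationPattern: "^ops_[A-Za-z0-9_\\-]{100,1500}$",
    maxLength: 1600, // assumed per-field limit
  },
  {
    id: "agentcard",
    envVar: "AGENTCARD_JWT", // hypothetical name
    validationPattern: "^[A-Za-z0-9_\\-]+\\.[A-Za-z0-9_\\-]+\\.[A-Za-z0-9_\\-]+$",
    maxLength: 2000, // the PR says the AgentCard JWT maxLength drives the cap
  },
];

const LEGACY_CAP = 500; // the hardcoded cap the PR replaces
const MAX_SECRET_FIELD_LENGTH = Math.max(...CATALOG.map((e) => e.maxLength));

function validateSecret(id, value, blanketCap = MAX_SECRET_FIELD_LENGTH) {
  if (typeof value !== "string") return { ok: false, reason: "not_a_string" };
  // Cheap length check first, so oversized input never reaches the regex.
  if (value.length > blanketCap) return { ok: false, reason: "exceeds_blanket_cap" };
  const entry = CATALOG.find((e) => e.id === id);
  if (!entry) return { ok: false, reason: "unknown_secret" };
  if (value.length > entry.maxLength) return { ok: false, reason: "exceeds_field_max" };
  // Catalog patterns are stored as strings, so compile them the way runtime does.
  if (!new RegExp(entry.validationPattern).test(value)) {
    return { ok: false, reason: "pattern_mismatch" };
  }
  return { ok: true, envVar: entry.envVar };
}

// Constructed 850-character token, matching the size range the PR reports.
const sampleToken = "ops_" + "aB3-_".repeat(170).slice(0, 846);

console.log(validateSecret("onepassword", sampleToken, LEGACY_CAP)); // rejected by old cap
console.log(validateSecret("onepassword", sampleToken)); // accepted with derived cap
console.log(validateSecret("onepassword", sampleToken + "\nFOO=bar")); // anchors reject extra lines
```

Because the pattern is anchored and the value is injected into the environment, a token with an appended newline and extra assignment is rejected rather than passed through.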

kilo-code-bot bot commented Mar 20, 2026

Code Review Summary

Status: 1 Issue Found | Recommendation: Address before merge

Overview

| Severity   | Count |
|------------|-------|
| CRITICAL   | 0     |
| WARNING    | 1     |
| SUGGESTION | 0     |

Issue Details

No new issues found in the incremental diff. The previously reported problems in src/app/(app)/claw/components/SettingsTab.tsx and kiloclaw/packages/secret-catalog/src/__tests__/catalog.test.ts are resolved.

Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

| File | Line | Issue |
|------|------|-------|
| src/routers/kiloclaw-router.ts | 136 | Initial provision/updateConfig still uses a hardcoded channelsSchema, so catalog-driven tool secrets like 1Password are not accepted through that path even though the catalog/UI now expose them. |

Files Reviewed (2 files)
  • kiloclaw/packages/secret-catalog/src/__tests__/catalog.test.ts
  • src/app/(app)/claw/components/SettingsTab.tsx

Reviewed by gpt-5.4-20260305 · 318,320 tokens

St0rmz1 linked an issue Mar 20, 2026 that may be closed by this pull request
St0rmz1 requested a review from pandemicsyn March 20, 2026 23:18

Development

Successfully merging this pull request may close these issues.

Add support for 1password