feat(ssh): per-role 1Password SSH agent allowlist

technicalpickles · claude · technicalpickles · commit 7ef4d49a7ab9 · 2026-05-04T11:28:23.000-04:00
By default 1Password's SSH agent offers every key in the unlocked vault
to every ssh request. On the work laptop that surfaced 7 keys, including
personal keys and the personal-agent key from ADR 31 (which is in the
vault as a backup but should not be offered, since claude-agent uses the
on-disk + Keychain path).

Add a role-aware agent.toml managed in dotfiles. config/1password/
agent.toml.&lt;role&gt; defines the allowlist, sshconfig.sh symlinks the file
matching $DOTPICKLES_ROLE into ~/.config/1Password/ssh/agent.toml when
the 1Password agent socket is present.

Verified on the work laptop: ssh-add -l against the 1Password socket
went from 7 keys to 3 (Gusto only).

ADR 33 documents the decision and tradeoffs.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -33,6 +33,7 @@ When making significant architectural changes, create a new ADR.
 - `~/.gitconfig.d/1password`: Generated during git config setup
 - `~/.ssh/config`: Managed by [sshconfig.sh](sshconfig.sh) -- edit `ssh/config.d/` instead
 - `~/.ssh/config.d/colima`: Generated by [sshconfig.sh](sshconfig.sh)
+- `~/.config/1Password/ssh/agent.toml`: Managed by [sshconfig.sh](sshconfig.sh) -- edit `config/1password/agent.toml.<role>` instead (see [ADR 0033](doc/adr/0033-1password-ssh-agent-allowlist.md))
 - Any symlinked files -- edit the source in `home/` or `config/` instead
 
 ## Working with Nerd Fonts / Special Unicode Characters
diff --git a/config/1password/agent.toml.work b/config/1password/agent.toml.work
@@ -0,0 +1,23 @@
+# 1Password SSH agent allowlist for the work role.
+#
+# 1Password's SSH agent offers every key in the unlocked vault by default.
+# Listing items here makes it an allowlist: only these keys are exposed to
+# ssh, regardless of what else lives in the vault.
+#
+# Personal keys (including the personal-agent key from ADR 0031) stay in
+# the vault for backup/reference but are never offered on the work laptop.
+#
+# Symlinked into ~/.config/1Password/ssh/agent.toml by sshconfig.sh based
+# on $DOTPICKLES_ROLE. See ADR 0033.
+#
+# Item names below are matched against the 1Password item title, not the
+# SSH key comment.
+
+[[ssh-keys]]
+item = "Gusto Laptop id_ed25519"
+
+[[ssh-keys]]
+item = "Gusto Signing Key"
+
+[[ssh-keys]]
+item = "homebrew-gusto_deploy_key"
diff --git a/doc/adr/0033-1password-ssh-agent-allowlist.md b/doc/adr/0033-1password-ssh-agent-allowlist.md
@@ -0,0 +1,134 @@
+# 33. 1Password SSH Agent Allowlist
+
+Date: 2026-05-04
+
+## Status
+
+Accepted
+
+## Context
+
+`ssh/config.d/auth` (see [ADR 26](0026-versioned-ssh-config-with-config-d.md))
+points `Host *`'s `IdentityAgent` at the 1Password agent socket. Every ssh
+connection that doesn't have a more specific `IdentityAgent` lands there, and
+1Password offers up keys from the unlocked vault.
+
+By default, 1Password's agent offers _every_ SSH key item in every vault the
+account can see. On a single-purpose machine that's fine. On a machine with
+both work and personal contexts, it's noisy and occasionally wrong:
+
+- Servers that allow multiple keys for a user may auth with whichever one
+  shows up first, even if it isn't the "right" one
+- 1Password prompts for biometric/system approval per key offer, and offering
+  irrelevant keys means more prompts to dismiss
+- The personal-agent key from [ADR 31](0031-role-scoped-agent-git-identity.md)
+  lives on disk + macOS Keychain by design, but is also stored in 1Password
+  vault as a backup. That entry should never be _offered_ by the 1Password
+  agent (the on-disk + Keychain path is what claude-agent uses), even though
+  it's fine for it to live in the vault for reference.
+
+On the work laptop specifically, `ssh-add -l` against the 1Password socket
+listed seven keys, including the personal-agent key. That's the immediate
+trigger.
+
+## Decision
+
+Manage `~/.config/1Password/ssh/agent.toml` as a role-aware symlink into the
+dotfiles repo. The file in the repo is an allowlist of 1Password items by
+title, scoped per-role.
+
+### Implementation
+
+**`config/1password/agent.toml.<role>`** holds the allowlist for that role.
+On the work laptop, only Gusto-related items are listed:
+
+```toml
+[[ssh-keys]]
+item = "Gusto Laptop id_ed25519"
+
+[[ssh-keys]]
+item = "Gusto Signing Key"
+
+[[ssh-keys]]
+item = "homebrew-gusto_deploy_key"
+```
+
+Listed `[[ssh-keys]]` entries are an allowlist: 1Password offers only those
+items, regardless of what else lives in the vault. `item` matches the
+1Password item title (not the SSH key comment).
+
+**`sshconfig.sh`** appends a section that resolves
+`config/1password/agent.toml.$DOTPICKLES_ROLE` and symlinks it to
+`~/.config/1Password/ssh/agent.toml` if the source file exists and the
+1Password app dir is present. The role-aware path means a new machine joining
+under a different role doesn't accidentally inherit another machine's
+allowlist; it just skips the link until the role's file exists.
+
+**`functions.sh`'s `link_directory_contents`** skip list adds
+`config/1password`. Without that, the auto-linker would try to symlink the
+directory itself to `~/.config/1password` (lowercase), which 1Password
+ignores -- it reads the capital-P path. Listing it as a skip alongside
+`config/fish` matches the existing pattern for "directory managed by its own
+installer."
+
+### Why per-role rather than per-host
+
+1Password's `agent.toml` does support `host = "..."` filters per key, which
+would let one file describe behavior for both work and personal hosts. But
+the dotfiles role system already cleanly partitions "this is a work laptop"
+from "this is a personal laptop," and the simplest mental model is "the
+allowlist is whatever the role file says." A future iteration could add
+host-scoping inside a role file (e.g. work laptop allows the Gusto signing
+key for github.com only) without changing the role-based selection.
+
+### Alternatives Considered
+
+1. **Single allowlist with `host =` filters covering both machines**
+
+   - Pros: one file describes everything
+   - Cons: every machine's vault still has to share the same item titles;
+     a vault rename on one machine breaks behavior on the other; harder to
+     reason about
+   - Rejected: role-based selection is a cleaner cut
+
+2. **Delete the personal-agent key from the 1Password vault**
+
+   - Pros: no allowlist needed; problem disappears
+   - Cons: loses the "key is backed up in 1Password" property, which is the
+     reason it was added in the first place
+   - Rejected: the user wants the key in the vault for reference
+
+3. **Stop using the 1Password agent altogether on the work laptop**
+
+   - Pros: removes a class of identity-leak issues
+   - Cons: defeats 1Password as the auth UX for the entire flow, including
+     non-agent uses; significantly larger change for one annoyance
+   - Rejected: too broad
+
+## Consequences
+
+### Positive
+
+- 1Password offers only the keys relevant to the active role, cutting the
+  work laptop from 7 offered keys to 3
+- The personal-agent key stays in 1Password vault for backup but is not
+  offered by the 1Password agent on any machine, preserving ADR 31's
+  "agent key auth path is on-disk + Keychain only" property
+- A new role file (`agent.toml.<role>`) is a one-file change to add another
+  machine type
+- Existing `link` helper handles the symlink lifecycle (creation, rewriting,
+  conflict prompts) without bespoke shell
+
+### Negative
+
+- One more file to keep in sync per role. When a new key is added to the
+  vault for that role, it has to be added to the allowlist or it won't be
+  offered. Failure mode is "key isn't found," which is loud rather than
+  silent
+- 1Password item _titles_ are the matching key. Renaming an item in
+  1Password silently breaks the allowlist until the file is updated
+- The capital-P quirk (`~/.config/1Password/` vs the rest of `~/.config/`'s
+  lowercase convention) means the skip list and the explicit symlink in
+  sshconfig.sh are necessary; a reader who doesn't know the quirk might
+  wonder why config/1password isn't auto-linked like everything else under
+  config/
diff --git a/doc/adr/README.md b/doc/adr/README.md
@@ -32,3 +32,4 @@
 - [30. ssh-keychain-loading-at-login](0030-ssh-keychain-loading-at-login.md)
 - [31. role-scoped-agent-git-identity](0031-role-scoped-agent-git-identity.md)
 - [32. use-fnox-for-secrets](0032-use-fnox-for-secrets.md)
+- [33. 1password-ssh-agent-allowlist](0033-1password-ssh-agent-allowlist.md)
diff --git a/functions.sh b/functions.sh
@@ -57,8 +57,9 @@ find_targets() {
 
 link_directory_contents() {
   local directory="$1"
-  # Items managed by their own installer scripts (e.g. fish.sh handles config/fish)
-  local -a skip=(config home config/fish)
+  # Items managed by their own installer scripts (e.g. fish.sh handles config/fish,
+  # sshconfig.sh handles config/1password's role-aware agent.toml symlink)
+  local -a skip=(config home config/fish config/1password)
   for linkable in $(find_targets "${directory}"); do
     local should_skip=false
     for s in "${skip[@]}"; do
diff --git a/ssh/CLAUDE.md b/ssh/CLAUDE.md
@@ -28,8 +28,19 @@ SSH settings use `ssh/config.d/` fragments with SSH's native `Include` directive
 ./sshconfig.sh
 ```
 
+## 1Password SSH Agent Allowlist
+
+`Host *` in `ssh/config.d/auth` points at the 1Password agent. By default 1Password offers every key in the unlocked vault. Per-role allowlists live at `config/1password/agent.toml.<role>` and are symlinked to `~/.config/1Password/ssh/agent.toml` by `sshconfig.sh` based on `$DOTPICKLES_ROLE`. See [ADR 0033](../doc/adr/0033-1password-ssh-agent-allowlist.md).
+
+To check what 1Password is currently offering:
+
+```bash
+SSH_AUTH_SOCK="$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock" ssh-add -l
+```
+
 ## Important
 
 - Edit `ssh/config.d/auth` and `ssh/config.d/term` for versioned changes
 - Never edit `~/.ssh/config` directly -- it's managed by `sshconfig.sh`
 - `~/.ssh/config.d/hosts` is machine-local and gitignored; recreate it per machine
+- Never edit `~/.config/1Password/ssh/agent.toml` directly -- edit `config/1password/agent.toml.<role>` instead
diff --git a/sshconfig.sh b/sshconfig.sh
@@ -24,6 +24,27 @@ if command_available colima; then
   echo "Include ~/.colima/ssh_config" > ~/.ssh/config.d/colima
 fi
 
+# Symlink role-specific 1Password SSH agent allowlist.
+# 1Password reads ~/.config/1Password/ssh/agent.toml (capital P). Without an
+# allowlist, every key in the unlocked vault is offered to ssh on every
+# connection. config/1password/agent.toml.<role> defines which items are
+# offered. See ADR 0033.
+op_role="${DOTPICKLES_ROLE:-personal}"
+op_source="config/1password/agent.toml.${op_role}"
+op_target="$HOME/.config/1Password/ssh/agent.toml"
+op_socket="$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"
+if [ -S "$op_socket" ]; then
+  if [ -f "$DIR/$op_source" ]; then
+    echo "🔑 setting up 1Password SSH agent allowlist (role: $op_role)"
+    mkdir -p "$HOME/.config/1Password/ssh"
+    link "$op_source" "$op_target"
+  else
+    echo "🔑 no 1Password agent.toml for role '$op_role', skipping (expected $op_source)"
+  fi
+else
+  echo "🔑 1Password agent socket not found, skipping agent.toml setup"
+fi
+
 # Ensure ~/.ssh/config starts with Include
 include_line="Include ~/.ssh/config.d/*"
 if [ ! -f ~/.ssh/config ]; then
