docs(notion-writer): document 1Password credential handling, deprecate .env
Plaintext .env storage of NOTION_API_KEY is unnecessary risk — Notion integration tokens grant write access to every connected page/database and have no expiry. Document the 1Password CLI fetch pattern as the preferred path; .env becomes a discouraged fallback for environments without `op`. SKILL.md adds a Credential handling section covering: - One-shot inline fetch via `op read 'op://Development/Notion - Claude Agent/api-key'` - Subshell-scoped export pattern for repeated use without shell-history exposure - 1Password field-name conventions (api-key for the token) - Anti-patterns to avoid (echo, CLI args, git commits, chat paste) - Token rotation procedure notion_writer.py error message updated to point at the 1Password recipe when NOTION_API_KEY is missing, instead of telling users to create a .env. Tested end-to-end: pushed a 22 KB markdown report (16 tables, 120 nested checkboxes) using the inline 1Password fetch. Bot identity verified, all markdown blocks rendered as native Notion blocks. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -788,8 +788,12 @@ Examples:
|
||||
args = parser.parse_args()
|
||||
|
||||
if not NOTION_TOKEN:
|
||||
print("Error: NOTION_API_KEY not set in .env file")
|
||||
print("Get your integration token from: https://www.notion.so/my-integrations")
|
||||
print("Error: NOTION_API_KEY not set in environment.")
|
||||
print("Preferred: fetch from 1Password at runtime —")
|
||||
print(" NOTION_API_KEY=\"$(op read 'op://Development/Notion - Claude Agent/api-key')\" \\")
|
||||
print(" python notion_writer.py …")
|
||||
print("See SKILL.md → 'Credential handling' for full guidance.")
|
||||
print("Token source: https://www.notion.so/my-integrations")
|
||||
sys.exit(1)
|
||||
|
||||
notion = compat.make_client(NOTION_TOKEN)
|
||||
|
||||
Reference in New Issue
Block a user