docs(notion-writer): document 1Password credential handling, deprecate .env

Plaintext .env storage of NOTION_API_KEY is unnecessary risk — Notion
integration tokens grant write access to every connected page/database
and have no expiry. Document the 1Password CLI fetch pattern as the
preferred path; .env becomes a discouraged fallback for environments
without `op`.

SKILL.md adds a Credential handling section covering:
- One-shot inline fetch via `op read 'op://Development/Notion - Claude Agent/api-key'`
- Subshell-scoped export pattern for repeated use without shell-history exposure
- 1Password field-name conventions (api-key for the token)
- Anti-patterns to avoid (echo, CLI args, git commits, chat paste)
- Token rotation procedure

notion_writer.py error message updated to point at the 1Password recipe
when NOTION_API_KEY is missing, instead of telling users to create a .env.

Tested end-to-end: pushed a 22 KB markdown report (16 tables, 120 nested
checkboxes) using the inline 1Password fetch. Bot identity verified, all
markdown blocks rendered as native Notion blocks.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-28 19:14:48 +09:00
parent 69526d345a
commit e1bd799672
2 changed files with 72 additions and 4 deletions

View File

@@ -788,8 +788,12 @@ Examples:
args = parser.parse_args()
if not NOTION_TOKEN:
print("Error: NOTION_API_KEY not set in .env file")
print("Get your integration token from: https://www.notion.so/my-integrations")
print("Error: NOTION_API_KEY not set in environment.")
print("Preferred: fetch from 1Password at runtime —")
print(" NOTION_API_KEY=\"$(op read 'op://Development/Notion - Claude Agent/api-key')\" \\")
print(" python notion_writer.py …")
print("See SKILL.md → 'Credential handling' for full guidance.")
print("Token source: https://www.notion.so/my-integrations")
sys.exit(1)
notion = compat.make_client(NOTION_TOKEN)