1password

For about a year, I avoided giving agents real permissions. Not because I doubted their utility, but because I didn’t trust the blast radius. If an agent can’t do anything meaningful, it’s a toy. If it can do everything, it’s a liability. The useful zone is the uncomfortable middle: enough capability to do real work, inside an environment that is aggressively constrained. OpenClaw is what finally got me across that line. If you haven’t used it, think of it as one operational surface for agent CLI execution, browser control, scheduled jobs, and chat-based control loops. Its bet is CLIs over MCP servers. Agents handle text-based back-and-forth well, and the context cost is way lower than JSON tool schemas. ...

It was 11pm on a Friday. Deploy failed. Missing environment variable. After twenty minutes of debugging, I found it: I’d added a secret to CI but forgot to add it to the server. Two-minute fix, twenty-minute hunt. I’d been burned enough times to finally fix this properly. The Core Insight One source of truth for production secrets. 1Password holds the secrets. Kamal fetches them. GitHub Actions triggers the deploy. No scattered env files on servers, no secrets in CI config. ...