binbinsh
diff --git a/‎.codex-plugin/plugin.json‎
Lines changed: 3 additions & 4 deletions b/‎.codex-plugin/plugin.json‎
Lines changed: 3 additions & 4 deletions
diff --git a/‎README.md‎
Lines changed: 3 additions & 10 deletions b/‎README.md‎
Lines changed: 3 additions & 10 deletions
diff --git a/‎pyproject.toml‎
Lines changed: 1 addition & 1 deletion b/‎pyproject.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎skills/labbook/SKILL.md‎
Lines changed: 2 additions & 2 deletions b/‎skills/labbook/SKILL.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/labbook/auth.py‎
Lines changed: 59 additions & 80 deletions b/‎src/labbook/auth.py‎
Lines changed: 59 additions & 80 deletions
@@ -22,7 +22,7 @@
   "interface": {
     "displayName": "Notion Agent Labbook",
     "shortDescription": "Connect a project to selected Notion pages and data sources with a local Internal Integration secret.",
-    "longDescription": "Notion Agent Labbook handles local Notion configuration and project binding for Codex, Claude Code, and other MCP clients. It uses a Notion Internal Integration secret directly, can open the Notion integrations dashboard for setup, detects whether system keychain and 1Password are available, and stores only non-secret project metadata in `.labbook/`.",
+    "longDescription": "Notion Agent Labbook handles local Notion configuration and project binding for Codex, Claude Code, and other MCP clients. It uses a Notion Internal Integration secret directly, can open the Notion integrations dashboard for setup, detects whether the local system keychain is available, and stores only non-secret project metadata in `.labbook/`.",
     "developerName": "Binbin Shen",
     "category": "Productivity",
     "capabilities": [
@@ -35,9 +35,8 @@
     "termsOfServiceURL": "https://www.notion.so/policies/terms-of-use",
     "defaultPrompt": [
       "Check the current project's Notion status and bound resources before assuming Notion is available.",
-      "If the project is not authenticated, use notion_prepare_internal_integration first so the user can get the Internal Integration Secret and inspect storage_options, storage_default, and storage_choice_required.",
-      "If storage_choice_required is true, ask whether the user wants keychain or 1password before calling notion_configure_internal_integration.",
-      "Use notion_configure_internal_integration to validate and store the secret with the chosen storage value.",
+      "If the project is not authenticated, use notion_prepare_internal_integration first so the user can get the Internal Integration Secret and inspect storage_options and storage_default.",
+      "Use notion_configure_internal_integration to validate and store the secret, or recommend `agent-labbook configure-secret --storage keychain` for a local hidden prompt.",
       "Before choosing a binding UX, inspect notion_status.binding_recommendation and notion_status.binding_options.",
       "Ask whether the user can paste exact Notion links. If yes, prefer notion_bind_resource_urls. If not and the environment is desktop-capable, prefer notion_open_binding_browser. Otherwise use notion_search_resources plus notion_discover_children and then notion_bind_resources.",
       "Use notion_status or doctor for health checks, and return the official Notion API headers and bound resource IDs only when direct API calls are actually needed."
 
@@ -11,7 +11,7 @@ No OAuth, no hosted broker, no cloud worker. You connect Notion once, store the
 
 ## What It Does
 
-- Stores your Notion Internal Integration secret in the system keychain or 1Password
+- Stores your Notion Internal Integration secret in the local system keychain
 - Lets an MCP client search, discover, and bind specific Notion pages or data sources
 - Returns API headers and bound resource IDs for direct Notion API calls
 - Provides a browser-based resource chooser for desktop environments
@@ -36,12 +36,6 @@ Recommended on a workstation:
 uvx agent-labbook configure-secret --storage keychain
 ```
 
-Optional 1Password flow:
-
-```bash
-uvx agent-labbook configure-secret --storage 1password --op-vault Private
-```
-
 CI or temporary override:
 
 ```bash
@@ -51,7 +45,6 @@ export NOTION_AGENT_LABBOOK_TOKEN=secret_xxx
 Default policy:
 
 - `keychain` is the default local backend
-- `1password` is opt-in
 - `NOTION_AGENT_LABBOOK_TOKEN` is for CI or temporary overrides
 
 ## 3. Install The MCP Server
@@ -126,7 +119,7 @@ Typical flow:
 | `notion_open_binding_browser` | Start a local browser-based chooser for selecting Notion roots. | No | No |
 | `notion_list_bindings` | List the Notion resources currently bound to this project. | Yes | No |
 | `notion_get_api_context` | Return the Internal Integration secret, official Notion API headers, and bound resource IDs for direct API calls. | Yes | No |
-| `notion_clear_project_auth` | Remove the saved project-local session and delete the stored keychain or 1Password secret. | No | Yes |
+| `notion_clear_project_auth` | Remove the saved project-local session and delete the stored keychain secret. | No | Yes |
 
 ### Resources (3)
 
@@ -155,7 +148,7 @@ Typical flow:
 | Command | Description |
 |---------|-------------|
 | `agent-labbook mcp` | Run the MCP stdio server. |
-| `agent-labbook configure-secret` | Prompt for the Notion Internal Integration secret and store it locally. Supports `--storage`, `--op-vault`, `--op-item-title`. |
+| `agent-labbook configure-secret` | Prompt for the Notion Internal Integration secret and store it locally. Supports `--storage`. |
 | `agent-labbook doctor` | Inspect local Notion Agent Labbook state and print diagnostics as JSON. |
 | `agent-labbook print-mcp-config` | Print a reusable `uvx`-based MCP server config snippet. |
 
 
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "agent-labbook"
-version = "0.19.9"
+version = "0.19.10"
 description = "Notion Internal Integration binding for Codex, Claude Code, and other MCP clients."
 readme = "README.md"
 requires-python = ">=3.10"
 
@@ -24,7 +24,7 @@ It is not a general Notion wrapper or task-management layer.
 
 1. Call `notion_status` or read `labbook://agent-labbook/project/status`.
 2. If the project is not authenticated, call `notion_prepare_internal_integration`.
-3. Default to `agent-labbook configure-secret --storage keychain` on a workstation. Use `--storage 1password` only when the user explicitly wants 1Password.
+3. Use `agent-labbook configure-secret --storage keychain` on a workstation so the secret is captured via a local hidden prompt and stored in the system keychain.
 4. Use `notion_configure_internal_integration` only when the caller can safely provide the secret directly.
 5. Remind the user to share the target pages or data sources with the integration bot inside Notion.
 6. Prefer `notion_bind_resource_urls` for exact links, `notion_open_binding_browser` on desktop, or `notion_search_resources` plus `notion_discover_children` in headless environments.
@@ -45,4 +45,4 @@ It is not a general Notion wrapper or task-management layer.
 - Do not assume Notion is connected for the current project until `notion_status` confirms it.
 - Do not use `notion_get_api_context` as a health check; prefer `notion_status` and `notion_search_resources`.
 - Reuse aliases from `notion_list_bindings` so later sessions stay consistent.
-- Project-local state lives under `.labbook/` and should never be committed. The integration secret itself should come from system keychain, 1Password, or the process environment, not `.labbook/session.json`.
+- Project-local state lives under `.labbook/` and should never be committed. The integration secret itself should come from the system keychain or the process environment, not `.labbook/session.json`.
@@ -5,6 +5,7 @@
 import json
 import logging
 import os
+import threading
 from datetime import datetime, timezone
 from pathlib import Path
 from typing import Any
@@ -31,10 +32,6 @@
     keychain_delete_token,
     keychain_retrieve_token,
     keychain_store_token,
-    op_backend_status,
-    op_delete_token,
-    op_retrieve_token,
-    op_store_token,
 )
 
 logger = logging.getLogger("labbook.auth")
@@ -48,7 +45,7 @@
 NOTION_INTEGRATION_GUIDE_URL = (
     "https://developers.notion.com/guides/get-started/create-a-notion-integration"
 )
-SUPPORTED_STORAGE_BACKENDS = ("keychain", "1password")
+SUPPORTED_STORAGE_BACKENDS = ("keychain",)
 DEFAULT_PERSISTENT_STORAGE = "keychain"
 
 
@@ -67,15 +64,13 @@ def setup_guide() -> str:
             "4. Call `notion_get_api_context` only when you are ready to use the official Notion API.",
             "",
             "Default workstation path: keychain.",
-            "Use `--storage 1password` only when you explicitly want 1Password.",
             f"Use `{TOKEN_ENV_VAR}` only for CI or temporary overrides.",
             "",
             "## Security Notes",
             "",
             "- `NOTION_AGENT_LABBOOK_TOKEN` takes precedence over any locally stored secret for the current process and is intended for CI or temporary overrides.",
             "- `agent-labbook configure-secret` uses a local hidden prompt so the secret does not need to be pasted into chat or shell history.",
-            "- When you choose `keychain`, the secret is stored in the local system credential store through Python `keyring`.",
-            "- When you choose `1password`, the secret is stored as a 1Password Password item and retrieved later with `op read`.",
+            "- The secret is stored in the local system credential store through Python `keyring`.",
             "- Treat the integration secret like a password. Do not paste it into chat transcripts, logs, or committed files.",
             "",
             "## Notion Resources",
@@ -115,11 +110,6 @@ def _session_payload(
         "bot_owner_type": bot_owner_type,
         "keyring_service": kw.get("keyring_service"),
         "keyring_account": kw.get("keyring_account"),
-        "op_item_id": kw.get("op_item_id"),
-        "op_item_title": kw.get("op_item_title"),
-        "op_vault": kw.get("op_vault"),
-        "op_vault_id": kw.get("op_vault_id"),
-        "op_ref": kw.get("op_ref"),
         "configured_at": datetime.now(timezone.utc).replace(microsecond=0).isoformat(),
         "notion_version": DEFAULT_NOTION_VERSION,
     }
@@ -131,12 +121,51 @@ def _session_payload(
 
 
 def _available_storage_backends() -> list[dict[str, Any]]:
-    backends = [keychain_backend_status(), op_backend_status()]
+    """Probe keychain availability without blocking the MCP loop.
+
+    The probe runs in a daemon thread and is fenced by the configured
+    probe-timeout budget (``LABBOOK_PROBE_TIMEOUT_SECONDS``) plus a small
+    headroom, so a locked Secret Service / keychain daemon can never stall
+    a ``tools/call`` long enough for the client to close the stdio transport.
+    """
+    from .storage import _probe_timeout_default  # local import to avoid cycles
+
+    timeout = _probe_timeout_default()
+    join_budget = max(0.5, timeout + 1.0)
+
+    result: dict[str, dict[str, Any]] = {}
+
+    def _run_keychain() -> None:
+        try:
+            result["keychain"] = keychain_backend_status(probe_timeout=timeout)
+        except Exception as exc:  # noqa: BLE001 - defensive: never raise past join
+            result["keychain"] = {
+                "backend": "keychain",
+                "display_name": "System Keychain",
+                "available": False,
+                "selected_by_default": False,
+                "reason": f"Keychain probe crashed: {exc}",
+                "details": {"keyring_backend": "unknown"},
+            }
+
+    thread = threading.Thread(
+        target=_run_keychain, name="labbook-probe-keychain", daemon=True
+    )
+    thread.start()
+    thread.join(timeout=join_budget)
+
+    keychain_entry = result.get("keychain") or {
+        "backend": "keychain",
+        "display_name": "System Keychain",
+        "available": False,
+        "selected_by_default": False,
+        "reason": f"System Keychain probe did not finish within {join_budget:.1f}s.",
+        "details": {"probe_timed_out": True},
+    }
+    backends = [keychain_entry]
     available = [b["backend"] for b in backends if b.get("available")]
     recommended = (
-        DEFAULT_PERSISTENT_STORAGE
-        if DEFAULT_PERSISTENT_STORAGE in available
-        else ("1password" if "1password" in available else None)
+        DEFAULT_PERSISTENT_STORAGE if DEFAULT_PERSISTENT_STORAGE in available else None
     )
     for b in backends:
         b["selected_by_default"] = b.get("backend") == recommended
@@ -154,17 +183,12 @@ def _resolve_storage_backend(
     clean = str(requested or "auto").strip().lower() or "auto"
     current = str(current_backend or "").strip().lower() or None
     if clean not in {"auto", *SUPPORTED_STORAGE_BACKENDS}:
-        raise LabbookError("storage must be one of: auto, keychain, 1password.")
+        raise LabbookError("storage must be one of: auto, keychain.")
     if clean == "auto":
         if current in available:
             return current, backends
-        rec = (
-            DEFAULT_PERSISTENT_STORAGE
-            if DEFAULT_PERSISTENT_STORAGE in available
-            else ("1password" if "1password" in available else None)
-        )
-        if rec:
-            return rec, backends
+        if DEFAULT_PERSISTENT_STORAGE in available:
+            return DEFAULT_PERSISTENT_STORAGE, backends
         raise LabbookError(
             f"No supported secret storage backends are available. Set {TOKEN_ENV_VAR} instead."
         )
@@ -182,7 +206,7 @@ def _configured_storage(session_payload: dict[str, Any] | None) -> str | None:
     if not isinstance(session_payload, dict):
         return None
     v = str(session_payload.get("storage") or "").strip().lower()
-    return v if v in {"keychain", "1password"} else None
+    return v if v in set(SUPPORTED_STORAGE_BACKENDS) else None
 
 
 # ---------------------------------------------------------------------------
@@ -204,18 +228,14 @@ def _token_context(project_root: str | Path | None = None) -> dict[str, Any]:
             "storage": backend,
             "env_token_present": True,
             "keyring_error": None,
-            "onepassword_error": None,
             "storage_error": None,
         }
-    keyring_error = onepassword_error = None
+    keyring_error: str | None = None
     token: str | None = None
     token_source: str | None = None
     if backend == "keychain":
         token, keyring_error = keychain_retrieve_token(session)
         token_source = "keychain" if token else None
-    elif backend == "1password":
-        token, onepassword_error = op_retrieve_token(session)
-        token_source = "1password" if token else None
     return {
         "project_root": root,
         "session": session,
@@ -224,8 +244,7 @@ def _token_context(project_root: str | Path | None = None) -> dict[str, Any]:
         "storage": backend,
         "env_token_present": False,
         "keyring_error": keyring_error,
-        "onepassword_error": onepassword_error,
-        "storage_error": keyring_error or onepassword_error,
+        "storage_error": keyring_error,
     }
 
 
@@ -258,20 +277,12 @@ def _secret_plan(
     token_source = token_context.get("token_source")
     env_token_present = bool(token_context.get("env_token_present"))
 
-    if configured_storage in {"keychain", "1password"} and token_source == configured_storage:
-        if configured_storage == "keychain":
-            return {
-                "mode": "keychain",
-                "reason": (
-                    "This project is already using the local system keychain successfully, "
-                    "so keeping that backend is the least disruptive option."
-                ),
-            }
+    if configured_storage == "keychain" and token_source == "keychain":
         return {
-            "mode": "1password",
+            "mode": "keychain",
             "reason": (
-                "This project is already using 1Password successfully, so keeping that "
-                "backend is the least disruptive option."
+                "This project is already using the local system keychain successfully, "
+                "so keeping that backend is the least disruptive option."
             ),
         }
 
@@ -287,18 +298,6 @@ def _secret_plan(
             )
         return {"mode": "keychain", "reason": reason}
 
-    if storage_default == "1password":
-        reason = (
-            "1Password is the only supported local secret backend detected, so it is "
-            "the best persistent option here."
-        )
-        if env_token_present:
-            reason += (
-                f" The current process is using {TOKEN_ENV_VAR}, but 1Password is the "
-                "better long-lived default."
-            )
-        return {"mode": "1password", "reason": reason}
-
     return {
         "mode": "env",
         "reason": (
@@ -320,9 +319,7 @@ def prepare_internal_integration(
     storage_options = _available_storage_backends()
     available = [b["backend"] for b in storage_options if b.get("available")]
     storage_default = (
-        DEFAULT_PERSISTENT_STORAGE
-        if DEFAULT_PERSISTENT_STORAGE in available
-        else ("1password" if "1password" in available else None)
+        DEFAULT_PERSISTENT_STORAGE if DEFAULT_PERSISTENT_STORAGE in available else None
     )
     cmd = (
         f"uvx agent-labbook configure-secret --storage {storage_default}"
@@ -345,7 +342,7 @@ def prepare_internal_integration(
             "Create a Notion Internal Integration and share the target pages or data sources with it.",
             f"Run `{cmd}` for a local hidden prompt."
             if cmd
-            else f"If no local secret backend is available, use NOTION_AGENT_LABBOOK_TOKEN as a process-scoped override.",
+            else "If no local secret backend is available, use NOTION_AGENT_LABBOOK_TOKEN as a process-scoped override.",
             "Bind the resources you want to use.",
             "Call notion_get_api_context only when you are ready to use the official Notion API.",
         ],
@@ -359,8 +356,6 @@ def configure_internal_integration(
     secret: str,
     project_root: str | Path | None = None,
     storage: str | None = None,
-    op_vault: str | None = None,
-    op_item_title: str | None = None,
 ) -> dict[str, Any]:
     root = resolve_project_root(project_root)
     clean_secret = str(secret or "").strip()
@@ -390,15 +385,6 @@ def configure_internal_integration(
         ks, ka = keychain_store_token(project_root=root, token=clean_secret)
         kw["keyring_service"] = ks
         kw["keyring_account"] = ka
-    elif resolved_backend == "1password":
-        kw.update(
-            op_store_token(
-                project_root=root,
-                token=clean_secret,
-                vault=op_vault,
-                item_title=op_item_title,
-            )
-        )
     else:
         raise LabbookError(f"Unsupported storage backend: {resolved_backend}")
     save_project_session(root, _session_payload(**kw))
@@ -414,8 +400,6 @@ def configure_internal_integration(
         "bot_owner_type": bot_owner_type,
         "storage_options": storage_options,
         "recommended_next_action": "notion_search_resources",
-        "op_vault": kw.get("op_vault"),
-        "op_item_title": kw.get("op_item_title"),
         "keyring_backend": keychain_backend_name(),
     }
 
@@ -434,9 +418,7 @@ def status(project_root: str | Path | None = None) -> dict[str, Any]:
     storage_options = _available_storage_backends()
     available = [b["backend"] for b in storage_options if b.get("available")]
     storage_default = (
-        DEFAULT_PERSISTENT_STORAGE
-        if DEFAULT_PERSISTENT_STORAGE in available
-        else ("1password" if "1password" in available else None)
+        DEFAULT_PERSISTENT_STORAGE if DEFAULT_PERSISTENT_STORAGE in available else None
     )
     secret_plan = _secret_plan(token_context=tc, storage_default=storage_default)
     authenticated = bool(tc["token"])
@@ -457,7 +439,6 @@ def status(project_root: str | Path | None = None) -> dict[str, Any]:
         "env_token_present": tc["env_token_present"],
         "keyring_backend": keychain_backend_name(),
         "keyring_error": tc["keyring_error"],
-        "onepassword_error": tc["onepassword_error"],
         "storage_error": tc["storage_error"],
         "storage_options": storage_options,
         "storage_default": storage_default,
@@ -506,8 +487,6 @@ def clear_project_auth(
     deleted = False
     if storage == "keychain":
         deleted = keychain_delete_token(session)
-    elif storage == "1password":
-        deleted = op_delete_token(session)
     session_cleared = clear_project_session(root)
     bindings_cleared = clear_project_bindings(root) if clear_bindings else False
     return {