OnePassword CLI over Connect

Thanks for the information. I had thought that "service accounts" were just another name for the automation tokens so I'll wait to see what new comes along.
I've noticed our Connect server API does allow downloading file attachments (though not uploading), but the CLI did not previously. I've obtained the latest version and can now successfully download attachments with op read, though of course I'm still limited by being unable to use nonalphanumerics in the secret url and the filename has to match exactly.
In our pipelines, we're trying to read secrets by their name, which for us has a standard form of [app:][user@]hostname[/version]. So searching by the reference is out as this would be problematic to identify in every case. Being able to search would allow us to identify by partial name matches (such as where people created a secret with a nonstandard name format) and give a more helpful error message.
I've tried using escapes and URL encoding on the secret names with op read but this does not appear to be supported. The op item get works as well as op read apart from file attachments, and a JSON output is more flexible anyway. The inefficiency of it doing a local sort may be an issue for any rate limiting though, hopefully the OP_CACHE=true will help with that.
Steve