Forum Discussion
Former Member
4 years ago
op CLI with biometric unlock using Polkit not working
Hi,
I'm using 1Password 8.6.1-1 and CLI 2.0.0-4 from the Arch User Repo. I usually use i3-gnome-flashback, but I see the same problem under GNOME on Wayland, or GNOME Flashback. I appreciate the i3 setup is a bit niche, and am happy to fix that myself if anyone can help me getting it working under a plain old GNOME + Wayland or Xorg session. :)
Here's some info about my installation:
```shell
$ pacman -Qi 1password 1password-cli | grep -iE '^(Name|Version)'
Name : 1password
Version : 8.6.1-1
Name : 1password-cli
Version : 2.0.0-4
$ pacman -Ql 1password | grep -i polkit
1password /usr/share/polkit-1/
1password /usr/share/polkit-1/actions/
1password /usr/share/polkit-1/actions/com.1password.1Password.policy
$ op --version
2.0.0
$ 1password --version
8.6.1
$ ls -lL $( which op )
-rwxr-sr-x 1 root onepassword-cli 12664832 Mar 30 16:41 /usr/bin/op
$ ls -lL $( which 1password )
-rwxr-xr-x 1 root root 149375632 Mar 30 16:42 /usr/bin/1password
$ getent group | grep onepassword
onepassword-cli:x:1011:
onepassword:x:1012:
$ ss --listening | grep -i pass | column -t ; ls -la ${XDG_RUNTIME_DIR}/1Password-BrowserSupport.sock
nl UNCONN 0 0 uevent:keepassxc/53952 *
nl UNCONN 0 0 uevent:keepassxc/53952 *
u_str LISTEN 0 50 /tmp/qtsingleapp-Enpass-216b-3ed 25210 * 0
srw------- 1 my_username my_username 0 Mar 31 15:08 /run/user/my_uid/1Password-BrowserSupport.sock
```
Using the old method of adding an account manually works. Using e.g. eval $( secret-tool lookup provider 1Password profile work | op signin --account work) makes creds in my work vault available to the CLI using op item get etc. I would like to switch to the "biometric" (Polkit) unlock.
The 1Password GUI client setting Unlock using system authentication service works: I haven't ever had a problem with this.
I have read and followed https://developer.1password.com/docs/cli/about-biometric-unlock and https://developer.1password.com/docs/cli/get-started#sign-in. Whether the GUI client is running and unlocked or not, I do not get prompted to choose an account (I only have one). Instead, I get this:
```shell
$ op vault ls
No accounts configured for use with 1Password CLI.
You can either:
- Sign in with biometric unlock; see https://developer.1password.com/docs/cli/get-started/#sign-in for details.
- Add an account manually with op account add; see op account add --help for details.
Do you want to add an account manually now? [Y/n]
```
I saw the issues with the group ID being under 1000, and ensured that was not the case. The Polkit actions template appears to have been rendered correctly: in any case, if I manually install the template, replacing the placeholders with unix-user:my_username, I still see this issue. Other Polkit actions and rules work fine, e.g. GParted prompts me to enter credentials, then runs as expected.
Please let me know if I can provide more information for troubleshooting.
1Password Version: 8.6.1
Extension Version: 2.3.2
OS Version: Arch Linux (rolling)
13 Replies
- Former Member
awe thank you very much for taking the time to reply!
After several days' worth of updates (and a couple of reboots), I now see these listening sockets:
```shell
ss --listening | grep -i 1pass | column -t ; ls -la ${XDG_RUNTIME_DIR}/1Password-BrowserSupport.sock
nl UNCONN 0 0 rtnl:1password/143290 *
nl UNCONN 0 0 rtnl:1password/143335 *
nl UNCONN 0 0 rtnl:1password/143335 *
nl UNCONN 0 0 rtnl:1password/143290 *
nl UNCONN 0 0 uevent:1password/143290 *
nl UNCONN 0 0 uevent:1password/143290 *
u_str LISTEN 0 1024 /run/user/my_uid/1Password-BrowserSupport.sock 169087 * 0
srw------- 1 my_username my_username 0 Apr 14 11:29 /run/user/my_uid/1Password-BrowserSupport.sock
```
NB: I modified the grep to exclude KeePassXC, which I also use.
- awe New Contributor
Hey, sorry just realized how absolutely unhelpful my first response was.
I just checked on my Ubuntu work laptop and the sockets appear a bit different:
```
awe@ubuntu:~$ ss --listening | grep -i pass | column -t ; ls -la ${XDG_RUNTIME_DIR}/1Password-BrowserSupport.sock
nl UNCONN 0 0 rtnl:1password/5328 *
nl UNCONN 0 0 rtnl:1password/5221 *
nl UNCONN 0 0 rtnl:1password/5328 *
nl UNCONN 0 0 rtnl:1password/5221 *
nl UNCONN 0 0 uevent:1password/5221 *
nl UNCONN 0 0 uevent:1password/5221 *
u_str LISTEN 0 1024 /home/awe/.1password/agent.sock 64670 * 0
u_str LISTEN 0 1024 /run/user/1000/1Password-BrowserSupport.sock 62849 * 0
srw------- 1 awe awe 0 Apr 8 08:06 /run/user/1000/1Password-BrowserSupport.sock
```
Everything else was the same as yours permission-wise.
I will check my Arch machine later when I get home and see what I find there.
- awe New Contributor
Had the same issue on Arch (also gnome-flashback + i3).
I fixed it by changing the ownership of the op binary:
```shell
sudo chown root:onepassword-cli /usr/bin/op
sudo chmod g+s /usr/bin/op
```
Found this somewhere in the 1Pass CLI Guide
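
The checks that come up in this thread (owner, group and setgid bit on `op`, the `onepassword-cli` GID, the Polkit policy file, the app socket), collected into one script. This is an added example, not part of any post and not 1Password's own tooling; the function names are hypothetical, and the paths, group name and 1000 GID threshold are the ones quoted in the posts above.

```shell
#!/bin/sh
# Added example: checks for the op Polkit-unlock prerequisites named in this
# thread. Function names are hypothetical; paths, group name and the 1000 GID
# floor are taken from the posts.
OP_GROUP="onepassword-cli"
POLICY="/usr/share/polkit-1/actions/com.1password.1Password.policy"

# check_op_ls LINE: LINE is the `ls -lL` line for the op binary. Passes only
# if owner is root, group is $OP_GROUP and the group-execute column is 's'
# (setgid plus execute), i.e. the state chown/chmod g+s produces.
check_op_ls() {
    read -r mode links owner group rest <<EOF
$1
EOF
    gx=$(printf '%s' "$mode" | cut -c7)
    [ "$owner" = "root" ] || { echo "owner is '$owner', want root"; return 1; }
    [ "$group" = "$OP_GROUP" ] || { echo "group is '$group', want $OP_GROUP"; return 1; }
    [ "$gx" = "s" ] || { echo "setgid bit not set (mode $mode)"; return 1; }
}

# check_gid LINE: LINE is a `getent group` entry (name:x:gid:members).
check_gid() {
    gid=$(printf '%s\n' "$1" | cut -d: -f3)
    case $gid in
        ''|*[!0-9]*) echo "no numeric GID in '$1'"; return 1 ;;
    esac
    [ "$gid" -ge 1000 ] || { echo "GID $gid is below 1000"; return 1; }
}

# audit_op_install: run every check against the live system, stop at the
# first failure and say which one it was.
audit_op_install() {
    bin=$(command -v op) || { echo "op not found in PATH"; return 1; }
    check_op_ls "$(ls -lL "$bin")" || return 1
    check_gid "$(getent group "$OP_GROUP")" || return 1
    [ -f "$POLICY" ] || { echo "missing $POLICY"; return 1; }
    [ -S "${XDG_RUNTIME_DIR}/1Password-BrowserSupport.sock" ] ||
        { echo "app socket missing (is 1Password running?)"; return 1; }
    echo "all checks passed"
}
```

Source the file and call `audit_op_install` as the desktop user; the two `check_*` functions can also be fed a saved `ls -lL` or `getent group` line from another machine.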