@phnx-labs/agents-cli 1.15.0 → 1.17.0

package/dist/commands/plugins.js

@@ -8,11 +8,11 @@
 import * as fs from 'fs';
 import * as path from 'path';
 import chalk from 'chalk';
+import { input } from '@inquirer/prompts';
 import { PLUGINS_CAPABLE_AGENTS, agentLabel } from '../lib/agents.js';
-import { discoverPlugins, getPlugin, pluginSupportsAgent, removePluginFromVersion } from '../lib/plugins.js';
+import { discoverPlugins, getPlugin, pluginSupportsAgent, removePluginFromVersion, isPluginSynced, installPlugin, updatePlugin, loadUserConfig, saveUserConfig, checkPluginDependencies, } from '../lib/plugins.js';
 import { listInstalledVersions, syncResourcesToVersion, getGlobalDefault, getVersionHomePath, } from '../lib/versions.js';
-import { isPluginSynced } from '../lib/plugins.js';
-import { isPromptCancelled, isInteractiveTerminal, requireDestructiveArg, requireInteractiveSelection, } from './utils.js';
+import { isPromptCancelled, isInteractiveTerminal, requireDestructiveArg, requireInteractiveSelection, promptRemovalTargets, } from './utils.js';
 import { itemPicker } from '../lib/picker.js';
 import { showResourceList, buildTargetsSection, } from './resource-view.js';
 import { getPluginsDir } from '../lib/state.js';
@@ -255,7 +255,7 @@ Examples:
   # Unsync but keep source directory
   agents plugins remove rush-toolkit --keep-source
 `)
-        .action((nameArg, options) => {
+        .action(async (nameArg, options) => {
         if (!nameArg) {
             requireDestructiveArg({
                 argName: 'name',
@@ -275,35 +275,242 @@ Examples:
             console.log(chalk.red(`Plugin '${name}' not found`));
             process.exit(1);
         }
-        let totalSkills = 0;
-        let totalHooks = 0;
-        let totalPerms = 0;
-        let versionsTouched = 0;
+        // Build list of targets that have this plugin synced
+        const availableTargets = [];
         for (const agentId of PLUGINS_CAPABLE_AGENTS) {
+            if (plugin && !pluginSupportsAgent(plugin, agentId))
+                continue;
             const versions = listInstalledVersions(agentId);
             for (const version of versions) {
                 const versionHome = getVersionHomePath(agentId, version);
-                const r = removePluginFromVersion(name, resolvedRoot, agentId, versionHome);
-                if (r.skills.length > 0 || r.hooks.length > 0 || r.permissions > 0) {
-                    versionsTouched += 1;
-                    totalSkills += r.skills.length;
-                    totalHooks += r.hooks.length;
-                    totalPerms += r.permissions;
-                    console.log(chalk.gray(`  ${agentLabel(agentId)}@${version}: ${r.skills.length} skill(s), ${r.hooks.length} hook(s), ${r.permissions} perm(s)`));
+                if (plugin && isPluginSynced(plugin, agentId, versionHome)) {
+                    availableTargets.push({ agent: agentId, version });
                 }
             }
         }
-        console.log(chalk.green(`Unsynced ${name} from ${versionsTouched} version(s) — ${totalSkills} skills, ${totalHooks} hooks, ${totalPerms} permissions`));
-        if (!options.keepSource) {
+        if (availableTargets.length === 0) {
+            console.log(chalk.yellow(`Plugin '${name}' not synced to any version.`));
+            if (!options.keepSource && fs.existsSync(pluginRoot)) {
+                fs.rmSync(pluginRoot, { recursive: true, force: true });
+                console.log(chalk.green(`Deleted ${formatPath(pluginRoot)}`));
+            }
+            return;
+        }
+        // Show multi-select picker for targets
+        const removalTargets = availableTargets.map((t) => ({
+            agent: t.agent,
+            version: t.version,
+            label: `${agentLabel(t.agent)}@${t.version}`,
+        }));
+        const selectedTargets = await promptRemovalTargets(name, removalTargets);
+        if (selectedTargets.length === 0) {
+            console.log(chalk.gray('Cancelled.'));
+            return;
+        }
+        let totalSkills = 0;
+        let totalCommands = 0;
+        let totalAgentDefs = 0;
+        let totalHooks = 0;
+        let totalPerms = 0;
+        let totalMcp = 0;
+        let versionsTouched = 0;
+        for (const target of selectedTargets) {
+            const versionHome = getVersionHomePath(target.agent, target.version);
+            const r = removePluginFromVersion(name, resolvedRoot, target.agent, versionHome);
+            const anyRemoved = r.skills.length > 0 || r.commands.length > 0 || r.agentDefs.length > 0 ||
+                r.bin.length > 0 || r.hooks.length > 0 || r.permissions > 0 || r.mcp > 0;
+            if (anyRemoved) {
+                versionsTouched += 1;
+                totalSkills += r.skills.length;
+                totalCommands += r.commands.length;
+                totalAgentDefs += r.agentDefs.length;
+                totalHooks += r.hooks.length;
+                totalPerms += r.permissions;
+                totalMcp += r.mcp;
+                const parts = [
+                    r.skills.length > 0 ? `${r.skills.length} skill(s)` : null,
+                    r.commands.length > 0 ? `${r.commands.length} command(s)` : null,
+                    r.agentDefs.length > 0 ? `${r.agentDefs.length} agent def(s)` : null,
+                    r.hooks.length > 0 ? `${r.hooks.length} hook(s)` : null,
+                    r.permissions > 0 ? `${r.permissions} perm(s)` : null,
+                    r.mcp > 0 ? `${r.mcp} MCP server(s)` : null,
+                ].filter(Boolean);
+                console.log(`  ${chalk.red('-')} ${target.label}: ${parts.join(', ')}`);
+            }
+        }
+        const summary = [
+            totalSkills > 0 ? `${totalSkills} skills` : null,
+            totalCommands > 0 ? `${totalCommands} commands` : null,
+            totalAgentDefs > 0 ? `${totalAgentDefs} agent defs` : null,
+            totalHooks > 0 ? `${totalHooks} hooks` : null,
+            totalPerms > 0 ? `${totalPerms} permissions` : null,
+            totalMcp > 0 ? `${totalMcp} MCP servers` : null,
+        ].filter(Boolean).join(', ') || 'nothing';
+        console.log(chalk.green(`\nUnsynced ${name} from ${versionsTouched} version(s) — ${summary}`));
+        // Only delete source if ALL targets were selected
+        if (!options.keepSource && selectedTargets.length === availableTargets.length) {
             if (fs.existsSync(pluginRoot)) {
                 fs.rmSync(pluginRoot, { recursive: true, force: true });
                 console.log(chalk.green(`Deleted ${formatPath(pluginRoot)}`));
             }
         }
+        else if (!options.keepSource && selectedTargets.length < availableTargets.length) {
+            console.log(chalk.gray(`Source kept — plugin still synced to other versions.`));
+        }
         else {
             console.log(chalk.gray(`Kept source at ${formatPath(pluginRoot)}`));
         }
     });
+    // agents plugins install <spec>
+    pluginsCmd
+        .command('install <spec>')
+        .description('Install a plugin from a git URL or local path (format: name@source or source)')
+        .addHelpText('after', `
+Examples:
+  # Install from a git URL
+  agents plugins install my-plugin@https://github.com/user/my-plugin.git
+
+  # Install from a local path
+  agents plugins install /path/to/plugin
+
+  # Named install from a local path
+  agents plugins install rush-toolkit@~/Projects/rush-toolkit
+`)
+        .action(async (spec) => {
+        console.log(chalk.gray(`Installing plugin from: ${spec}`));
+        let name;
+        let root;
+        try {
+            const result = await installPlugin(spec);
+            name = result.name;
+            root = result.root;
+        }
+        catch (err) {
+            console.log(chalk.red(`Install failed: ${err.message}`));
+            process.exit(1);
+        }
+        const plugin = getPlugin(name);
+        if (!plugin) {
+            console.log(chalk.red(`Installed but could not load plugin '${name}'`));
+            process.exit(1);
+        }
+        // Check dependencies
+        const missingDeps = checkPluginDependencies(plugin.manifest);
+        if (missingDeps.length > 0) {
+            console.log(chalk.yellow(`Warning: missing dependencies: ${missingDeps.join(', ')}`));
+            console.log(chalk.gray('Install them with: agents plugins install <name>@<source>'));
+        }
+        // Prompt for userConfig fields
+        if (plugin.manifest.userConfig && plugin.manifest.userConfig.length > 0 && isInteractiveTerminal()) {
+            const existingConfig = loadUserConfig(name);
+            const newConfig = await promptUserConfig(plugin.manifest, existingConfig);
+            if (Object.keys(newConfig).length > 0) {
+                saveUserConfig(name, { ...existingConfig, ...newConfig });
+                console.log(chalk.gray('User config saved.'));
+            }
+        }
+        // Sync to all supported installed versions
+        console.log();
+        let synced = 0;
+        for (const agentId of PLUGINS_CAPABLE_AGENTS) {
+            if (!pluginSupportsAgent(plugin, agentId))
+                continue;
+            const versions = listInstalledVersions(agentId);
+            if (versions.length === 0)
+                continue;
+            const defaultVer = getGlobalDefault(agentId);
+            const targetVersions = defaultVer ? [defaultVer] : [versions[versions.length - 1]];
+            for (const version of targetVersions) {
+                const syncResult = syncResourcesToVersion(agentId, version, { plugins: [name] });
+                if (syncResult.plugins.length > 0) {
+                    console.log(chalk.green(`  Synced to ${agentLabel(agentId)}@${version}`));
+                    synced++;
+                }
+            }
+        }
+        if (synced === 0) {
+            console.log(chalk.gray('  No supported agent versions installed — run "agents use <agent>@<version>" to sync.'));
+        }
+        console.log(chalk.bold(`\nInstalled ${plugin.name} v${plugin.manifest.version} to ${formatPath(root)}`));
+    });
+    // agents plugins update [name]
+    pluginsCmd
+        .command('update [name]')
+        .description('Re-pull a plugin from its original source and re-sync to all versions')
+        .addHelpText('after', `
+Examples:
+  # Update a specific plugin
+  agents plugins update rush-toolkit
+
+  # Update all plugins
+  agents plugins update
+`)
+        .action(async (nameArg) => {
+        const plugins = nameArg ? [getPlugin(nameArg)].filter(Boolean) : discoverPlugins();
+        if (nameArg && plugins.length === 0) {
+            console.log(chalk.red(`Plugin '${nameArg}' not found`));
+            process.exit(1);
+        }
+        if (plugins.length === 0) {
+            console.log(chalk.gray('No plugins installed.'));
+            return;
+        }
+        for (const plugin of plugins) {
+            process.stdout.write(`Updating ${plugin.name}... `);
+            const result = await updatePlugin(plugin.name);
+            if (!result.success) {
+                console.log(chalk.red(`failed — ${result.error || 'unknown error'}`));
+                continue;
+            }
+            console.log(chalk.green('done'));
+            // Re-sync to all supported installed versions
+            for (const agentId of PLUGINS_CAPABLE_AGENTS) {
+                if (!pluginSupportsAgent(plugin, agentId))
+                    continue;
+                const versions = listInstalledVersions(agentId);
+                const defaultVer = getGlobalDefault(agentId);
+                const targetVersions = defaultVer ? [defaultVer] : versions.slice(-1);
+                for (const version of targetVersions) {
+                    const syncResult = syncResourcesToVersion(agentId, version, { plugins: [plugin.name] });
+                    if (syncResult.plugins.length > 0) {
+                        console.log(chalk.gray(`  Re-synced to ${agentLabel(agentId)}@${version}`));
+                    }
+                }
+            }
+        }
+    });
+}
+/**
+ * Prompt for missing or empty userConfig fields interactively.
+ * Only prompts for fields not already present in existingConfig.
+ */
+async function promptUserConfig(manifest, existingConfig = {}) {
+    const result = {};
+    const fields = manifest.userConfig || [];
+    for (const field of fields) {
+        if (existingConfig[field.key] !== undefined)
+            continue;
+        const defaultValue = field.default ?? '';
+        try {
+            const value = await input({
+                message: field.description + (field.required ? ' (required)' : ' (optional)'),
+                default: defaultValue || undefined,
+                required: field.required ?? false,
+            });
+            if (value) {
+                result[field.key] = value;
+            }
+            else if (defaultValue) {
+                result[field.key] = defaultValue;
+            }
+        }
+        catch (err) {
+            if (isPromptCancelled(err))
+                break;
+            throw err;
+        }
+    }
+    return result;
 }
 /** Convert discovered plugins into rows suitable for the resource list view. */
 function buildPluginRows(plugins) {

package/dist/commands/prune.js

@@ -27,6 +27,8 @@ import { confirm } from '@inquirer/prompts';
 import { diffVersionCommands, iterCommandsCapableVersions, removeCommandFromVersion, } from '../lib/commands.js';
 import { diffVersionSkills, iterSkillsCapableVersions, removeSkillFromVersion, } from '../lib/skills.js';
 import { diffVersionHooks, iterHooksCapableVersions, removeHookFromVersion, } from '../lib/hooks.js';
+import { diffVersionPlugins, iterPluginsCapableVersions, removePluginSkillFromVersion, } from '../lib/plugins.js';
+import { diffVersionSubagents, iterSubagentsCapableVersions, removeSubagentFromVersion, } from '../lib/subagents.js';
 import { getGlobalDefault } from '../lib/versions.js';
 import { resolveAgentName, formatAgentError } from '../lib/agents.js';
 import { pruneDuplicates } from './view.js';
@@ -34,7 +36,7 @@ import { isInteractiveTerminal, isPromptCancelled } from './utils.js';
 import { getTrashDir } from '../lib/state.js';
 import { countSessionsOlderThan, deleteSessionsOlderThan } from '../lib/session/db.js';
 import { previewRunsPrune, pruneRuns, countAllRuns } from '../lib/routines.js';
-const RESOURCE_TYPES = ['commands', 'skills', 'hooks'];
+const RESOURCE_TYPES = ['commands', 'skills', 'hooks', 'plugins', 'subagents'];
 const STATE_TYPES = ['trash', 'sessions', 'runs'];
 const ALL_TYPES = [...RESOURCE_TYPES, 'versions', ...STATE_TYPES];
 function scopePairs(pairs, all) {
@@ -68,6 +70,22 @@ function collectOrphans(types, all) {
             }
         }
     }
+    if (types.includes('plugins')) {
+        for (const { agent, version } of scopePairs(iterPluginsCapableVersions(), all)) {
+            const diff = diffVersionPlugins(agent, version);
+            if (diff.orphans.length > 0) {
+                groups.push({ type: 'plugins', agent, version, orphans: diff.orphans });
+            }
+        }
+    }
+    if (types.includes('subagents')) {
+        for (const { agent, version } of scopePairs(iterSubagentsCapableVersions(), all)) {
+            const diff = diffVersionSubagents(agent, version);
+            if (diff.orphans.length > 0) {
+                groups.push({ type: 'subagents', agent, version, orphans: diff.orphans });
+            }
+        }
+    }
     return groups;
 }
 function removeOne(group, name) {
@@ -78,6 +96,10 @@ function removeOne(group, name) {
             return removeSkillFromVersion(group.agent, group.version, name);
         case 'hooks':
             return removeHookFromVersion(group.agent, group.version, name);
+        case 'plugins':
+            return removePluginSkillFromVersion(group.agent, group.version, name);
+        case 'subagents':
+            return removeSubagentFromVersion(group.agent, group.version, name);
     }
 }
 function parseTarget(arg) {
@@ -382,12 +404,18 @@ Examples:
   # Full sweep: orphan resources + duplicate versions for current defaults
   agents prune
 
+  # Preview what a full sweep would remove
+  agents prune --dry-run
+
   # Just orphan skills
   agents prune skills
 
   # Just version dedup
   agents prune versions
 
+  # Deduplicate versions for one agent only
+  agents prune claude
+
   # Sweep every installed version's orphans, not only the defaults
   agents prune --all
 

package/dist/commands/pull.js

@@ -80,12 +80,12 @@ Skip CLI installs with --skip-clis when you only want config updates, not versio
         // auto-syncs the system repo in the background and surfaces upstream
         // changes for user/extra repos as one-line notices. Repo lifecycle is
         // managed under `agents repo`. We keep this command functional today
-        // because `agents init` still invokes it for first-time setup; once
-        // init is refactored to call the bootstrap helpers directly, this
+        // because `agents setup` still invokes it for first-time setup; once
+        // setup is refactored to call the bootstrap helpers directly, this
         // command will hard-error like `agents memory` does.
         if (!options.yes && process.argv[2] === 'pull') {
             process.stderr.write('agents-cli: "agents pull" is deprecated.\n' +
-                '            First-time setup:  agents init\n' +
+                '            First-time setup:  agents setup\n' +
                 '            Force a sync now:  agents repo pull\n' +
                 '            Push your repo:    agents repo push\n\n');
         }

package/dist/commands/repo.js

@@ -257,7 +257,7 @@ Examples:
         const systemStatus = !systemOnDisk
             ? chalk.red('missing')
             : !systemIsGit
-                ? chalk.yellow('not a git repo — run: agents init')
+                ? chalk.yellow('not a git repo — run: agents setup')
                 : chalk.green('cloned');
         const systemCommitLabel = systemCommit ? chalk.gray(`(${systemCommit})`) : '';
         console.log(chalk.bold('System  (~/.agents-system/)'));

package/dist/commands/routines.js

@@ -571,8 +571,8 @@ Examples:
         .action(async (options) => {
         if (options.follow) {
             const { exec: execCb } = await import('child_process');
-            const { getAgentsDir } = await import('../lib/state.js');
-            const logPath = path.join(getAgentsDir(), 'helpers/daemon/logs.jsonl');
+            const { getDaemonDir } = await import('../lib/state.js');
+            const logPath = path.join(getDaemonDir(), 'logs.jsonl');
             const child = execCb(`tail -f "${logPath}"`);
             child.stdout?.pipe(process.stdout);
             child.stderr?.pipe(process.stderr);

package/dist/commands/secrets.js

@@ -9,6 +9,7 @@ import chalk from 'chalk';
 import * as fs from 'fs';
 import { bundleExists, deleteBundle, describeBundle, keychainItemsForBundle, keychainRef, listBundles, migrateLegacyBundles, parseDotenv, readBundle, rotateBundleSecret, validateBundleName, validateEnvKey, validateExpiresFutureDated, validateSecretType, writeBundle, } from '../lib/secrets/bundles.js';
 import { deleteKeychainToken, getKeychainToken, hasKeychainToken, secretsKeychainItem, setKeychainToken, } from '../lib/secrets/index.js';
+import { assertOpAvailable, createPasswordItem, deleteItemByTitle, extractSecrets, itemExistsByTitle, listItems, listVaults, } from '../lib/onepassword.js';
 import { registerCommandGroups } from '../lib/help.js';
 import { isInteractiveTerminal, isPromptCancelled } from './utils.js';
 /** Prompt the user for a secret value with masked input. Requires an interactive TTY. */
@@ -91,6 +92,24 @@ async function promptKeyName(bundleName) {
         },
     });
 }
+/** Resolve a 1Password vault name — use the provided value, or prompt interactively. */
+async function resolveVault(vaultOpt) {
+    if (vaultOpt)
+        return vaultOpt;
+    const vaults = listVaults();
+    if (vaults.length === 0)
+        throw new Error('No 1Password vaults found. Make sure you are signed in: op signin');
+    if (vaults.length === 1)
+        return vaults[0].name;
+    if (!isInteractiveTerminal()) {
+        throw new Error(`Multiple vaults found. Pass --vault <name> (available: ${vaults.map((v) => v.name).join(', ')})`);
+    }
+    const { select } = await import('@inquirer/prompts');
+    return await select({
+        message: 'Which 1Password vault?',
+        choices: vaults.map((v) => ({ name: v.name, value: v.name })),
+    });
+}
 /** Read all available data from stdin synchronously, trimmed. */
 function readStdinSync() {
     const chunks = [];
@@ -268,6 +287,13 @@ Examples:
   # Import an entire .env file straight into keychain
   agents secrets import prod --from .env.prod
 
+  # Import secrets from a 1Password vault
+  agents secrets import prod --from-1password --vault "Rush Prod"
+
+  # Push a bundle back to 1Password (vault migration, backup)
+  agents secrets export prod --to-1password --vault "Rush Prod"
+  agents secrets export prod --to-1password --vault "Rush Prod" --force
+
   # See what's in a bundle (values masked)
   agents secrets view prod
 
@@ -280,6 +306,10 @@ Examples:
   # Eval the bundle into your current shell
   eval "$(agents secrets export prod --plaintext)"
 
+  # Run a command with secrets injected
+  agents secrets exec prod -- ./deploy.sh
+  agents secrets exec hetzner.com -- crabbox list
+
   # Remove one key (purges the keychain item by default)
   agents secrets remove prod STRIPE_API_KEY
 
@@ -297,7 +327,7 @@ Examples:
     registerCommandGroups(cmd, [
         { title: 'Bundle commands', names: ['list', 'view', 'create', 'delete'] },
         { title: 'Secret commands', names: ['add', 'rotate', 'remove', 'import', 'export'] },
-        { title: 'Utilities', names: ['generate'] },
+        { title: 'Utilities', names: ['exec', 'generate'] },
     ]);
     cmd
         .command('list')
@@ -645,35 +675,71 @@ Examples:
     });
     cmd
         .command('import [bundle]')
-        .description('Import keys from a .env file into a bundle. By default every key is stored in keychain.')
-        .requiredOption('--from <path>', 'Path to a .env file')
+        .description('Import keys from a .env file or a 1Password vault into a bundle. By default every key is stored in keychain.')
+        .option('--from <path>', 'Path to a .env file')
+        .option('--from-1password', 'Import secrets from a 1Password vault (requires the op CLI)')
+        .option('--vault <name>', '1Password vault name (used with --from-1password)')
         .option('--all-plaintext', 'Store every imported value as a literal in the bundle metadata (skip keychain item creation)')
         .option('--force', 'Overwrite an existing key in the bundle')
         .action(async (bundleName, opts) => {
         try {
+            if (!opts.from && !opts.from1password) {
+                throw new Error('Pass --from <path> to import a .env file, or --from-1password to import from a 1Password vault.');
+            }
+            if (opts.from && opts.from1password) {
+                throw new Error('--from and --from-1password are mutually exclusive.');
+            }
             const resolvedBundleName = bundleName ?? (await pickBundleName('import into'));
             const bundle = readBundle(resolvedBundleName);
-            const raw = fs.readFileSync(opts.from, 'utf-8');
-            const pairs = parseDotenv(raw);
             let added = 0;
             let skipped = 0;
-            for (const [key, value] of Object.entries(pairs)) {
-                if (!opts.force && key in bundle.vars) {
-                    skipped++;
-                    continue;
+            if (opts.from1password) {
+                assertOpAvailable();
+                const vault = await resolveVault(opts.vault);
+                const items = listItems(vault);
+                const { secrets, skipped: opSkipped } = extractSecrets(items, vault);
+                for (const { envKey, value } of secrets) {
+                    if (!opts.force && envKey in bundle.vars) {
+                        skipped++;
+                        continue;
+                    }
+                    if (opts.allPlaintext) {
+                        bundle.vars[envKey] = { value };
+                    }
+                    else {
+                        const item = secretsKeychainItem(resolvedBundleName, envKey);
+                        setKeychainToken(item, value, bundle.icloud_sync);
+                        bundle.vars[envKey] = keychainRef(envKey);
+                    }
+                    added++;
                 }
-                if (opts.allPlaintext) {
-                    bundle.vars[key] = { value };
+                writeBundle(bundle);
+                if (opSkipped.length) {
+                    console.log(chalk.yellow(`Skipped ${opSkipped.length} item(s) with no importable fields.`));
                 }
-                else {
-                    const item = secretsKeychainItem(resolvedBundleName, key);
-                    setKeychainToken(item, value, bundle.icloud_sync);
-                    bundle.vars[key] = keychainRef(key);
+                console.log(chalk.green(`Imported ${added} key(s) from 1Password vault '${vault}'${skipped ? `, skipped ${skipped} (already set, pass --force)` : ''}.`));
+            }
+            else {
+                const raw = fs.readFileSync(opts.from, 'utf-8');
+                const pairs = parseDotenv(raw);
+                for (const [key, value] of Object.entries(pairs)) {
+                    if (!opts.force && key in bundle.vars) {
+                        skipped++;
+                        continue;
+                    }
+                    if (opts.allPlaintext) {
+                        bundle.vars[key] = { value };
+                    }
+                    else {
+                        const item = secretsKeychainItem(resolvedBundleName, key);
+                        setKeychainToken(item, value, bundle.icloud_sync);
+                        bundle.vars[key] = keychainRef(key);
+                    }
+                    added++;
                 }
-                added++;
+                writeBundle(bundle);
+                console.log(chalk.green(`Imported ${added} key(s)${skipped ? `, skipped ${skipped} (already set, pass --force)` : ''}.`));
             }
-            writeBundle(bundle);
-            console.log(chalk.green(`Imported ${added} key(s)${skipped ? `, skipped ${skipped} (already set, pass --force)` : ''}.`));
         }
         catch (err) {
             if (isPromptCancelled(err))
@@ -684,13 +750,49 @@ Examples:
     });
     cmd
         .command('export [bundle]')
-        .description('Resolve a bundle and print KEY=VALUE lines (for `eval "$(agents secrets export prod)"`). Refuses on a TTY unless --plaintext.')
-        .option('--plaintext', 'Acknowledge that the resolved values will be printed in the clear')
+        .description('Resolve a bundle and print KEY=VALUE lines, or push it to a 1Password vault with --to-1password.')
+        .option('--plaintext', 'Acknowledge that the resolved values will be printed in the clear (shell export mode)')
+        .option('--to-1password', 'Push every key in the bundle as a PASSWORD item in a 1Password vault')
+        .option('--vault <name>', '1Password vault name (used with --to-1password)')
+        .option('--force', 'Overwrite existing 1Password items (used with --to-1password)')
         .action(async (bundleName, opts) => {
         try {
             const { resolveBundleEnv, bundleToEnvPrefix, isReservedEnvName } = await import('../lib/secrets/bundles.js');
             const resolvedBundleName = bundleName ?? (await pickBundleName('export'));
             const bundle = readBundle(resolvedBundleName);
+            if (opts.to1password) {
+                assertOpAvailable();
+                const vault = await resolveVault(opts.vault);
+                const env = resolveBundleEnv(bundle);
+                let created = 0;
+                let overwritten = 0;
+                let skipped = 0;
+                for (const [key, value] of Object.entries(env)) {
+                    const exists = itemExistsByTitle(key, vault);
+                    if (exists) {
+                        if (!opts.force) {
+                            skipped++;
+                            continue;
+                        }
+                        deleteItemByTitle(key, vault);
+                        createPasswordItem(key, value, vault);
+                        overwritten++;
+                    }
+                    else {
+                        createPasswordItem(key, value, vault);
+                        created++;
+                    }
+                }
+                const parts = [];
+                if (created)
+                    parts.push(`${created} created`);
+                if (overwritten)
+                    parts.push(`${overwritten} overwritten`);
+                if (skipped)
+                    parts.push(`${skipped} skipped (already exist, pass --force)`);
+                console.log(chalk.green(`Exported to 1Password vault '${vault}': ${parts.join(', ')}.`));
+                return;
+            }
             if (isInteractiveTerminal() && !opts.plaintext) {
                 console.error(chalk.red('export to a TTY requires --plaintext (prevents shoulder-surfing).'));
                 process.exit(1);
@@ -711,6 +813,38 @@ Examples:
             process.exit(1);
         }
     });
+    cmd
+        .command('exec <bundle> [command...]')
+        .description('Run a command with the bundle\'s secrets injected into the environment')
+        .allowUnknownOption()
+        .action(async (bundleName, commandParts) => {
+        try {
+            if (commandParts.length === 0) {
+                console.error(chalk.red('Usage: agents secrets exec <bundle> -- <command...>'));
+                process.exit(1);
+            }
+            const { resolveBundleEnv } = await import('../lib/secrets/bundles.js');
+            const bundle = readBundle(bundleName);
+            const secretEnv = resolveBundleEnv(bundle);
+            const { spawn } = await import('child_process');
+            const [cmd, ...args] = commandParts;
+            const proc = spawn(cmd, args, {
+                stdio: 'inherit',
+                env: { ...process.env, ...secretEnv },
+            });
+            proc.on('close', (code) => process.exit(code ?? 0));
+            proc.on('error', (err) => {
+                console.error(chalk.red(`Failed to run '${cmd}': ${err.message}`));
+                process.exit(1);
+            });
+        }
+        catch (err) {
+            if (isPromptCancelled(err))
+                return;
+            console.error(chalk.red(err.message));
+            process.exit(1);
+        }
+    });
     cmd
         .command('generate [length]')
         .description('Generate a random password')