@phnx-labs/agents-cli 1.16.0 → 1.17.1

package/dist/commands/import.js

@@ -0,0 +1,203 @@
+/**
+ * `agents import` — adopt an existing unmanaged agent install into agents-cli.
+ *
+ * Three forms:
+ *
+ *   agents import openclaw
+ *     Auto-detect via the binary on PATH. Resolves the npm package directory,
+ *     reads its version, and registers it under
+ *     ~/.agents/.history/versions/<agent>/<version>/.
+ *
+ *   agents import openclaw --version 2026.3.8
+ *     Same auto-detect, but pin the version label rather than reading it from
+ *     the package. Useful when the package metadata is stale or you want a
+ *     canonical name.
+ *
+ *   agents import openclaw --from-path /opt/homebrew/lib/node_modules/openclaw
+ *     Skip detection entirely. The given path must be a directory containing
+ *     a valid package.json with a `bin` entry.
+ *
+ * In all forms, the agent's config dir (e.g. ~/.openclaw) is also moved under
+ * management — same behavior as the first-run `agents setup` import flow.
+ */
+import chalk from 'chalk';
+import ora from 'ora';
+import * as fs from 'fs';
+import * as path from 'path';
+import { confirm } from '@inquirer/prompts';
+import { ALL_AGENT_IDS } from '../lib/agents.js';
+import { AGENTS, getCliPath, getCliVersion, agentLabel } from '../lib/agents.js';
+import { getVersionDir } from '../lib/versions.js';
+import { finalizeImport, importAgentBinary, importAgentConfig, resolvePackageDirFromBinary, } from '../lib/import.js';
+import { isPromptCancelled, isInteractiveTerminal } from './utils.js';
+function isValidAgentId(value) {
+    return ALL_AGENT_IDS.includes(value);
+}
+async function runImport(agentArg, opts) {
+    if (!isValidAgentId(agentArg)) {
+        console.error(chalk.red(`Unknown agent: ${agentArg}`));
+        console.error(chalk.gray(`Known agents: ${ALL_AGENT_IDS.join(', ')}`));
+        process.exit(1);
+    }
+    const agentId = agentArg;
+    const agent = AGENTS[agentId];
+    // Reject agents that don't ship via npm before we spin up PATH lookups and
+    // prompts. cursor/kiro/goose/roo all have npmPackage='' and use custom
+    // install scripts — the symlink-farm import doesn't apply to them.
+    if (!agent.npmPackage) {
+        console.error(chalk.red(`${agentLabel(agentId)} doesn't install via npm — \`agents import\` only handles npm-style packages.`));
+        console.error(chalk.gray(`Use \`agents add ${agentId}\` to install via its native script.`));
+        process.exit(1);
+    }
+    let globalPath = null;
+    if (opts.fromPath) {
+        globalPath = path.resolve(opts.fromPath);
+        if (!fs.existsSync(globalPath)) {
+            console.error(chalk.red(`Path does not exist: ${globalPath}`));
+            process.exit(1);
+        }
+    }
+    else {
+        const binary = await getCliPath(agentId);
+        if (!binary) {
+            // Use || (not ??) so empty-string npmPackage falls back to cliCommand.
+            // Defensive: agents with empty npmPackage are rejected above, but keep
+            // the operator correct in case that early check is ever relaxed.
+            const installName = agent.npmPackage || agent.cliCommand;
+            console.error(chalk.red(`No "${agent.cliCommand}" found on PATH.`));
+            console.error(chalk.gray(`Install it first (e.g. \`npm i -g ${installName}\`) or pass --from-path.`));
+            process.exit(1);
+        }
+        globalPath = resolvePackageDirFromBinary(binary);
+        if (!globalPath) {
+            console.error(chalk.red(`Could not resolve npm package for binary: ${binary}`));
+            console.error(chalk.gray('Pass --from-path <dir> with the package directory explicitly.'));
+            process.exit(1);
+        }
+    }
+    let version = opts.version;
+    if (!version) {
+        try {
+            const pkg = JSON.parse(fs.readFileSync(path.join(globalPath, 'package.json'), 'utf8'));
+            version = typeof pkg.version === 'string' ? pkg.version : undefined;
+        }
+        catch {
+            /* fall through */
+        }
+        // Only fall back to running the PATH binary's --version when we're
+        // auto-detecting. With --from-path, the PATH binary may belong to a
+        // different install entirely; reporting its version here would silently
+        // mis-attribute the imported version.
+        if (!version && !opts.fromPath) {
+            const detected = await getCliVersion(agentId);
+            version = detected ?? undefined;
+        }
+    }
+    if (!version) {
+        console.error(chalk.red(`Could not determine version for ${agentLabel(agentId)}.`));
+        console.error(chalk.gray('Pass --version <version> explicitly.'));
+        process.exit(1);
+    }
+    const versionDir = getVersionDir(agentId, version);
+    console.log(chalk.bold(`\nImport ${agentLabel(agentId)} v${version}`));
+    console.log(`  from: ${chalk.gray(globalPath)}`);
+    console.log(`  into: ${chalk.gray(versionDir)}`);
+    const configDirExists = fs.existsSync(agent.configDir);
+    let configAlreadyManaged = false;
+    if (configDirExists) {
+        const stat = fs.lstatSync(agent.configDir);
+        if (stat.isSymbolicLink()) {
+            configAlreadyManaged = true;
+            console.log(`  config: ${chalk.gray(`${agent.configDir} (already managed — will skip)`)}`);
+        }
+        else {
+            console.log(`  config: ${chalk.gray(`${agent.configDir} (will be moved into version home)`)}`);
+        }
+    }
+    else {
+        console.log(`  config: ${chalk.gray(`${agent.configDir} (does not exist — will skip)`)}`);
+    }
+    if (!opts.yes && isInteractiveTerminal()) {
+        console.log();
+        const proceed = await confirm({
+            message: `Import ${agentLabel(agentId)} v${version} into agents-cli?`,
+            default: true,
+        }).catch((err) => {
+            if (isPromptCancelled(err))
+                return false;
+            throw err;
+        });
+        if (!proceed) {
+            console.log(chalk.gray('Aborted.'));
+            return;
+        }
+    }
+    // Order: config first, then binary, then finalize. Config does the
+    // user-visible side effect (renaming ~/.<agent>/), so if it fails we don't
+    // want a stranded symlink farm. Binary registration is cheap and reversible
+    // — if it fails after config, the next `agents import` call retries cleanly.
+    const willImportConfig = configDirExists && !configAlreadyManaged;
+    if (willImportConfig) {
+        const cfgSpinner = ora(`Importing config dir for ${agentLabel(agentId)} v${version}...`).start();
+        const cfgResult = await importAgentConfig(agentId, version);
+        if (cfgResult.success) {
+            cfgSpinner.succeed(`Config imported (${agent.configDir} -> ${versionDir}/home/.${agentId})`);
+        }
+        else if (cfgResult.skipped) {
+            cfgSpinner.warn(`Config: ${cfgResult.error}`);
+        }
+        else {
+            cfgSpinner.fail(`Config: ${cfgResult.error}`);
+            process.exit(1);
+        }
+    }
+    const binSpinner = ora(`Registering ${agentLabel(agentId)} v${version} binary...`).start();
+    const binResult = importAgentBinary({ agentId, npmPackage: agent.npmPackage, cliCommand: agent.cliCommand }, version, globalPath, versionDir);
+    if (binResult.success) {
+        binSpinner.succeed(`Binary registered (${agent.cliCommand} -> ${globalPath})`);
+    }
+    else if (binResult.skipped) {
+        binSpinner.warn(`Binary: ${binResult.error}`);
+    }
+    else {
+        binSpinner.fail(`Binary: ${binResult.error}`);
+        process.exit(1);
+    }
+    // Wire the imported version into the resolver: global default, main shim,
+    // versioned alias, home-file symlinks. Idempotent — safe to call even if
+    // importAgentConfig already set the global default.
+    const finalizeSpinner = ora(`Wiring ${agentLabel(agentId)} v${version} as the active version...`).start();
+    try {
+        finalizeImport(agentId, version);
+        finalizeSpinner.succeed(`${agentLabel(agentId)} v${version} set as default with shim + alias`);
+    }
+    catch (err) {
+        finalizeSpinner.fail(`Finalize: ${err.message}`);
+        process.exit(1);
+    }
+    console.log();
+    console.log(chalk.green(`${agentLabel(agentId)} v${version} is now managed.`));
+    console.log(chalk.gray(`Verify: agents view ${agentId}`));
+}
+export function registerImportCommand(program) {
+    program
+        .command('import')
+        .argument('<agent>', 'Agent id (e.g. openclaw, claude, codex)')
+        .description('Import an existing unmanaged agent install into agents-cli')
+        .option('--version <version>', 'Pin a version label (otherwise read from package.json)')
+        .option('--from-path <path>', 'Path to the npm package dir (otherwise auto-detected from PATH)')
+        .option('-y, --yes', 'Skip the confirmation prompt')
+        .addHelpText('after', `
+Examples:
+  $ agents import openclaw                          Auto-detect via PATH
+  $ agents import openclaw --version 2026.3.8       Pin a version label
+  $ agents import openclaw --from-path /opt/homebrew/lib/node_modules/openclaw
+
+When to use:
+  When an agent CLI is already installed globally via npm or homebrew and you
+  want to bring it under agents-cli management without reinstalling. Creates a
+  symlink farm pointing at the existing install — nothing is copied or moved
+  (except the agent's config dir, which is moved into the version's home).
+`)
+        .action(runImport);
+}

package/dist/commands/plugins.js

@@ -8,10 +8,10 @@
 import * as fs from 'fs';
 import * as path from 'path';
 import chalk from 'chalk';
+import { input } from '@inquirer/prompts';
 import { PLUGINS_CAPABLE_AGENTS, agentLabel } from '../lib/agents.js';
-import { discoverPlugins, getPlugin, pluginSupportsAgent, removePluginFromVersion } from '../lib/plugins.js';
+import { discoverPlugins, getPlugin, pluginSupportsAgent, removePluginFromVersion, isPluginSynced, installPlugin, updatePlugin, loadUserConfig, saveUserConfig, checkPluginDependencies, } from '../lib/plugins.js';
 import { listInstalledVersions, syncResourcesToVersion, getGlobalDefault, getVersionHomePath, } from '../lib/versions.js';
-import { isPluginSynced } from '../lib/plugins.js';
 import { isPromptCancelled, isInteractiveTerminal, requireDestructiveArg, requireInteractiveSelection, promptRemovalTargets, } from './utils.js';
 import { itemPicker } from '../lib/picker.js';
 import { showResourceList, buildTargetsSection, } from './resource-view.js';
@@ -308,21 +308,45 @@ Examples:
             return;
         }
         let totalSkills = 0;
+        let totalCommands = 0;
+        let totalAgentDefs = 0;
         let totalHooks = 0;
         let totalPerms = 0;
+        let totalMcp = 0;
         let versionsTouched = 0;
         for (const target of selectedTargets) {
             const versionHome = getVersionHomePath(target.agent, target.version);
             const r = removePluginFromVersion(name, resolvedRoot, target.agent, versionHome);
-            if (r.skills.length > 0 || r.hooks.length > 0 || r.permissions > 0) {
+            const anyRemoved = r.skills.length > 0 || r.commands.length > 0 || r.agentDefs.length > 0 ||
+                r.bin.length > 0 || r.hooks.length > 0 || r.permissions > 0 || r.mcp > 0;
+            if (anyRemoved) {
                 versionsTouched += 1;
                 totalSkills += r.skills.length;
+                totalCommands += r.commands.length;
+                totalAgentDefs += r.agentDefs.length;
                 totalHooks += r.hooks.length;
                 totalPerms += r.permissions;
-                console.log(`  ${chalk.red('-')} ${target.label}: ${r.skills.length} skill(s), ${r.hooks.length} hook(s), ${r.permissions} perm(s)`);
+                totalMcp += r.mcp;
+                const parts = [
+                    r.skills.length > 0 ? `${r.skills.length} skill(s)` : null,
+                    r.commands.length > 0 ? `${r.commands.length} command(s)` : null,
+                    r.agentDefs.length > 0 ? `${r.agentDefs.length} agent def(s)` : null,
+                    r.hooks.length > 0 ? `${r.hooks.length} hook(s)` : null,
+                    r.permissions > 0 ? `${r.permissions} perm(s)` : null,
+                    r.mcp > 0 ? `${r.mcp} MCP server(s)` : null,
+                ].filter(Boolean);
+                console.log(`  ${chalk.red('-')} ${target.label}: ${parts.join(', ')}`);
             }
         }
-        console.log(chalk.green(`\nUnsynced ${name} from ${versionsTouched} version(s) — ${totalSkills} skills, ${totalHooks} hooks, ${totalPerms} permissions`));
+        const summary = [
+            totalSkills > 0 ? `${totalSkills} skills` : null,
+            totalCommands > 0 ? `${totalCommands} commands` : null,
+            totalAgentDefs > 0 ? `${totalAgentDefs} agent defs` : null,
+            totalHooks > 0 ? `${totalHooks} hooks` : null,
+            totalPerms > 0 ? `${totalPerms} permissions` : null,
+            totalMcp > 0 ? `${totalMcp} MCP servers` : null,
+        ].filter(Boolean).join(', ') || 'nothing';
+        console.log(chalk.green(`\nUnsynced ${name} from ${versionsTouched} version(s) — ${summary}`));
         // Only delete source if ALL targets were selected
         if (!options.keepSource && selectedTargets.length === availableTargets.length) {
             if (fs.existsSync(pluginRoot)) {
@@ -337,6 +361,156 @@ Examples:
             console.log(chalk.gray(`Kept source at ${formatPath(pluginRoot)}`));
         }
     });
+    // agents plugins install <spec>
+    pluginsCmd
+        .command('install <spec>')
+        .description('Install a plugin from a git URL or local path (format: name@source or source)')
+        .addHelpText('after', `
+Examples:
+  # Install from a git URL
+  agents plugins install my-plugin@https://github.com/user/my-plugin.git
+
+  # Install from a local path
+  agents plugins install /path/to/plugin
+
+  # Named install from a local path
+  agents plugins install rush-toolkit@~/Projects/rush-toolkit
+`)
+        .action(async (spec) => {
+        console.log(chalk.gray(`Installing plugin from: ${spec}`));
+        let name;
+        let root;
+        try {
+            const result = await installPlugin(spec);
+            name = result.name;
+            root = result.root;
+        }
+        catch (err) {
+            console.log(chalk.red(`Install failed: ${err.message}`));
+            process.exit(1);
+        }
+        const plugin = getPlugin(name);
+        if (!plugin) {
+            console.log(chalk.red(`Installed but could not load plugin '${name}'`));
+            process.exit(1);
+        }
+        // Check dependencies
+        const missingDeps = checkPluginDependencies(plugin.manifest);
+        if (missingDeps.length > 0) {
+            console.log(chalk.yellow(`Warning: missing dependencies: ${missingDeps.join(', ')}`));
+            console.log(chalk.gray('Install them with: agents plugins install <name>@<source>'));
+        }
+        // Prompt for userConfig fields
+        if (plugin.manifest.userConfig && plugin.manifest.userConfig.length > 0 && isInteractiveTerminal()) {
+            const existingConfig = loadUserConfig(name);
+            const newConfig = await promptUserConfig(plugin.manifest, existingConfig);
+            if (Object.keys(newConfig).length > 0) {
+                saveUserConfig(name, { ...existingConfig, ...newConfig });
+                console.log(chalk.gray('User config saved.'));
+            }
+        }
+        // Sync to all supported installed versions
+        console.log();
+        let synced = 0;
+        for (const agentId of PLUGINS_CAPABLE_AGENTS) {
+            if (!pluginSupportsAgent(plugin, agentId))
+                continue;
+            const versions = listInstalledVersions(agentId);
+            if (versions.length === 0)
+                continue;
+            const defaultVer = getGlobalDefault(agentId);
+            const targetVersions = defaultVer ? [defaultVer] : [versions[versions.length - 1]];
+            for (const version of targetVersions) {
+                const syncResult = syncResourcesToVersion(agentId, version, { plugins: [name] });
+                if (syncResult.plugins.length > 0) {
+                    console.log(chalk.green(`  Synced to ${agentLabel(agentId)}@${version}`));
+                    synced++;
+                }
+            }
+        }
+        if (synced === 0) {
+            console.log(chalk.gray('  No supported agent versions installed — run "agents use <agent>@<version>" to sync.'));
+        }
+        console.log(chalk.bold(`\nInstalled ${plugin.name} v${plugin.manifest.version} to ${formatPath(root)}`));
+    });
+    // agents plugins update [name]
+    pluginsCmd
+        .command('update [name]')
+        .description('Re-pull a plugin from its original source and re-sync to all versions')
+        .addHelpText('after', `
+Examples:
+  # Update a specific plugin
+  agents plugins update rush-toolkit
+
+  # Update all plugins
+  agents plugins update
+`)
+        .action(async (nameArg) => {
+        const plugins = nameArg ? [getPlugin(nameArg)].filter(Boolean) : discoverPlugins();
+        if (nameArg && plugins.length === 0) {
+            console.log(chalk.red(`Plugin '${nameArg}' not found`));
+            process.exit(1);
+        }
+        if (plugins.length === 0) {
+            console.log(chalk.gray('No plugins installed.'));
+            return;
+        }
+        for (const plugin of plugins) {
+            process.stdout.write(`Updating ${plugin.name}... `);
+            const result = await updatePlugin(plugin.name);
+            if (!result.success) {
+                console.log(chalk.red(`failed — ${result.error || 'unknown error'}`));
+                continue;
+            }
+            console.log(chalk.green('done'));
+            // Re-sync to all supported installed versions
+            for (const agentId of PLUGINS_CAPABLE_AGENTS) {
+                if (!pluginSupportsAgent(plugin, agentId))
+                    continue;
+                const versions = listInstalledVersions(agentId);
+                const defaultVer = getGlobalDefault(agentId);
+                const targetVersions = defaultVer ? [defaultVer] : versions.slice(-1);
+                for (const version of targetVersions) {
+                    const syncResult = syncResourcesToVersion(agentId, version, { plugins: [plugin.name] });
+                    if (syncResult.plugins.length > 0) {
+                        console.log(chalk.gray(`  Re-synced to ${agentLabel(agentId)}@${version}`));
+                    }
+                }
+            }
+        }
+    });
+}
+/**
+ * Prompt for missing or empty userConfig fields interactively.
+ * Only prompts for fields not already present in existingConfig.
+ */
+async function promptUserConfig(manifest, existingConfig = {}) {
+    const result = {};
+    const fields = manifest.userConfig || [];
+    for (const field of fields) {
+        if (existingConfig[field.key] !== undefined)
+            continue;
+        const defaultValue = field.default ?? '';
+        try {
+            const value = await input({
+                message: field.description + (field.required ? ' (required)' : ' (optional)'),
+                default: defaultValue || undefined,
+                required: field.required ?? false,
+            });
+            if (value) {
+                result[field.key] = value;
+            }
+            else if (defaultValue) {
+                result[field.key] = defaultValue;
+            }
+        }
+        catch (err) {
+            if (isPromptCancelled(err))
+                break;
+            throw err;
+        }
+    }
+    return result;
 }
 /** Convert discovered plugins into rows suitable for the resource list view. */
 function buildPluginRows(plugins) {

package/dist/commands/prune.js

@@ -404,12 +404,18 @@ Examples:
   # Full sweep: orphan resources + duplicate versions for current defaults
   agents prune
 
+  # Preview what a full sweep would remove
+  agents prune --dry-run
+
   # Just orphan skills
   agents prune skills
 
   # Just version dedup
   agents prune versions
 
+  # Deduplicate versions for one agent only
+  agents prune claude
+
   # Sweep every installed version's orphans, not only the defaults
   agents prune --all
 

package/dist/commands/secrets.js

@@ -9,6 +9,7 @@ import chalk from 'chalk';
 import * as fs from 'fs';
 import { bundleExists, deleteBundle, describeBundle, keychainItemsForBundle, keychainRef, listBundles, migrateLegacyBundles, parseDotenv, readBundle, rotateBundleSecret, validateBundleName, validateEnvKey, validateExpiresFutureDated, validateSecretType, writeBundle, } from '../lib/secrets/bundles.js';
 import { deleteKeychainToken, getKeychainToken, hasKeychainToken, secretsKeychainItem, setKeychainToken, } from '../lib/secrets/index.js';
+import { assertOpAvailable, createPasswordItem, deleteItemByTitle, extractSecrets, itemExistsByTitle, listItems, listVaults, } from '../lib/onepassword.js';
 import { registerCommandGroups } from '../lib/help.js';
 import { isInteractiveTerminal, isPromptCancelled } from './utils.js';
 /** Prompt the user for a secret value with masked input. Requires an interactive TTY. */
@@ -91,6 +92,24 @@ async function promptKeyName(bundleName) {
         },
     });
 }
+/** Resolve a 1Password vault name — use the provided value, or prompt interactively. */
+async function resolveVault(vaultOpt) {
+    if (vaultOpt)
+        return vaultOpt;
+    const vaults = listVaults();
+    if (vaults.length === 0)
+        throw new Error('No 1Password vaults found. Make sure you are signed in: op signin');
+    if (vaults.length === 1)
+        return vaults[0].name;
+    if (!isInteractiveTerminal()) {
+        throw new Error(`Multiple vaults found. Pass --vault <name> (available: ${vaults.map((v) => v.name).join(', ')})`);
+    }
+    const { select } = await import('@inquirer/prompts');
+    return await select({
+        message: 'Which 1Password vault?',
+        choices: vaults.map((v) => ({ name: v.name, value: v.name })),
+    });
+}
 /** Read all available data from stdin synchronously, trimmed. */
 function readStdinSync() {
     const chunks = [];
@@ -268,6 +287,13 @@ Examples:
   # Import an entire .env file straight into keychain
   agents secrets import prod --from .env.prod
 
+  # Import secrets from a 1Password vault
+  agents secrets import prod --from-1password --vault "Rush Prod"
+
+  # Push a bundle back to 1Password (vault migration, backup)
+  agents secrets export prod --to-1password --vault "Rush Prod"
+  agents secrets export prod --to-1password --vault "Rush Prod" --force
+
   # See what's in a bundle (values masked)
   agents secrets view prod
 
@@ -649,35 +675,71 @@ Examples:
     });
     cmd
         .command('import [bundle]')
-        .description('Import keys from a .env file into a bundle. By default every key is stored in keychain.')
-        .requiredOption('--from <path>', 'Path to a .env file')
+        .description('Import keys from a .env file or a 1Password vault into a bundle. By default every key is stored in keychain.')
+        .option('--from <path>', 'Path to a .env file')
+        .option('--from-1password', 'Import secrets from a 1Password vault (requires the op CLI)')
+        .option('--vault <name>', '1Password vault name (used with --from-1password)')
         .option('--all-plaintext', 'Store every imported value as a literal in the bundle metadata (skip keychain item creation)')
         .option('--force', 'Overwrite an existing key in the bundle')
         .action(async (bundleName, opts) => {
         try {
+            if (!opts.from && !opts.from1password) {
+                throw new Error('Pass --from <path> to import a .env file, or --from-1password to import from a 1Password vault.');
+            }
+            if (opts.from && opts.from1password) {
+                throw new Error('--from and --from-1password are mutually exclusive.');
+            }
             const resolvedBundleName = bundleName ?? (await pickBundleName('import into'));
             const bundle = readBundle(resolvedBundleName);
-            const raw = fs.readFileSync(opts.from, 'utf-8');
-            const pairs = parseDotenv(raw);
             let added = 0;
             let skipped = 0;
-            for (const [key, value] of Object.entries(pairs)) {
-                if (!opts.force && key in bundle.vars) {
-                    skipped++;
-                    continue;
+            if (opts.from1password) {
+                assertOpAvailable();
+                const vault = await resolveVault(opts.vault);
+                const items = listItems(vault);
+                const { secrets, skipped: opSkipped } = extractSecrets(items, vault);
+                for (const { envKey, value } of secrets) {
+                    if (!opts.force && envKey in bundle.vars) {
+                        skipped++;
+                        continue;
+                    }
+                    if (opts.allPlaintext) {
+                        bundle.vars[envKey] = { value };
+                    }
+                    else {
+                        const item = secretsKeychainItem(resolvedBundleName, envKey);
+                        setKeychainToken(item, value, bundle.icloud_sync);
+                        bundle.vars[envKey] = keychainRef(envKey);
+                    }
+                    added++;
                 }
-                if (opts.allPlaintext) {
-                    bundle.vars[key] = { value };
+                writeBundle(bundle);
+                if (opSkipped.length) {
+                    console.log(chalk.yellow(`Skipped ${opSkipped.length} item(s) with no importable fields.`));
                 }
-                else {
-                    const item = secretsKeychainItem(resolvedBundleName, key);
-                    setKeychainToken(item, value, bundle.icloud_sync);
-                    bundle.vars[key] = keychainRef(key);
+                console.log(chalk.green(`Imported ${added} key(s) from 1Password vault '${vault}'${skipped ? `, skipped ${skipped} (already set, pass --force)` : ''}.`));
+            }
+            else {
+                const raw = fs.readFileSync(opts.from, 'utf-8');
+                const pairs = parseDotenv(raw);
+                for (const [key, value] of Object.entries(pairs)) {
+                    if (!opts.force && key in bundle.vars) {
+                        skipped++;
+                        continue;
+                    }
+                    if (opts.allPlaintext) {
+                        bundle.vars[key] = { value };
+                    }
+                    else {
+                        const item = secretsKeychainItem(resolvedBundleName, key);
+                        setKeychainToken(item, value, bundle.icloud_sync);
+                        bundle.vars[key] = keychainRef(key);
+                    }
+                    added++;
                 }
-                added++;
+                writeBundle(bundle);
+                console.log(chalk.green(`Imported ${added} key(s)${skipped ? `, skipped ${skipped} (already set, pass --force)` : ''}.`));
             }
-            writeBundle(bundle);
-            console.log(chalk.green(`Imported ${added} key(s)${skipped ? `, skipped ${skipped} (already set, pass --force)` : ''}.`));
         }
         catch (err) {
             if (isPromptCancelled(err))
@@ -688,13 +750,49 @@ Examples:
     });
     cmd
         .command('export [bundle]')
-        .description('Resolve a bundle and print KEY=VALUE lines (for `eval "$(agents secrets export prod)"`). Refuses on a TTY unless --plaintext.')
-        .option('--plaintext', 'Acknowledge that the resolved values will be printed in the clear')
+        .description('Resolve a bundle and print KEY=VALUE lines, or push it to a 1Password vault with --to-1password.')
+        .option('--plaintext', 'Acknowledge that the resolved values will be printed in the clear (shell export mode)')
+        .option('--to-1password', 'Push every key in the bundle as a PASSWORD item in a 1Password vault')
+        .option('--vault <name>', '1Password vault name (used with --to-1password)')
+        .option('--force', 'Overwrite existing 1Password items (used with --to-1password)')
         .action(async (bundleName, opts) => {
         try {
             const { resolveBundleEnv, bundleToEnvPrefix, isReservedEnvName } = await import('../lib/secrets/bundles.js');
             const resolvedBundleName = bundleName ?? (await pickBundleName('export'));
             const bundle = readBundle(resolvedBundleName);
+            if (opts.to1password) {
+                assertOpAvailable();
+                const vault = await resolveVault(opts.vault);
+                const env = resolveBundleEnv(bundle);
+                let created = 0;
+                let overwritten = 0;
+                let skipped = 0;
+                for (const [key, value] of Object.entries(env)) {
+                    const exists = itemExistsByTitle(key, vault);
+                    if (exists) {
+                        if (!opts.force) {
+                            skipped++;
+                            continue;
+                        }
+                        deleteItemByTitle(key, vault);
+                        createPasswordItem(key, value, vault);
+                        overwritten++;
+                    }
+                    else {
+                        createPasswordItem(key, value, vault);
+                        created++;
+                    }
+                }
+                const parts = [];
+                if (created)
+                    parts.push(`${created} created`);
+                if (overwritten)
+                    parts.push(`${overwritten} overwritten`);
+                if (skipped)
+                    parts.push(`${skipped} skipped (already exist, pass --force)`);
+                console.log(chalk.green(`Exported to 1Password vault '${vault}': ${parts.join(', ')}.`));
+                return;
+            }
             if (isInteractiveTerminal() && !opts.plaintext) {
                 console.error(chalk.red('export to a TTY requires --plaintext (prevents shoulder-surfing).'));
                 process.exit(1);