@qui-cli/env 5.1.0 → 5.1.1

package/CHANGELOG.md

@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file. See [commit-and-tag-version](https://github.com/absolute-version/commit-and-tag-version) for commit guidelines.
 
+## [5.1.1](https://github.com/battis/qui-cli/compare/env/5.1.0...env/5.1.1) (2026-01-21)
+
+
+### Bug Fixes
+
+* configure 1Password before looking up secret references ([7046af5](https://github.com/battis/qui-cli/commit/7046af55ed2720b7b74bd437f335fe49fa8bc00f))
+
 ## [5.1.0](https://github.com/battis/qui-cli/compare/env/5.0.4...env/5.1.0) (2026-01-19)
 
 

package/dist/1Password/1Password.d.ts

@@ -1,12 +1,36 @@
 import * as Plugin from '@qui-cli/plugin';
-import { OPConfiguration } from './Configuration.js';
-export declare const name = "1password support";
-export declare function configure(proposal?: OPConfiguration): Promise<void>;
-export declare function options(): Plugin.Options;
-export declare function init({ values }: Plugin.ExpectedArguments<typeof options>): Promise<void>;
-export declare function get(ref: string): Promise<string>;
-/** Requires a service account with write privileges */
-export declare function set({ ref, value }: {
-    ref: string;
-    value: string;
-}): Promise<void>;
+import * as Base from './Base.js';
+import * as Secrets from './Secrets.js';
+export type Configuration = Plugin.Configuration & {
+    /**
+     * 1Password service account token; will use the environment variable OP_TOKEN
+     * if present
+     */
+    opToken?: string;
+    /**
+     * Name or ID of the 1Password API Credential item storing the 1Password
+     * service account token; will use environment variable OP_ITEM if present
+     */
+    opItem?: string;
+    /**
+     * 1Password account to use (if signed into multiple); will use environment
+     * variable OP_ACCOUNT if present
+     */
+    opAccount?: string;
+};
+export declare class OP implements Base.Plugin {
+    [key: string]: unknown;
+    readonly name = "env.1password";
+    private config;
+    private _client;
+    private getClient;
+    configure(proposal?: Configuration): void;
+    private configureFromEnv;
+    options(): Plugin.Options;
+    init({ values }: Plugin.ExpectedArguments<typeof this.options>): Promise<void>;
+    get({ ref, env }: Base.GetOptions): Promise<string>;
+    isSecretReference: typeof Secrets.isRef;
+    private itemFrom;
+    /** Requires a service account with write privileges */
+    set({ ref, value, env }: Base.SetOptions): Promise<void>;
+}

package/dist/1Password/1Password.js

@@ -5,153 +5,152 @@ import { Log } from '@qui-cli/log';
 import { Shell } from '@qui-cli/shell';
 import path from 'node:path';
 import ora from 'ora';
-export const name = '1password support';
-const config = {};
-let _client = undefined;
-async function getClient() {
-    if (!_client) {
-        const spinner = ora('Loading 1Password').start();
-        if (config.opItem && !config.opToken) {
-            const silent = Shell.isSilent();
-            const showCommands = Shell.commandsShown();
-            const logging = Shell.isLogging();
-            Shell.configure({ silent: true, showCommands: false, logging: false });
-            if (/(\d+\.)+\d/.test(Shell.exec('op -v').stdout)) {
-                const { stdout, stderr } = Shell.exec(`op item get ${config.opAccount ? `--account "${config.opAccount}" ` : ''}--reveal --fields credential "${config.opItem}"`);
-                if (stdout.length) {
-                    config.opToken = stdout.trim();
+import * as Secrets from './Secrets.js';
+export class OP {
+    name = 'env.1password';
+    config = {};
+    _client = undefined;
+    async getClient() {
+        if (!this._client) {
+            const spinner = ora('Loading 1Password').start();
+            if (this.config.opItem && !this.config.opToken) {
+                const silent = Shell.isSilent();
+                const showCommands = Shell.commandsShown();
+                const logging = Shell.isLogging();
+                Shell.configure({ silent: true, showCommands: false, logging: false });
+                if (/(\d+\.)+\d/.test(Shell.exec('op -v').stdout)) {
+                    const { stdout, stderr } = Shell.exec(`op item get ${this.config.opAccount ? `--account "${this.config.opAccount}" ` : ''}--reveal --fields credential "${this.config.opItem}"`);
+                    if (stdout.length) {
+                        this.config.opToken = stdout.trim();
+                    }
+                    else {
+                        Log.fatal(stderr);
+                        process.exit(1);
+                    }
                 }
                 else {
-                    Log.fatal(stderr);
-                    process.exit(1);
+                    throw new Error(`Looking up a 1Password service account token by item identifier requires the 1Password CLI (${Colors.url('https://developer.1password.com/docs/cli')}).`);
                 }
+                Shell.configure({ silent, showCommands, logging });
+            }
+            if (this.config.opToken) {
+                const pkg = await importLocal(path.join(import.meta.dirname, '../../package.json'));
+                this._client = await createClient({
+                    auth: this.config.opToken,
+                    integrationName: pkg
+                        .name.replace(/^(\/|@)/, '')
+                        .replace(/[/@]+/g, '-'),
+                    integrationVersion: pkg.version
+                });
+                spinner.succeed('1Password loaded');
             }
             else {
-                throw new Error(`Looking up a 1Password service account token by item identifier requires the 1Password CLI (${Colors.url('https://developer.1password.com/docs/cli')}).`);
+                spinner.fail();
+                throw new Error('A 1Password service account token was not provided.');
             }
-            Shell.configure({ silent, showCommands, logging });
-        }
-        if (config.opToken) {
-            const pkg = await importLocal(path.join(import.meta.dirname, '../../package.json'));
-            _client = await createClient({
-                auth: config.opToken,
-                integrationName: pkg
-                    .name.replace(/^(\/|@)/, '')
-                    .replace(/[/@]+/g, '-'),
-                integrationVersion: pkg.version
-            });
-            spinner.succeed('1Password loaded');
-        }
-        else {
-            const message = 'A 1Password service account token was not provided.';
-            spinner.fail(message);
-            throw new Error('A 1Password service account token was not provided.');
         }
+        return this._client;
     }
-    return _client;
-}
-export async function configure(proposal = {}) {
-    for (const key in proposal) {
-        if (proposal[key] !== undefined) {
-            config[key] = proposal[key];
+    configure(proposal = {}) {
+        for (const key in proposal) {
+            if (proposal[key] !== undefined) {
+                this.config[key] = proposal[key];
+            }
         }
     }
-}
-export function options() {
-    return {
-        man: [
-            {
-                level: 1,
-                text: '1Password environment integration'
-            },
-            {
-                text: `If 1Password secret references are stored in the environment, a ` +
-                    `1Password service account token is required to access the secret ` +
-                    `values.`
-            }
-        ],
-        opt: {
-            opAccount: {
-                description: `1Password account to use (if signed into multiple); will use ` +
-                    `environment variable ${Colors.varName('OP_ACCOUNT')} if present`,
-                hint: 'example.1password.com',
-                default: config.opAccount
-            },
-            opItem: {
-                description: `Name or ID of the 1Password API Credential item storing the ` +
-                    `1Password service account token; will use environment variable ` +
-                    `${Colors.varName('OP_ITEM')} if present. Requires the 1Password ` +
-                    `CLI tool (${Colors.url('https://developer.1password.com/docs/cli')})`,
-                hint: '1Password unique identifier',
-                default: config.opItem
-            },
-            opToken: {
-                description: `1Password service account token; will use environment variable ` +
-                    `${Colors.varName('OP_TOKEN')} if present`,
-                hint: 'token value',
-                secret: true,
-                default: config.opToken
+    configureFromEnv(env) {
+        this.configure({
+            opAccount: env.OP_ACCOUNT,
+            opItem: env.OP_ITEM,
+            opToken: env.OP_TOKEN
+        });
+    }
+    options() {
+        return {
+            man: [
+                {
+                    level: 1,
+                    text: '1Password environment integration'
+                },
+                {
+                    text: `If 1Password secret references are stored in the environment, a ` +
+                        `1Password service account token is required to access the secret ` +
+                        `values.`
+                }
+            ],
+            opt: {
+                opAccount: {
+                    description: `1Password account to use (if signed into multiple); will use ` +
+                        `environment variable ${Colors.varName('OP_ACCOUNT')} if present`,
+                    hint: 'example.1password.com',
+                    default: this.config.opAccount
+                },
+                opItem: {
+                    description: `Name or ID of the 1Password API Credential item storing the ` +
+                        `1Password service account token; will use environment variable ` +
+                        `${Colors.varName('OP_ITEM')} if present. Requires the 1Password ` +
+                        `CLI tool (${Colors.url('https://developer.1password.com/docs/cli')})`,
+                    hint: '1Password unique identifier',
+                    default: this.config.opItem
+                },
+                opToken: {
+                    description: `1Password service account token; will use environment variable ` +
+                        `${Colors.varName('OP_TOKEN')} if present`,
+                    hint: 'token value',
+                    secret: true,
+                    default: this.config.opToken
+                }
             }
-        }
-    };
-}
-export async function init({ values }) {
-    const { opAccount = process.env.OP_ACCOUNT, opItem = process.env.OP_ITEM, opToken = process.env.OP_TOKEN } = values;
-    await configure({ ...values, opAccount, opItem, opToken });
-}
-export async function get(ref) {
-    const client = await getClient();
-    return await client.secrets.resolve(ref);
-}
-function explodeSecretReference(secretReference) {
-    // eslint-disable-next-line prefer-const
-    let [vault, item, section, field] = secretReference
-        .replace(/^op:\/\//, '')
-        .split('/');
-    if (field === undefined) {
-        field = section;
-        section = '';
+        };
     }
-    return { vault, item, section, field };
-}
-async function itemFrom(parts) {
-    const client = await getClient();
-    const vault = (await client.vaults.list())
-        .filter((vault) => vault.title == parts.vault)
-        .shift();
-    if (vault) {
-        const item = (await client.items.list(vault.id))
-            .filter((item) => item.title === parts.item || item.id === parts.item)
+    async init({ values }) {
+        await this.configure(values);
+    }
+    async get({ ref, env }) {
+        this.configureFromEnv(env);
+        return await (await this.getClient()).secrets.resolve(ref);
+    }
+    isSecretReference = Secrets.isRef;
+    async itemFrom(parts) {
+        const client = await this.getClient();
+        const vault = (await client.vaults.list())
+            .filter((vault) => vault.title == parts.vault)
             .shift();
-        if (item) {
-            return await client.items.get(vault.id, item.id);
+        if (vault) {
+            const item = (await client.items.list(vault.id))
+                .filter((item) => item.title === parts.item || item.id === parts.item)
+                .shift();
+            if (item) {
+                return await client.items.get(vault.id, item.id);
+            }
         }
     }
-}
-/** Requires a service account with write privileges */
-export async function set({ ref, value }) {
-    const client = await getClient();
-    const parts = explodeSecretReference(ref);
-    const item = await itemFrom(parts);
-    if (item) {
-        const updated = {
-            ...item,
-            fields: item.fields.map((field) => {
-                const section = item.sections.find((s) => s.id === field.sectionId);
-                if (parts.field === field.title || parts.field === field.id) {
-                    if ((!parts.section &&
-                        (field.sectionId === '' || field.sectionId === 'add more')) ||
-                        parts.section === section?.title ||
-                        parts.section === section?.id) {
-                        return { ...field, value };
+    /** Requires a service account with write privileges */
+    async set({ ref, value, env }) {
+        this.configureFromEnv(env);
+        const client = await this.getClient();
+        const parts = Secrets.explodeRef(ref);
+        const item = await this.itemFrom(parts);
+        if (item) {
+            const updated = {
+                ...item,
+                fields: item.fields.map((field) => {
+                    const section = item.sections.find((s) => s.id === field.sectionId);
+                    if (parts.field === field.title || parts.field === field.id) {
+                        if ((!parts.section &&
+                            (field.sectionId === '' || field.sectionId === 'add more')) ||
+                            parts.section === section?.title ||
+                            parts.section === section?.id) {
+                            return { ...field, value };
+                        }
                     }
-                }
-                return field;
-            })
-        };
-        await client.items.put(updated);
-    }
-    else {
-        throw new Error('1Password item could not be found');
+                    return field;
+                })
+            };
+            await client.items.put(updated);
+        }
+        else {
+            throw new Error('1Password item could not be found');
+        }
     }
 }

package/dist/1Password/Base.d.ts

@@ -0,0 +1,18 @@
+import { Base } from '@qui-cli/plugin/dist/Plugin.js';
+import { isRef } from './Secrets.js';
+type Environment = Record<string, string>;
+export type GetOptions = {
+    ref: string;
+    env: Environment;
+};
+export type SetOptions = {
+    ref: string;
+    value: string;
+    env: Environment;
+};
+export interface Plugin extends Base {
+    isSecretReference: typeof isRef;
+    get(options: GetOptions): Promise<string | undefined>;
+    set(options: SetOptions): Promise<void>;
+}
+export {};

package/dist/1Password/Secrets.d.ts

@@ -0,0 +1,8 @@
+export type Reference = {
+    vault: string;
+    item: string;
+    section?: string;
+    field: string;
+};
+export declare function isRef(value: unknown): boolean;
+export declare function explodeRef(ref: string): Reference;

package/dist/1Password/Secrets.js

@@ -0,0 +1,15 @@
+export function isRef(value) {
+    return (!!value &&
+        value !== null &&
+        typeof value === 'string' &&
+        /^op:\/\//.test(value));
+}
+export function explodeRef(ref) {
+    // eslint-disable-next-line prefer-const
+    let [vault, item, section, field] = ref.replace(/^op:\/\//, '').split('/');
+    if (field === undefined) {
+        field = section;
+        section = '';
+    }
+    return { vault, item, section, field };
+}

package/dist/1Password/index.d.ts

@@ -1,3 +1,6 @@
-export * from './1Password.js';
-export * from './Configuration.js';
-export * from './isSecretReference.js';
+import { Plugin } from './Base.js';
+export declare const OP: {
+    isSecretReference: (value: unknown) => boolean;
+    get?: Plugin['get'];
+    set?: Plugin['set'];
+};

package/dist/1Password/index.js

@@ -1,3 +1,17 @@
-export * from './1Password.js';
-export * from './Configuration.js';
-export * from './isSecretReference.js';
+import { register } from '@qui-cli/plugin';
+import { isRef } from './Secrets.js';
+export const OP = {
+    isSecretReference: isRef
+};
+try {
+    await import('@1password/sdk');
+    const opModule = await import('./1Password.js');
+    const plugin = new opModule.OP();
+    OP.set = plugin.set.bind(plugin);
+    OP.get = plugin.get.bind(plugin);
+    await register(plugin);
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+}
+catch (_) {
+    //
+}

package/dist/Env.d.ts

@@ -1,6 +1,5 @@
 import * as Plugin from '@qui-cli/plugin';
 import dotenv from 'dotenv';
-import { OPConfiguration } from './1Password/Configuration.js';
 export type Configuration = Plugin.Configuration & {
     /**
      * Optional root for calculating relative paths to `.env` files. If undefined,
@@ -15,11 +14,10 @@ export type Configuration = Plugin.Configuration & {
     load?: boolean;
     /** Path to desired `.env` file relative to `root`. Defaults to `'.env'`; */
     path?: string;
-} & OPConfiguration;
+};
 export declare const name = "env";
 export declare function configure(proposal?: Configuration): Promise<void>;
-export declare function options(): Promise<Plugin.Options>;
-export declare function init(args: Plugin.ExpectedArguments<typeof options>): Promise<void>;
+export declare function init(): Promise<void>;
 export type ParsedResult = dotenv.DotenvParseOutput;
 export declare function parse(file?: string | undefined): Promise<ParsedResult>;
 export type GetOptions = {

package/dist/Env.js

@@ -2,16 +2,7 @@ import { Root } from '@qui-cli/root';
 import dotenv from 'dotenv';
 import fs from 'node:fs';
 import path from 'node:path';
-import { isSecretReference } from './1Password/isSecretReference.js';
-let OP = undefined;
-try {
-    await import('@1password/sdk');
-    OP = await import('./1Password/index.js');
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-}
-catch (_) {
-    // @1password/sdk not present
-}
+import { OP } from './1Password/index.js';
 export const name = 'env';
 const config = {
     load: true,
@@ -23,30 +14,11 @@ export async function configure(proposal = {}) {
             config[key] = proposal[key];
         }
     }
-    if (OP?.configure) {
-        OP.configure({
-            opAccount: config.opAccount,
-            opItem: config.opItem,
-            opToken: config.opToken
-        });
-    }
     if (config.load) {
         await parse();
     }
 }
-export async function options() {
-    if (OP?.options) {
-        return await OP.options();
-    }
-    else {
-        return {};
-    }
-}
-export async function init(args) {
-    if (OP?.init) {
-        await OP.init(args);
-    }
-    await configure(args.values);
+export async function init() {
     parse();
 }
 function toFilePath(file = '.env') {
@@ -66,9 +38,9 @@ export async function parse(file = config.path) {
 export async function get({ key, file = config.path || '.env' }) {
     if (fs.existsSync(toFilePath(file))) {
         const env = await parse(file);
-        if (isSecretReference(env[key])) {
-            if (OP?.get) {
-                return OP?.get(env[key]);
+        if (OP.isSecretReference(env[key])) {
+            if (OP.get) {
+                return await OP.get({ ref: env[key], env });
             }
             else {
                 throw new Error(`Attempt to read environment variable ${key} that is a 1Password secret reference without @1password/sdk installed.`);
@@ -86,11 +58,12 @@ export async function exists({ key, file = config.path }) {
 }
 export async function set({ key, value, file = config.path, comment, ifNotExists = false }) {
     const filePath = toFilePath(file);
-    const { [key]: prev } = dotenv.config({ path: filePath, quiet: true }).parsed || {};
+    const env = dotenv.config({ path: filePath, quiet: true }).parsed || {};
+    const { [key]: prev } = env;
     if (ifNotExists === false || !prev) {
-        if (prev && isSecretReference(prev)) {
-            if (OP?.set) {
-                OP.set({ ref: prev, value });
+        if (prev && OP.isSecretReference(prev)) {
+            if (OP.set) {
+                await OP.set({ ref: prev, value, env });
             }
             else {
                 throw new Error(`Attmept to update environment variable ${key} that is a 1Password secret reference without installing @1password/sdk`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@qui-cli/env",
-  "version": "5.1.0",
+  "version": "5.1.1",
   "description": "@qui-cli Plugin: Standardized environment configuration",
   "homepage": "https://github.com/battis/qui-cli/tree/main/packages/env#readme",
   "repository": {

package/dist/1Password/Configuration.d.ts

@@ -1,18 +0,0 @@
-import * as Plugin from '@qui-cli/plugin';
-export type OPConfiguration = Plugin.Configuration & {
-    /**
-     * 1Password service account token; will use the environment variable OP_TOKEN
-     * if present
-     */
-    opToken?: string;
-    /**
-     * Name or ID of the 1Password API Credential item storing the 1Password
-     * service account token; will use environment variable OP_ITEM if present
-     */
-    opItem?: string;
-    /**
-     * 1Password account to use (if signed into multiple); will use environment
-     * variable OP_ACCOUNT if present
-     */
-    opAccount?: string;
-};

package/dist/1Password/isSecretReference.d.ts

@@ -1 +0,0 @@
-export declare function isSecretReference(value: unknown): unknown;

package/dist/1Password/isSecretReference.js

@@ -1,6 +0,0 @@
-export function isSecretReference(value) {
-    return (value &&
-        value !== null &&
-        typeof value === 'string' &&
-        /^op:\/\//.test(value));
-}