npm - opencode-1password-auth - Versions diffs - 1.0.0 → 1.0.3 - Mend

opencode-1password-auth 1.0.0 → 1.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/index.ts CHANGED Viewed

@@ -9,10 +9,33 @@ interface OpenCodeConfig {
   mcp?: Record<string, MCPServerConfig>;
 }
-export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
+interface ProviderAuth {
+  type: string;
+  key: string;
+}
+interface AuthJson {
+  [providerId: string]: ProviderAuth;
+}
+export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
   let opClient: Awaited<ReturnType<typeof sdk.createClient>> | null = null;
   let mcpsEnvId: string | undefined;
+  const getHomeDir = (): string => {
+    return process.env.HOME || process.env.USERPROFILE || "";
+  };
+  const getAuthJsonPath = (): string => {
+    const home = getHomeDir();
+    return `${home}/.local/share/opencode/auth.json`;
+  };
+  const getOpenCodeJsonPath = (): string => {
+    const home = getHomeDir();
+    return `${home}/.config/opencode/opencode.json`;
+  };
   const initClient = async () => {
     const token = process.env.OP_SERVICE_ACCOUNT_TOKEN;
     if (!token) {
@@ -55,6 +78,91 @@ export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
     return secrets;
   };
+  const updateAuthJson = async (providerEnvId: string): Promise<void> => {
+    const authJsonPath = getAuthJsonPath();
+    try {
+      // Read current auth.json using cat
+      const catResult = await $`cat "${authJsonPath}"`;
+      const content = catResult.stdout;
+      let auth: AuthJson;
+      try {
+        auth = JSON.parse(content);
+      } catch {
+        console.log("1Password: auth.json is not valid JSON, skipping");
+        return;
+      }
+      let modified = false;
+      for (const [providerId, authConfig] of Object.entries(auth)) {
+        if (authConfig.key && !authConfig.key.startsWith("{env:")) {
+          // Replace hardcoded key with env var reference
+          authConfig.key = `{env:${providerId}}`;
+          modified = true;
+          console.log(`1Password: Updated auth.json - ${providerId} -> {env:${providerId}}`);
+        }
+      }
+      if (modified) {
+        // Write updated content using a temp file and mv
+        const newContent = JSON.stringify(auth, null, 2);
+        // Use node to write the file since $ heredocs can be tricky
+        await $`node -e "const fs=require('fs'); fs.writeFileSync('${authJsonPath}', JSON.stringify(${JSON.stringify(auth)}, null, 2));"`;
+        console.log("1Password: auth.json updated to use environment variables");
+      }
+    } catch (err) {
+      console.error("1Password: Failed to update auth.json:", err);
+    }
+  };
+  const updateOpenCodeJsonMCP = async (mcpEnvId: string): Promise<void> => {
+    const openCodeJsonPath = getOpenCodeJsonPath();
+    try {
+      // Read current opencode.json using cat
+      const catResult = await $`cat "${openCodeJsonPath}"`;
+      const content = catResult.stdout;
+      let config: OpenCodeConfig;
+      try {
+        config = JSON.parse(content);
+      } catch {
+        console.log("1Password: opencode.json is not valid JSON, skipping");
+        return;
+      }
+      if (!config.mcp) {
+        console.log("1Password: No MCP configuration found, skipping");
+        return;
+      }
+      let modified = false;
+      for (const [serverName, serverConfig] of Object.entries(config.mcp)) {
+        if (serverConfig?.environment) {
+          for (const [key, value] of Object.entries(serverConfig.environment)) {
+            if (typeof value === "string" && !value.startsWith("{env:") && !value.startsWith("$")) {
+              // Replace hardcoded value with env var reference
+              serverConfig.environment[key] = `{env:${key}}`;
+              modified = true;
+              console.log(`1Password: Updated opencode.json - ${serverName}.${key} -> {env:${key}}`);
+            }
+          }
+        }
+      }
+      if (modified) {
+        // Write updated content
+        await $`node -e "const fs=require('fs'); fs.writeFileSync('${openCodeJsonPath}', JSON.stringify(${JSON.stringify(config)}, null, 2));"`;
+        console.log("1Password: opencode.json MCP config updated to use environment variables");
+      }
+    } catch (err) {
+      console.error("1Password: Failed to update opencode.json:", err);
+    }
+  };
   const authenticateProviders = async (providerEnvId: string): Promise<void> => {
     if (!opClient) return;
@@ -64,7 +172,7 @@ export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
       if (!apiKey) continue;
       try {
-        await ctx.client.auth.set({
+        await client.auth.set({
           path: { id: providerId },
           body: { type: "api", key: apiKey },
         });
@@ -79,7 +187,7 @@ export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
     const vars = new Set<string>();
     try {
-      const config = ctx.config as OpenCodeConfig;
+      const config = client.config as OpenCodeConfig;
       if (config?.mcp) {
         for (const [, serverConfig] of Object.entries(config.mcp)) {
           if (serverConfig?.environment) {
@@ -146,12 +254,15 @@ export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
         const providersEnvId = configEnvIds.OPENCODE_PROVIDERS_ENV_ID;
         if (providersEnvId) {
+          // First update the config files to use env var references
+          await updateAuthJson(providersEnvId);
           await authenticateProviders(providersEnvId);
         }
         const mcpEnvIdFromConfig = configEnvIds.OPENCODE_MCPS_ENV_ID;
         if (mcpEnvIdFromConfig) {
           mcpsEnvId = mcpEnvIdFromConfig;
+          await updateOpenCodeJsonMCP(mcpEnvIdFromConfig);
           const toInject = await injectMCPSecrets(mcpEnvIdFromConfig);
           if (Object.keys(toInject).length > 0) {
             console.log(`1Password: Injected ${Object.keys(toInject).join(", ")} for MCP`);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "opencode-1password-auth",
-  "version": "1.0.0",
+  "version": "1.0.3",
   "description": "1Password integration for OpenCode - authenticate providers and inject MCP secrets from 1Password environments",
   "type": "module",
   "main": "index.ts",

package/setup.ps1 CHANGED Viewed

@@ -3,7 +3,8 @@
 param(
     [switch]$Uninstall,
-    [switch]$Audit
+    [switch]$Audit,
+    [switch]$UpdateConfig
 )
 # Colors for output
@@ -65,31 +66,184 @@ function Remove-RegistryValue {
     }
 }
-function Test-1PasswordConnection {
-    param([string]$Token)
+function Get-OpenCodeAuthJsonPath {
+    $home = if ($env:USERPROFILE) { $env:USERPROFILE } else { $env:USERPROFILE }
+    return "$home/.local/share/opencode/auth.json"
+}
+function Get-OpenCodeConfigJsonPath {
+    $home = if ($env:USERPROFILE) { $env:USERPROFILE } else { $env:USERPROFILE }
+    return "$home/.config/opencode/opencode.json"
+}
+function Update-ConfigFiles {
+    param([string]$Token, [string]$ProvidersEnvId, [string]$McpsEnvId)
-    try {
-        # Create a temporary Node.js script to test the SDK
-        $testScript = @"
-const sdk = require('@1password/sdk');
+    $nodeModulesPath = Get-OpenCodeNodeModulesPath
+    if (-not $nodeModulesPath) {
+        Write-Error "Could not find @1password/sdk in any node_modules directory"
+        return
+    }
+    $sdkPath = ($nodeModulesPath -replace '\\', '/') + "/@1password/sdk/dist/sdk.js"
+    # Get provider secrets from 1Password
+    Write-Info "Reading provider secrets from 1Password..."
+    $script = @"
+const sdk = require('${sdkPath}');
-async function test() {
+async function getSecrets() {
     const client = await sdk.createClient({
-        auth: '$Token',
-        integrationName: 'opencode-1password-setup-test',
+        auth: '${Token}',
+        integrationName: 'opencode-1password-setup',
         integrationVersion: '1.0.0'
     });
-    console.log('SUCCESS');
+    const providers = {};
+    const { variables: providerVars } = await client.environments.getVariables('${ProvidersEnvId}');
+    for (const v of providerVars) {
+        if (v.value) providers[v.name] = v.value;
+    }
+    const mcps = {};
+    if ('${McpsEnvId}') {
+        const { variables: mcpVars } = await client.environments.getVariables('${McpsEnvId}');
+        for (const v of mcpVars) {
+            if (v.value) mcps[v.name] = v.value;
+        }
+    }
+    console.log(JSON.stringify({ providers, mcps }));
 }
-test().catch(err => {
-    console.error('FAILED:', err.message);
-    process.exit(1);
-});
+getSecrets().catch(err => { console.error('FAILED:', err.message); process.exit(1); });
 "@
+    $tempScript = [System.IO.Path]::GetTempFileName() -replace '\.tmp$', '.js'
+    $script | Out-File -FilePath $tempScript -Encoding UTF8 -NoNewline
+    $result = & node $tempScript 2>&1 | Out-String
+    Remove-Item $tempScript -ErrorAction SilentlyContinue
+    if ($result -match "FAILED:") {
+        Write-Error "Failed to read secrets from 1Password: $($result -replace 'FAILED:', '')"
+        return
+    }
+    $secrets = $result | ConvertFrom-Json
+    # Update auth.json
+    $authJsonPath = Get-OpenCodeAuthJsonPath
+    Write-Info "Updating auth.json..."
+    if (Test-Path $authJsonPath) {
+        $authContent = Get-Content $authJsonPath -Raw -Encoding UTF8
+        $auth = $authContent | ConvertFrom-Json
+        $modified = $false
+        foreach ($providerId in $auth.PSObject.Properties.Name) {
+            $authConfig = $auth.$providerId
+            if ($authConfig.key -and -not $authConfig.key.StartsWith("{env:")) {
+                $authConfig.key = "{env:$providerId}"
+                $modified = $true
+                Write-Success "Updated $providerId -> {env:$providerId}"
+            }
+        }
+        if ($modified) {
+            $auth | ConvertTo-Json -Depth 10 | Set-Content $authJsonPath -Encoding UTF8 -NoNewline
+            Write-Success "auth.json updated"
+        } else {
+            Write-Info "auth.json already uses environment variable references"
+        }
+    } else {
+        Write-Info "auth.json not found at $authJsonPath"
+    }
+    # Update opencode.json MCP config
+    $configJsonPath = Get-OpenCodeConfigJsonPath
+    Write-Info "Updating opencode.json MCP config..."
+    if (Test-Path $configJsonPath) {
+        $configContent = Get-Content $configJsonPath -Raw -Encoding UTF8
+        $config = $configContent | ConvertFrom-Json
+        $modified = $false
+        if ($config.mcp) {
+            foreach ($serverName in $config.mcp.PSObject.Properties.Name) {
+                $serverConfig = $config.mcp.$serverName
+                if ($serverConfig.environment) {
+                    foreach ($key in $serverConfig.environment.PSObject.Properties.Name) {
+                        $value = $serverConfig.environment.$key
+                        if ($value -and -not $value.StartsWith("{env:") -and -not $value.StartsWith("$")) {
+                            $serverConfig.environment.$key = "{env:$key}"
+                            $modified = $true
+                            Write-Success "Updated $serverName.$key -> {env:$key}"
+                        }
+                    }
+                }
+            }
+        }
+        if ($modified) {
+            $config | ConvertTo-Json -Depth 10 | Set-Content $configJsonPath -Encoding UTF8 -NoNewline
+            Write-Success "opencode.json updated"
+        } else {
+            Write-Info "opencode.json already uses environment variable references"
+        }
+    } else {
+        Write-Info "opencode.json not found at $configJsonPath"
+    }
+}
+function Get-OpenCodeNodeModulesPath {
+    $paths = @(
+        "$env:USERPROFILE\.cache\opencode\node_modules",
+        "$env:USERPROFILE\.config\opencode\node_modules",
+        "$env:APPDATA\opencode\node_modules"
+    )
+    foreach ($path in $paths) {
+        if (Test-Path "$path\@1password\sdk") {
+            return $path
+        }
+    }
+    return $null
+}
+function Test-1PasswordConnection {
+    param([string]$Token)
+    try {
+        $nodeModulesPath = Get-OpenCodeNodeModulesPath
+        if (-not $nodeModulesPath) {
+            Write-Error "Could not find @1password/sdk in any node_modules directory"
+            return $false
+        }
+        $sdkPath = ($nodeModulesPath -replace '\\', '/') + "/@1password/sdk/dist/sdk.js"
+        # Create a temporary Node.js script file
+        $tempScript = [System.IO.Path]::GetTempFileName() -replace '\.tmp$', '.js'
+        $testScript = 'const sdk = require("' + $sdkPath + '");' + "`n" +
+            'async function test() {' + "`n" +
+            '    const client = await sdk.createClient({' + "`n" +
+            '        auth: "' + $Token + '",' + "`n" +
+            '        integrationName: "opencode-1password-setup-test",' + "`n" +
+            '        integrationVersion: "1.0.0"' + "`n" +
+            '    });' + "`n" +
+            '    console.log("SUCCESS");' + "`n" +
+            '}' + "`n" +
+            'test().catch(err => { console.error("FAILED:", err.message); process.exit(1); });'
+        $testScript | Out-File -FilePath $tempScript -Encoding UTF8 -NoNewline
+        $result = & node $tempScript 2>&1
+        Remove-Item $tempScript -ErrorAction SilentlyContinue
-        $result = node -e $testScript 2>&1
         return $result -match "SUCCESS"
     } catch {
         return $false
@@ -100,36 +254,37 @@ function Get-1PasswordAudit {
     param([string]$Token, [string]$ConfigEnvId)
     try {
-        $script = @"
-const sdk = require('@1password/sdk');
-async function audit() {
-    const client = await sdk.createClient({
-        auth: '$Token',
-        integrationName: 'opencode-1password-setup-test',
-        integrationVersion: '1.0.0'
-    });
-    // Read bootstrap environment
-    const { variables: configVars } = await client.environments.getVariables('$ConfigEnvId');
-    const envIds = {};
-    for (const v of configVars) {
-        if (v.name.endsWith('_ENV_ID') && v.value) {
-            envIds[v.name] = v.value;
+        $nodeModulesPath = Get-OpenCodeNodeModulesPath
+        if (-not $nodeModulesPath) {
+            Write-Error "Could not find @1password/sdk in any node_modules directory"
+            return $null
         }
-    }
-    console.log(JSON.stringify(envIds));
-}
-audit().catch(err => {
-    console.error('FAILED:', err.message);
-    process.exit(1);
-});
-"@
-        $jsonResult = node -e $script 2>&1 | Out-String
+        $sdkPath = ($nodeModulesPath -replace '\\', '/') + "/@1password/sdk/dist/sdk.js"
+        $script = 'const sdk = require("' + $sdkPath + '");' + "`n" +
+            'async function audit() {' + "`n" +
+            '    const client = await sdk.createClient({' + "`n" +
+            '        auth: "' + $Token + '",' + "`n" +
+            '        integrationName: "opencode-1password-setup-test",' + "`n" +
+            '        integrationVersion: "1.0.0"' + "`n" +
+            '    });' + "`n" +
+            '    const { variables: configVars } = await client.environments.getVariables("' + $ConfigEnvId + '");' + "`n" +
+            '    const envIds = {};' + "`n" +
+            '    for (const v of configVars) {' + "`n" +
+            '        if (v.name.endsWith("_ENV_ID") && v.value) {' + "`n" +
+            '            envIds[v.name] = v.value;' + "`n" +
+            '        }' + "`n" +
+            '    }' + "`n" +
+            '    console.log(JSON.stringify(envIds));' + "`n" +
+            '}' + "`n" +
+            'audit().catch(err => { console.error("FAILED:", err.message); process.exit(1); });'
+        $tempScript = [System.IO.Path]::GetTempFileName() -replace '\.tmp$', '.js'
+        $script | Out-File -FilePath $tempScript -Encoding UTF8 -NoNewline
+        $jsonResult = & node $tempScript 2>&1 | Out-String
+        Remove-Item $tempScript -ErrorAction SilentlyContinue
         return $jsonResult | ConvertFrom-Json
     } catch {
         return $null
@@ -139,6 +294,8 @@ audit().catch(err => {
 function Show-AuditReport {
     param([string]$Token, [hashtable]$EnvIds)
+    $nodeModulesPath = Get-OpenCodeNodeModulesPath
     Write-Host ""
     Write-Host "========================================" -ForegroundColor Cyan
     Write-Host "  Configuration Audit Report" -ForegroundColor Cyan
@@ -163,30 +320,27 @@ function Show-AuditReport {
         Write-Host "--------------------------------"
         try {
-            $script = @"
-const sdk = require('@1password/sdk');
-async function read() {
-    const client = await sdk.createClient({
-        auth: '$Token',
-        integrationName: 'opencode-1password-setup-test',
-        integrationVersion: '1.0.0'
-    });
-    const { variables } = await client.environments.getVariables('$envId');
-    for (const v of variables) {
-        const masked = v.value ? v.value.substring(0, 8) + '••••••••' : '(empty)';
-        console.log(v.name + '=' + masked);
-    }
-}
-read().catch(err => {
-    console.error('Error:', err.message);
-});
-"@
+        # Use forward slashes to avoid JS escape sequence issues
+        $sdkPath = ($nodeModulesPath -replace '\\', '/') + "/@1password/sdk/dist/sdk.js"
+            $script = 'const sdk = require("' + $sdkPath + '");' + "`n" +
+                'async function read() {' + "`n" +
+                '    const client = await sdk.createClient({' + "`n" +
+                '        auth: "' + $Token + '",' + "`n" +
+                '        integrationName: "opencode-1password-setup-test",' + "`n" +
+                '        integrationVersion: "1.0.0"' + "`n" +
+                '    });' + "`n" +
+                '    const { variables } = await client.environments.getVariables("' + $envId + '");' + "`n" +
+                '    for (const v of variables) {' + "`n" +
+                '        const masked = v.value ? v.value.substring(0, 8) + "••••••••" : "(empty)";' + "`n" +
+                '        console.log(v.name + "=" + masked);' + "`n" +
+                '    }' + "`n" +
+                '}' + "`n" +
+                'read().catch(err => { console.error("Error:", err.message); });'
-            $result = node -e $script 2>&1
+            $tempScript = [System.IO.Path]::GetTempFileName() -replace '\.tmp$', '.js'
+            $script | Out-File -FilePath $tempScript -Encoding UTF8 -NoNewline
+            $result = & node $tempScript 2>&1
+            Remove-Item $tempScript -ErrorAction SilentlyContinue
             foreach ($line in $result) {
                 if ($line -and $line -notmatch "^(Error|Error:)") {
                     Write-Host "  $line" -ForegroundColor Gray
@@ -298,6 +452,66 @@ if ($Audit) {
     exit 0
 }
+if ($UpdateConfig) {
+    # Update Config mode
+    Write-Host "Update Config Mode" -ForegroundColor Yellow
+    Write-Host "------------------" -ForegroundColor Yellow
+    Write-Host ""
+    $token = Get-RegistryValue -Name "OP_SERVICE_ACCOUNT_TOKEN" -Scope "Machine"
+    $configId = Get-RegistryValue -Name "OP_CONFIG_ENV_ID" -Scope "Machine"
+    if (-not $token) {
+        $token = Get-RegistryValue -Name "OP_SERVICE_ACCOUNT_TOKEN" -Scope "User"
+        $configId = Get-RegistryValue -Name "OP_CONFIG_ENV_ID" -Scope "User"
+    }
+    if (-not $token -or -not $configId) {
+        Write-Error "Environment variables not set. Run setup first."
+        exit 1
+    }
+    Write-Info "Testing 1Password connection..."
+    if (Test-1PasswordConnection -Token $token) {
+        Write-Success "1Password connection successful!"
+    } else {
+        Write-Error "Failed to connect to 1Password. Check your service account token."
+        exit 1
+    }
+    Write-Info "Reading configuration from 1Password..."
+    $envIds = Get-1PasswordAudit -Token $token -ConfigEnvId $configId
+    if ($envIds) {
+        $providersEnvId = $null
+        $mcpsEnvId = $null
+        foreach ($prop in $envIds.PSObject.Properties) {
+            if ($prop.Name -eq "OPENCODE_PROVIDERS_ENV_ID") {
+                $providersEnvId = $prop.Value
+            } elseif ($prop.Name -eq "OPENCODE_MCPS_ENV_ID") {
+                $mcpsEnvId = $prop.Value
+            }
+        }
+        if ($providersEnvId) {
+            Write-Info "Updating config files to use environment variables..."
+            Update-ConfigFiles -Token $token -ProvidersEnvId $providersEnvId -McpsEnvId $mcpsEnvId
+            Write-Success "Config update complete!"
+        } else {
+            Write-Error "Could not find OPENCODE_PROVIDERS_ENV_ID in bootstrap environment"
+            exit 1
+        }
+    } else {
+        Write-Error "Failed to read bootstrap environment."
+        exit 1
+    }
+    exit 0
+}
 # Setup mode (default)
 Write-Host "Setup Mode" -ForegroundColor Yellow
 Write-Host "----------" -ForegroundColor Yellow
@@ -416,6 +630,7 @@ Write-Success "Setup complete!"
 Write-Info "Restart OpenCode to activate the plugin."
 Write-Host ""
 Write-Host "Usage:" -ForegroundColor White
-Write-Host "  ./setup.ps1 -Audit    Show current configuration"
-Write-Host "  ./setup.ps1 -Uninstall Remove environment variables"
+Write-Host "  ./setup.ps1 -Audit         Show current configuration"
+Write-Host "  ./setup.ps1 -UpdateConfig  Update config files to use {env:VAR} references"
+Write-Host "  ./setup.ps1 -Uninstall    Remove environment variables"
 Write-Host ""

package/setup.sh CHANGED Viewed

@@ -221,9 +221,161 @@ EOFINNER
     done
 }
+update_config_files() {
+    local token="$1"
+    local providers_env_id="$2"
+    local mcps_env_id="$3"
+    log_info "Reading secrets from 1Password..."
+    # Get provider and MCP secrets
+    cat > /tmp/update_config_$$.js << 'EOF'
+const sdk = require('@1password/sdk');
+async function getSecrets() {
+    const token = process.argv[1];
+    const providersEnvId = process.argv[2];
+    const mcpsEnvId = process.argv[3];
+    const client = await sdk.createClient({
+        auth: token,
+        integrationName: 'opencode-1password-setup',
+        integrationVersion: '1.0.0'
+    });
+    const providers = {};
+    const { variables: providerVars } = await client.environments.getVariables(providersEnvId);
+    for (const v of providerVars) {
+        if (v.value) providers[v.name] = v.value;
+    }
+    const mcps = {};
+    if (mcpsEnvId) {
+        const { variables: mcpVars } = await client.environments.getVariables(mcpsEnvId);
+        for (const v of mcpVars) {
+            if (v.value) mcps[v.name] = v.value;
+        }
+    }
+    console.log(JSON.stringify({ providers, mcps }));
+}
+getSecrets().catch(err => {
+    console.error('FAILED:', err.message);
+    process.exit(1);
+});
+EOF
+    result=$(node /tmp/update_config_$$.js "$token" "$providers_env_id" "$mcps_env_id" 2>&1)
+    rm -f /tmp/update_config_$$.js
+    if [[ "$result" == "FAILED:"* ]]; then
+        log_error "Failed to read secrets from 1Password: $result"
+        return 1
+    fi
+    # Get home directory
+    home="${HOME:-}"
+    if [[ -z "$home" ]]; then
+        home=$(eval echo ~)
+    fi
+    # Update auth.json
+    auth_json_path="$home/.local/share/opencode/auth.json"
+    log_info "Updating auth.json..."
+    if [[ -f "$auth_json_path" ]]; then
+        # Read auth.json and update
+        auth_content=$(cat "$auth_json_path")
+        # Use node to parse and update JSON
+        cat > /tmp/update_auth_$$.js << 'EOFJ'
+const fs = require('fs');
+const authPath = process.argv[1];
+const auth = JSON.parse(fs.readFileSync(authPath, 'utf8'));
+let modified = false;
+for (const [providerId, authConfig] of Object.entries(auth)) {
+    if (authConfig.key && !authConfig.key.startsWith('{env:')) {
+        authConfig.key = '{env:' + providerId + '}';
+        modified = true;
+        console.log('Updated ' + providerId + ' -> {env:' + providerId + '}');
+    }
+}
+if (modified) {
+    fs.writeFileSync(authPath, JSON.stringify(auth, null, 2));
+    console.log('auth.json updated');
+} else {
+    console.log('auth.json already uses environment variable references');
+}
+EOFJ
+        update_result=$(node /tmp/update_auth_$$.js "$auth_json_path" 2>&1)
+        rm -f /tmp/update_auth_$$.js
+        echo "$update_result" | while read line; do
+            if [[ "$line" == Updated* ]] || [[ "$line" == *updated* ]]; then
+                log_success "$(echo "$line" | sed 's/Updated/Updated/')"
+            else
+                log_info "$line"
+            fi
+        done
+    else
+        log_info "auth.json not found at $auth_json_path"
+    fi
+    # Update opencode.json MCP config
+    config_json_path="$home/.config/opencode/opencode.json"
+    log_info "Updating opencode.json MCP config..."
+    if [[ -f "$config_json_path" ]]; then
+        cat > /tmp/update_mcp_$$.js << 'EOFMCP'
+const fs = require('fs');
+const configPath = process.argv[1];
+const config = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+let modified = false;
+if (config.mcp) {
+    for (const [serverName, serverConfig] of Object.entries(config.mcp)) {
+        if (serverConfig && serverConfig.environment) {
+            for (const [key, value] of Object.entries(serverConfig.environment)) {
+                if (value && !value.startsWith('{env:') && !value.startsWith('$')) {
+                    serverConfig.environment[key] = '{env:' + key + '}';
+                    modified = true;
+                    console.log('Updated ' + serverName + '.' + key + ' -> {env:' + key + '}');
+                }
+            }
+        }
+    }
+}
+if (modified) {
+    fs.writeFileSync(configPath, JSON.stringify(config, null, 2));
+    console.log('opencode.json updated');
+} else {
+    console.log('opencode.json already uses environment variable references');
+}
+EOFMCP
+        update_result=$(node /tmp/update_mcp_$$.js "$config_json_path" 2>&1)
+        rm -f /tmp/update_mcp_$$.js
+        echo "$update_result" | while read line; do
+            if [[ "$line" == Updated* ]] || [[ "$line" == *updated* ]]; then
+                log_success "$(echo "$line" | sed 's/Updated/Updated/')"
+            else
+                log_info "$line"
+            fi
+        done
+    else
+        log_info "opencode.json not found at $config_json_path"
+    fi
+    log_success "Config update complete!"
+}
 # Parse arguments
 UNINSTALL=false
 AUDIT=false
+UPDATE_CONFIG=false
 while [[ $# -gt 0 ]]; do
     case $1 in
@@ -235,8 +387,12 @@ while [[ $# -gt 0 ]]; do
             AUDIT=true
             shift
             ;;
+        -c|--update-config)
+            UPDATE_CONFIG=true
+            shift
+            ;;
         *)
-            echo "Usage: $0 [--uninstall|--audit]"
+            echo "Usage: $0 [--uninstall|--audit|--update-config]"
             exit 1
             ;;
     esac
@@ -325,6 +481,51 @@ if [[ "$AUDIT" == true ]]; then
     exit 0
 fi
+if [[ "$UPDATE_CONFIG" == true ]]; then
+    echo -e "${YELLOW}Update Config Mode${NC}"
+    echo -e "${YELLOW}------------------${NC}"
+    echo ""
+    get_existing_values
+    if [[ -z "$OP_SERVICE_ACCOUNT_TOKEN" || -z "$OP_CONFIG_ENV_ID" ]]; then
+        log_error "Environment variables not set. Run setup first."
+        exit 1
+    fi
+    log_info "Testing 1Password connection..."
+    if test_connection "$OP_SERVICE_ACCOUNT_TOKEN"; then
+        log_success "1Password connection successful!"
+    else
+        log_error "Failed to connect to 1Password. Check your service account token."
+        exit 1
+    fi
+    log_info "Reading configuration from 1Password..."
+    env_ids_json=$(get_audit_data "$OP_SERVICE_ACCOUNT_TOKEN" "$OP_CONFIG_ENV_ID")
+    if [[ -n "$env_ids_json" && "$env_ids_json" != "FAILED:"* ]]; then
+        # Parse JSON to extract env IDs
+        providers_env_id=$(echo "$env_ids_json" | sed -n 's/.*"OPENCODE_PROVIDERS_ENV_ID":"\([^"]*\)".*/\1/p')
+        mcps_env_id=$(echo "$env_ids_json" | sed -n 's/.*"OPENCODE_MCPS_ENV_ID":"\([^"]*\)".*/\1/p')
+        if [[ -n "$providers_env_id" ]]; then
+            log_info "Updating config files to use environment variables..."
+            update_config_files "$OP_SERVICE_ACCOUNT_TOKEN" "$providers_env_id" "$mcps_env_id"
+        else
+            log_error "Could not find OPENCODE_PROVIDERS_ENV_ID in bootstrap environment"
+            exit 1
+        fi
+    else
+        log_error "Failed to read bootstrap environment."
+        exit 1
+    fi
+    exit 0
+fi
 # Setup mode (default)
 echo -e "${YELLOW}Setup Mode${NC}"
 echo -e "${YELLOW}----------${NC}"
@@ -439,6 +640,7 @@ log_success "Setup complete!"
 log_info "Restart OpenCode to activate the plugin."
 echo ""
 echo "Usage:"
-echo "  ./setup.sh --audit    Show current configuration"
-echo "  ./setup.sh --uninstall Remove environment variables"
+echo "  ./setup.sh --audit          Show current configuration"
+echo "  ./setup.sh --update-config  Update config files to use {env:VAR} references"
+echo "  ./setup.sh --uninstall     Remove environment variables"
 echo ""