opencode-1password-auth 1.0.0

package/README.md

@@ -0,0 +1,174 @@
+# OpenCode 1Password Auth Plugin
+
+Authenticate LLM providers and inject MCP server secrets from 1Password environments.
+
+## Features
+
+- **Provider Authentication**: Automatically authenticate OpenCode providers (MiniMax, DeepSeek, OpenCode, etc.) from 1Password
+- **MCP Secret Injection**: Inject secrets into MCP server environments from 1Password
+- **.env Access Warning**: Warns when .env files are accessed
+
+## Prerequisites
+
+### 1. 1Password Account
+
+- 1Password account (西牙, Business, or Teams plan for service accounts)
+- Ability to create environments and service accounts
+
+### 2. 1Password Service Account
+
+Create a service account in 1Password:
+1. Go to **Settings > Service Accounts** in 1Password
+2. Create a new service account with **Read** permissions to your vaults
+3. Copy the token - you'll need it for `OP_SERVICE_ACCOUNT_TOKEN`
+
+### 3. 1Password Environments
+
+Create these environments in 1Password:
+
+**Config Environment** (holds environment IDs):
+- `OPENCODE_PROVIDERS_ENV_ID` - Environment ID containing provider API keys
+- `OPENCODE_MCPS_ENV_ID` - Environment ID containing MCP server secrets
+
+**Providers Environment** (holds API keys):
+- Provider IDs as variable names (e.g., `MINIMAX_CODING_PLAN`, `DEEPSEEK`, `OPENCODE`)
+- API keys as values
+
+**MCPS Environment** (holds MCP secrets):
+- Secret names matching your MCP server config (e.g., `MINIMAX_API_KEY`, `MINIMAX_API_HOST`)
+
+## Setup
+
+### 1. Run Setup Script
+
+Use the provided setup script to configure environment variables:
+
+**Windows:**
+```powershell
+.\setup.ps1
+```
+
+**macOS/Linux:**
+```bash
+./setup.sh
+```
+
+The script will:
+- Prompt for your 1Password service account token
+- Prompt for your bootstrap environment ID
+- Save environment variables to your system
+- Verify the 1Password connection works
+- Show a full audit of your configuration
+
+**Script Options:**
+- `.\setup.ps1 -Audit` - View current configuration
+- `.\setup.ps1 -Uninstall` - Remove environment variables
+
+### 2. Install Plugin
+
+Add to your `opencode.json`:
+
+```json
+{
+  "plugin": ["opencode-1password-auth"]
+}
+```
+
+OpenCode will automatically install the plugin on next startup.
+
+## Architecture: Config as Index
+
+The plugin uses a **config environment as an index** to your other environments. This design:
+
+- Keeps your actual secrets isolated in dedicated environments
+- Allows you to switch configurations by changing only `OP_CONFIG_ENV_ID`
+- Enables different configs for dev/staging/prod
+
+### Config Environment
+```
+opencode-config
+├── OPENCODE_PROVIDERS_ENV_ID = abc123... (ID of providers env)
+├── OPENCODE_MCPS_ENV_ID = def456... (ID of mcps env)
+└── OPENCODE_PLUGINS_ENV_ID = ghi789... (ID of plugins env, optional)
+```
+
+To change configurations, simply update `OP_CONFIG_ENV_ID` to point to a different config environment.
+
+### Providers Environment
+```
+opencode-providers
+├── MINIMAX_CODING_PLAN = your-minimax-api-key
+├── DEEPSEEK = your-deepseek-api-key
+└── OPENCODE = your-opencode-api-key
+```
+
+### MCPS Environment
+```
+opencode-mcps
+├── MINIMAX_API_KEY = your-minimax-api-key
+└── MINIMAX_API_HOST = https://api.minimax.io
+```
+
+## MCP Configuration
+
+In your `opencode.json`, use `{env:VARIABLE_NAME}` syntax to reference injected secrets:
+
+```json
+{
+  "mcp": {
+    "MiniMax": {
+      "type": "local",
+      "command": ["uvx", "minimax-coding-plan-mcp"],
+      "environment": {
+        "MINIMAX_API_KEY": "{env:MINIMAX_API_KEY}",
+        "MINIMAX_API_HOST": "{env:MINIMAX_API_HOST}"
+      }
+    }
+  }
+}
+```
+
+## How It Works
+
+1. On `server.connected` event, the plugin initializes the 1Password SDK
+2. Reads environment IDs from your config environment
+3. Authenticates providers using `client.auth.set()`
+4. Injects MCP secrets via the `shell.env` hook
+
+## Requirements
+
+- OpenCode
+- 1Password account with service account token
+- Windows/macOS/Linux with environment variables set
+
+## Troubleshooting
+
+**Plugin not loading?**
+- Ensure environment variables are set system-wide (not just in terminal)
+- Restart OpenCode completely after setting environment variables
+
+**Can't read 1Password environments?**
+- Verify service account has access to the vaults containing your environments
+- Check that environment IDs in config are correct
+
+## Roadmap
+
+The following features are planned for future releases:
+
+### Phase 2 - Enhanced Scripting
+- [ ] **Automated service account creation** - Guide users through creating service accounts with correct permissions via 1Password API
+- [ ] **Bootstrap environment management via scripts** - Add, list, remove environment references from the bootstrap environment through CLI
+
+### Phase 3 - Advanced Plugin Features
+- [ ] **Dynamic environment detection** - Plugin automatically detects new environments added to bootstrap and integrates them
+- [ ] **Config file injection** - Plugin replaces hardcoded API keys in OpenCode config files with `{env:VAR}` references
+- [ ] **Custom environment support** - Support for additional environments beyond the standard opencode-providers, opencode-plugins, opencode-mcps pattern
+- [ ] **Write support** - Ability to store secrets back to 1Password environments
+
+### Phase 4 - polish
+- [ ] **Uninstall script** - Clean removal of environment variables and plugin configuration
+- [ ] **Configuration validation** - Validate OpenCode config files reference correct environment variables
+
+## License
+
+MIT

package/index.ts

@@ -0,0 +1,188 @@
+import type { Plugin } from "@opencode-ai/plugin";
+import * as sdk from "@1password/sdk";
+
+interface MCPServerConfig {
+  environment?: Record<string, string>;
+}
+
+interface OpenCodeConfig {
+  mcp?: Record<string, MCPServerConfig>;
+}
+
+export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
+  let opClient: Awaited<ReturnType<typeof sdk.createClient>> | null = null;
+  let mcpsEnvId: string | undefined;
+
+  const initClient = async () => {
+    const token = process.env.OP_SERVICE_ACCOUNT_TOKEN;
+    if (!token) {
+      console.error("1Password: Missing OP_SERVICE_ACCOUNT_TOKEN");
+      return null;
+    }
+
+    try {
+      return await sdk.createClient({
+        auth: token,
+        integrationName: "opencode-1password-env",
+        integrationVersion: "1.0.0",
+      });
+    } catch (err) {
+      console.error("1Password: Failed to create client:", err);
+      return null;
+    }
+  };
+
+  const readEnvironmentVariables = async (envId: string) => {
+    if (!opClient) return [];
+
+    try {
+      const { variables } = await opClient.environments.getVariables(envId);
+      return variables || [];
+    } catch (err) {
+      console.error(`1Password: Failed to read environment ${envId}:`, err);
+      return [];
+    }
+  };
+
+  const getSecretsFromEnvironment = async (envId: string): Promise<Record<string, string>> => {
+    const vars = await readEnvironmentVariables(envId);
+    const secrets: Record<string, string> = {};
+    for (const v of vars) {
+      if (v.value) {
+        secrets[v.name] = v.value;
+      }
+    }
+    return secrets;
+  };
+
+  const authenticateProviders = async (providerEnvId: string): Promise<void> => {
+    if (!opClient) return;
+
+    const secrets = await getSecretsFromEnvironment(providerEnvId);
+
+    for (const [providerId, apiKey] of Object.entries(secrets)) {
+      if (!apiKey) continue;
+
+      try {
+        await ctx.client.auth.set({
+          path: { id: providerId },
+          body: { type: "api", key: apiKey },
+        });
+        console.log(`1Password: ✓ ${providerId} authenticated`);
+      } catch (err) {
+        console.error(`1Password: Failed to authenticate ${providerId}:`, err);
+      }
+    }
+  };
+
+  const getConfiguredMCPVars = (): Set<string> => {
+    const vars = new Set<string>();
+
+    try {
+      const config = ctx.config as OpenCodeConfig;
+      if (config?.mcp) {
+        for (const [, serverConfig] of Object.entries(config.mcp)) {
+          if (serverConfig?.environment) {
+            for (const [key] of Object.entries(serverConfig.environment)) {
+              if (key.startsWith("{env:")) {
+                const envVar = key.slice(5, -1);
+                vars.add(envVar);
+              } else {
+                vars.add(key);
+              }
+            }
+          }
+        }
+      }
+    } catch (err) {
+      console.error("1Password: Failed to read MCP config:", err);
+    }
+
+    return vars;
+  };
+
+  const injectMCPSecrets = async (mcpEnvId: string): Promise<Record<string, string>> => {
+    const neededVars = getConfiguredMCPVars();
+    if (neededVars.size === 0) {
+      return {};
+    }
+
+    const secrets = await getSecretsFromEnvironment(mcpEnvId);
+    const toInject: Record<string, string> = {};
+
+    for (const varName of neededVars) {
+      if (secrets[varName]) {
+        toInject[varName] = secrets[varName];
+      }
+    }
+
+    return toInject;
+  };
+
+  return {
+    async event({ event }: { event: { type: string } }) {
+      if (event.type === "server.connected") {
+        console.log("1Password: Initializing...");
+
+        opClient = await initClient();
+        if (!opClient) {
+          console.error("1Password: No client available");
+          return;
+        }
+
+        const configEnvId = process.env.OP_CONFIG_ENV_ID;
+        if (!configEnvId) {
+          console.error("1Password: Missing OP_CONFIG_ENV_ID");
+          return;
+        }
+
+        const vars = await readEnvironmentVariables(configEnvId);
+        const configEnvIds: Record<string, string> = {};
+        for (const v of vars) {
+          if (v.name.endsWith("_ENV_ID") && v.value) {
+            configEnvIds[v.name] = v.value;
+          }
+        }
+
+        const providersEnvId = configEnvIds.OPENCODE_PROVIDERS_ENV_ID;
+        if (providersEnvId) {
+          await authenticateProviders(providersEnvId);
+        }
+
+        const mcpEnvIdFromConfig = configEnvIds.OPENCODE_MCPS_ENV_ID;
+        if (mcpEnvIdFromConfig) {
+          mcpsEnvId = mcpEnvIdFromConfig;
+          const toInject = await injectMCPSecrets(mcpEnvIdFromConfig);
+          if (Object.keys(toInject).length > 0) {
+            console.log(`1Password: Injected ${Object.keys(toInject).join(", ")} for MCP`);
+          }
+        }
+
+        console.log("1Password: Initialization complete");
+      }
+    },
+
+    async "shell.env"(input, output) {
+      if (!opClient || !mcpsEnvId) return;
+
+      const toInject = await injectMCPSecrets(mcpsEnvId);
+
+      for (const [varName, value] of Object.entries(toInject)) {
+        output.env[varName] = value;
+      }
+    },
+
+    async "tool.execute.before"(input) {
+      if (input.tool !== "read") return;
+
+      const fileArgs = input.args as { filePath?: string } | undefined;
+      if (fileArgs?.filePath && fileArgs.filePath.includes(".env")) {
+        console.warn(
+          "1Password: Warning - .env file access detected. Consider using 1Password for secrets management."
+        );
+      }
+    },
+  };
+};
+
+export default OnePasswordAuthPlugin;

package/package.json

@@ -0,0 +1,13 @@
+{
+  "name": "opencode-1password-auth",
+  "version": "1.0.0",
+  "description": "1Password integration for OpenCode - authenticate providers and inject MCP secrets from 1Password environments",
+  "type": "module",
+  "main": "index.ts",
+  "keywords": ["opencode", "opencode-plugin", "1password", "mcp", "secrets"],
+  "author": "",
+  "license": "MIT",
+  "dependencies": {
+    "@1password/sdk": "0.4.1-beta.1"
+  }
+}

package/setup.ps1

@@ -0,0 +1,421 @@
+# OpenCode 1Password Auth Plugin - Setup Script
+# This script helps configure the environment variables needed for the plugin
+
+param(
+    [switch]$Uninstall,
+    [switch]$Audit
+)
+
+# Colors for output
+function Write-Banner {
+    Write-Host ""
+    Write-Host "========================================" -ForegroundColor Cyan
+    Write-Host "  OpenCode 1Password Auth Setup" -ForegroundColor Cyan
+    Write-Host "========================================" -ForegroundColor Cyan
+    Write-Host ""
+}
+
+function Write-Success {
+    param([string]$Message)
+    Write-Host "[OK] " -ForegroundColor Green -NoNewline
+    Write-Host $Message
+}
+
+function Write-Error {
+    param([string]$Message)
+    Write-Host "[ERROR] " -ForegroundColor Red -NoNewline
+    Write-Host $Message
+}
+
+function Write-Info {
+    param([string]$Message)
+    Write-Host "[INFO] " -ForegroundColor Yellow -NoNewline
+    Write-Host $Message
+}
+
+function Get-RegistryValue {
+    param([string]$Name, [string]$Scope)
+    
+    if ($Scope -eq "Machine") {
+        return [System.Environment]::GetEnvironmentVariable($Name, "Machine")
+    } else {
+        return [System.Environment]::GetEnvironmentVariable($Name, "User")
+    }
+}
+
+function Set-RegistryValue {
+    param([string]$Name, [string]$Value, [string]$Scope)
+    
+    try {
+        [System.Environment]::SetEnvironmentVariable($Name, $Value, $Scope)
+        return $true
+    } catch {
+        return $false
+    }
+}
+
+function Remove-RegistryValue {
+    param([string]$Name, [string]$Scope)
+    
+    try {
+        [System.Environment]::SetEnvironmentVariable($Name, $null, $Scope)
+        return $true
+    } catch {
+        return $false
+    }
+}
+
+function Test-1PasswordConnection {
+    param([string]$Token)
+    
+    try {
+        # Create a temporary Node.js script to test the SDK
+        $testScript = @"
+const sdk = require('@1password/sdk');
+
+async function test() {
+    const client = await sdk.createClient({
+        auth: '$Token',
+        integrationName: 'opencode-1password-setup-test',
+        integrationVersion: '1.0.0'
+    });
+    
+    console.log('SUCCESS');
+}
+
+test().catch(err => {
+    console.error('FAILED:', err.message);
+    process.exit(1);
+});
+"@
+        
+        $result = node -e $testScript 2>&1
+        return $result -match "SUCCESS"
+    } catch {
+        return $false
+    }
+}
+
+function Get-1PasswordAudit {
+    param([string]$Token, [string]$ConfigEnvId)
+    
+    try {
+        $script = @"
+const sdk = require('@1password/sdk');
+
+async function audit() {
+    const client = await sdk.createClient({
+        auth: '$Token',
+        integrationName: 'opencode-1password-setup-test',
+        integrationVersion: '1.0.0'
+    });
+    
+    // Read bootstrap environment
+    const { variables: configVars } = await client.environments.getVariables('$ConfigEnvId');
+    
+    const envIds = {};
+    for (const v of configVars) {
+        if (v.name.endsWith('_ENV_ID') && v.value) {
+            envIds[v.name] = v.value;
+        }
+    }
+    
+    console.log(JSON.stringify(envIds));
+}
+
+audit().catch(err => {
+    console.error('FAILED:', err.message);
+    process.exit(1);
+});
+"@
+        
+        $jsonResult = node -e $script 2>&1 | Out-String
+        return $jsonResult | ConvertFrom-Json
+    } catch {
+        return $null
+    }
+}
+
+function Show-AuditReport {
+    param([string]$Token, [hashtable]$EnvIds)
+    
+    Write-Host ""
+    Write-Host "========================================" -ForegroundColor Cyan
+    Write-Host "  Configuration Audit Report" -ForegroundColor Cyan
+    Write-Host "========================================" -ForegroundColor Cyan
+    Write-Host ""
+    
+    # Display bootstrap environment IDs
+    Write-Host "Bootstrap Environment References:" -ForegroundColor White
+    Write-Host "--------------------------------"
+    
+    foreach ($key in $EnvIds.Keys) {
+        Write-Host "  $($key) = $($EnvIds[$key].Substring(0, 10))..." -ForegroundColor Gray
+    }
+    Write-Host ""
+    
+    # For each referenced environment, show its contents
+    foreach ($key in $EnvIds.Keys) {
+        $envId = $EnvIds[$key]
+        $envName = ($key -replace 'OPENCODE_', '') -replace '_ENV_ID', ''
+        
+        Write-Host "$envName Environment:" -ForegroundColor White
+        Write-Host "--------------------------------"
+        
+        try {
+            $script = @"
+const sdk = require('@1password/sdk');
+
+async function read() {
+    const client = await sdk.createClient({
+        auth: '$Token',
+        integrationName: 'opencode-1password-setup-test',
+        integrationVersion: '1.0.0'
+    });
+    
+    const { variables } = await client.environments.getVariables('$envId');
+    
+    for (const v of variables) {
+        const masked = v.value ? v.value.substring(0, 8) + '••••••••' : '(empty)';
+        console.log(v.name + '=' + masked);
+    }
+}
+
+read().catch(err => {
+    console.error('Error:', err.message);
+});
+"@
+            
+            $result = node -e $script 2>&1
+            foreach ($line in $result) {
+                if ($line -and $line -notmatch "^(Error|Error:)") {
+                    Write-Host "  $line" -ForegroundColor Gray
+                } elseif ($line -match "Error:") {
+                    Write-Host "  $line" -ForegroundColor Red
+                }
+            }
+        } catch {
+            Write-Host "  Could not read environment" -ForegroundColor Red
+        }
+        Write-Host ""
+    }
+}
+
+# Main script execution
+Write-Banner
+
+if ($Uninstall) {
+    # Uninstall mode
+    Write-Host "Uninstall Mode" -ForegroundColor Yellow
+    Write-Host "--------------" -ForegroundColor Yellow
+    Write-Host ""
+    
+    $currentToken = Get-RegistryValue -Name "OP_SERVICE_ACCOUNT_TOKEN" -Scope "Machine"
+    $currentConfigId = Get-RegistryValue -Name "OP_CONFIG_ENV_ID" -Scope "Machine"
+    
+    if (-not $currentToken -and -not $currentConfigId) {
+        $currentToken = Get-RegistryValue -Name "OP_SERVICE_ACCOUNT_TOKEN" -Scope "User"
+        $currentConfigId = Get-RegistryValue -Name "OP_CONFIG_ENV_ID" -Scope "User"
+    }
+    
+    if (-not $currentToken -and -not $currentConfigId) {
+        Write-Info "No environment variables found. Nothing to uninstall."
+        exit 0
+    }
+    
+    Write-Host "Found the following environment variables:" -ForegroundColor White
+    if ($currentToken) { Write-Host "  OP_SERVICE_ACCOUNT_TOKEN = $($currentToken.Substring(0, 8))..." -ForegroundColor Gray }
+    if ($currentConfigId) { Write-Host "  OP_CONFIG_ENV_ID = $($currentConfigId.Substring(0, 8))..." -ForegroundColor Gray }
+    Write-Host ""
+    
+    $confirm = Read-Host "Remove these environment variables? (y/N)"
+    
+    if ($confirm -eq 'y' -or $confirm -eq 'Y') {
+        $removed = 0
+        
+        if ($currentToken) {
+            if (Remove-RegistryValue -Name "OP_SERVICE_ACCOUNT_TOKEN" -Scope "Machine") { $removed++ }
+            if (Remove-RegistryValue -Name "OP_SERVICE_ACCOUNT_TOKEN" -Scope "User") { $removed++ }
+        }
+        
+        if ($currentConfigId) {
+            if (Remove-RegistryValue -Name "OP_CONFIG_ENV_ID" -Scope "Machine") { $removed++ }
+            if (Remove-RegistryValue -Name "OP_CONFIG_ENV_ID" -Scope "User") { $removed++ }
+        }
+        
+        Write-Success "Removed $removed environment variable(s)."
+        Write-Info "Please restart any OpenCode sessions for changes to take effect."
+    } else {
+        Write-Info "Uninstall cancelled."
+    }
+    
+    exit 0
+}
+
+if ($Audit) {
+    # Audit mode
+    Write-Host "Audit Mode" -ForegroundColor Yellow
+    Write-Host "----------" -ForegroundColor Yellow
+    Write-Host ""
+    
+    $token = Get-RegistryValue -Name "OP_SERVICE_ACCOUNT_TOKEN" -Scope "Machine"
+    $configId = Get-RegistryValue -Name "OP_CONFIG_ENV_ID" -Scope "Machine"
+    
+    if (-not $token) {
+        $token = Get-RegistryValue -Name "OP_SERVICE_ACCOUNT_TOKEN" -Scope "User"
+        $configId = Get-RegistryValue -Name "OP_CONFIG_ENV_ID" -Scope "User"
+    }
+    
+    if (-not $token -or -not $configId) {
+        Write-Error "Environment variables not set. Run setup first."
+        exit 1
+    }
+    
+    Write-Info "Testing 1Password connection..."
+    
+    if (Test-1PasswordConnection -Token $token) {
+        Write-Success "1Password connection successful!"
+    } else {
+        Write-Error "Failed to connect to 1Password. Check your service account token."
+        exit 1
+    }
+    
+    Write-Info "Reading configuration from 1Password..."
+    
+    $envIds = Get-1PasswordAudit -Token $token -ConfigEnvId $configId
+    
+    if ($envIds) {
+        $hashtable = @{}
+        foreach ($prop in $envIds.PSObject.Properties) {
+            $hashtable[$prop.Name] = $prop.Value
+        }
+        Show-AuditReport -Token $token -EnvIds $hashtable
+    } else {
+        Write-Error "Failed to read bootstrap environment."
+        exit 1
+    }
+    
+    exit 0
+}
+
+# Setup mode (default)
+Write-Host "Setup Mode" -ForegroundColor Yellow
+Write-Host "----------" -ForegroundColor Yellow
+Write-Host ""
+
+# Check existing values
+$existingToken = Get-RegistryValue -Name "OP_SERVICE_ACCOUNT_TOKEN" -Scope "Machine"
+$existingConfigId = Get-RegistryValue -Name "OP_CONFIG_ENV_ID" -Scope "Machine"
+
+if (-not $existingToken) {
+    $existingToken = Get-RegistryValue -Name "OP_SERVICE_ACCOUNT_TOKEN" -Scope "User"
+    $existingConfigId = Get-RegistryValue -Name "OP_CONFIG_ENV_ID" -Scope "User"
+}
+
+$isUpdate = $existingToken -and $existingConfigId
+
+if ($isUpdate) {
+    Write-Host "Found existing configuration:" -ForegroundColor White
+    Write-Host "  OP_SERVICE_ACCOUNT_TOKEN = $($existingToken.Substring(0, 8))..." -ForegroundColor Gray
+    Write-Host "  OP_CONFIG_ENV_ID = $($existingConfigId.Substring(0, 8))..." -ForegroundColor Gray
+    Write-Host ""
+    
+    $confirm = Read-Host "Update existing values? (y/N)"
+    
+    if ($confirm -ne 'y' -and $confirm -ne 'Y') {
+        Write-Info "Setup cancelled."
+        exit 0
+    }
+}
+
+# Prompt for new values
+Write-Host "Enter your 1Password credentials:" -ForegroundColor White
+Write-Host ""
+
+if (-not $isUpdate) {
+    $token = Read-Host -AsSecureString "  OP_SERVICE_ACCOUNT_TOKEN (service account token)"
+    $token = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($token))
+} else {
+    $token = Read-Host -AsSecureString "  OP_SERVICE_ACCOUNT_TOKEN (leave blank to keep existing)"
+    $token = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($token))
+    if (-not $token) { $token = $existingToken }
+}
+
+if (-not $isUpdate) {
+    $configId = Read-Host "  OP_CONFIG_ENV_ID (bootstrap environment ID)"
+} else {
+    $configId = Read-Host "  OP_CONFIG_ENV_ID (leave blank to keep existing)"
+    if (-not $configId) { $configId = $existingConfigId }
+}
+
+if (-not $token -or -not $configId) {
+    Write-Error "Both token and config ID are required."
+    exit 1
+}
+
+Write-Host ""
+Write-Host "Summary:" -ForegroundColor White
+Write-Host "  OP_SERVICE_ACCOUNT_TOKEN = $($token.Substring(0, 8))..." -ForegroundColor Gray
+Write-Host "  OP_CONFIG_ENV_ID = $($configId.Substring(0, 8))..." -ForegroundColor Gray
+Write-Host ""
+
+# Ask about scope
+Write-Host "Where should these be saved?" -ForegroundColor White
+Write-Host "  [1] Current user only (no admin required)"
+Write-Host "  [2] System-wide (requires administrator privileges)"
+$scopeChoice = Read-Host "Choice"
+
+if ($scopeChoice -eq "2") {
+    $scope = "Machine"
+} else {
+    $scope = "User"
+}
+
+Write-Host ""
+Write-Info "Saving to $scope scope..."
+
+if (Set-RegistryValue -Name "OP_SERVICE_ACCOUNT_TOKEN" -Value $token -Scope $scope) {
+    Write-Success "Saved OP_SERVICE_ACCOUNT_TOKEN"
+} else {
+    Write-Error "Failed to save OP_SERVICE_ACCOUNT_TOKEN"
+    exit 1
+}
+
+if (Set-RegistryValue -Name "OP_CONFIG_ENV_ID" -Value $configId -Scope $scope) {
+    Write-Success "Saved OP_CONFIG_ENV_ID"
+} else {
+    Write-Error "Failed to save OP_CONFIG_ENV_ID"
+    exit 1
+}
+
+Write-Host ""
+Write-Info "Testing 1Password connection..."
+
+if (Test-1PasswordConnection -Token $token) {
+    Write-Success "1Password connection successful!"
+} else {
+    Write-Error "Failed to connect to 1Password. Check your service account token."
+    Write-Info "Environment variables were saved. You may need to restart your terminal."
+    exit 1
+}
+
+Write-Info "Reading configuration..."
+
+$envIds = Get-1PasswordAudit -Token $token -ConfigEnvId $configId
+
+if ($envIds) {
+    $hashtable = @{}
+    foreach ($prop in $envIds.PSObject.Properties) {
+        $hashtable[$prop.Name] = $prop.Value
+    }
+    Show-AuditReport -Token $token -EnvIds $hashtable
+}
+
+Write-Host ""
+Write-Success "Setup complete!"
+Write-Info "Restart OpenCode to activate the plugin."
+Write-Host ""
+Write-Host "Usage:" -ForegroundColor White
+Write-Host "  ./setup.ps1 -Audit    Show current configuration"
+Write-Host "  ./setup.ps1 -Uninstall Remove environment variables"
+Write-Host ""

package/setup.sh

@@ -0,0 +1,444 @@
+#!/bin/bash
+
+# OpenCode 1Password Auth Plugin - Setup Script
+# This script helps configure the environment variables needed for the plugin
+
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
+GRAY='\033[0;90m'
+NC='\033[0m' # No Color
+
+# Functions
+log_banner() {
+    echo ""
+    echo -e "${CYAN}========================================${NC}"
+    echo -e "${CYAN}  OpenCode 1Password Auth Setup${NC}"
+    echo -e "${CYAN}========================================${NC}"
+    echo ""
+}
+
+log_success() {
+    echo -e "${GREEN}[OK]${NC} $1"
+}
+
+log_error() {
+    echo -e "${RED}[ERROR]${NC} $1"
+}
+
+log_info() {
+    echo -e "${YELLOW}[INFO]${NC} $1"
+}
+
+get_existing_values() {
+    if [[ "$OSTYPE" == "darwin"* ]] || [[ "$OSTYPE" == "linux-gnu"* ]]; then
+        OP_SERVICE_ACCOUNT_TOKEN="${OP_SERVICE_ACCOUNT_TOKEN:-}"
+        OP_CONFIG_ENV_ID="${OP_CONFIG_ENV_ID:-}"
+        
+        # Check shell RC files
+        if [[ -f "$HOME/.zshrc" ]] && grep -q "OP_SERVICE_ACCOUNT_TOKEN" "$HOME/.zshrc" 2>/dev/null; then
+            source "$HOME/.zshrc" 2>/dev/null
+        fi
+        if [[ -f "$HOME/.bashrc" ]] && grep -q "OP_SERVICE_ACCOUNT_TOKEN" "$HOME/.bashrc" 2>/dev/null; then
+            source "$HOME/.bashrc" 2>/dev/null
+        fi
+        if [[ -f "$HOME/.bash_profile" ]] && grep -q "OP_SERVICE_ACCOUNT_TOKEN" "$HOME/.bash_profile" 2>/dev/null; then
+            source "$HOME/.bash_profile" 2>/dev/null
+        fi
+    fi
+}
+
+save_to_rc() {
+    local var_name="$1"
+    local var_value="$2"
+    local rc_file="$3"
+    
+    # Remove existing entry if present
+    if [[ -f "$rc_file" ]]; then
+        sed -i.bak "/export ${var_name}=/d" "$rc_file"
+    fi
+    
+    # Add new entry
+    echo "export ${var_name}='${var_value}'" >> "$rc_file"
+    log_success "Added ${var_name} to ${rc_file}"
+}
+
+remove_from_rc() {
+    local var_name="$1"
+    local rc_file="$2"
+    
+    if [[ -f "$rc_file" ]]; then
+        sed -i.bak "/export ${var_name}=/d" "$rc_file"
+        log_success "Removed ${var_name} from ${rc_file}"
+    fi
+}
+
+test_connection() {
+    local token="$1"
+    
+    # Create temporary test script
+    cat > /tmp/test_1p_$$.js << 'EOF'
+const sdk = require('@1password/sdk');
+
+async function test() {
+    const token = process.argv[1];
+    const client = await sdk.createClient({
+        auth: token,
+        integrationName: 'opencode-1password-setup-test',
+        integrationVersion: '1.0.0'
+    });
+    console.log('SUCCESS');
+}
+
+test().catch(err => {
+    console.error('FAILED:', err.message);
+    process.exit(1);
+});
+EOF
+    
+    result=$(node /tmp/test_1p_$$.js "$token" 2>&1)
+    rm -f /tmp/test_1p_$$.js
+    
+    if [[ "$result" == "SUCCESS" ]]; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+get_audit_data() {
+    local token="$1"
+    local config_id="$2"
+    
+    cat > /tmp/audit_1p_$$.js << 'EOF'
+const sdk = require('@1password/sdk');
+
+async function audit() {
+    const token = process.argv[1];
+    const configId = process.argv[2];
+    
+    const client = await sdk.createClient({
+        auth: token,
+        integrationName: 'opencode-1password-setup-test',
+        integrationVersion: '1.0.0'
+    });
+    
+    const { variables } = await client.environments.getVariables(configId);
+    
+    const envIds = {};
+    for (const v of variables) {
+        if (v.name.endsWith('_ENV_ID') && v.value) {
+            envIds[v.name] = v.value;
+        }
+    }
+    
+    console.log(JSON.stringify(envIds));
+}
+
+audit().catch(err => {
+    console.error('FAILED:', err.message);
+    process.exit(1);
+});
+EOF
+    
+    result=$(node /tmp/audit_1p_$$.js "$token" "$config_id" 2>&1)
+    rm -f /tmp/audit_1p_$$.js
+    echo "$result"
+}
+
+show_audit_report() {
+    local token="$1"
+    local env_ids_json="$2"
+    
+    echo ""
+    echo -e "${CYAN}========================================${NC}"
+    echo -e "${CYAN}  Configuration Audit Report${NC}"
+    echo -e "${CYAN}========================================${NC}"
+    echo ""
+    
+    echo -e "${WHITE}Bootstrap Environment References:${NC}"
+    echo "--------------------------------"
+    
+    # Parse JSON manually (macOS doesn't have jq by default)
+    echo "$env_ids_json" | sed 's/[{}"]//g' | tr ',' '\n' | while IFS=':' read -r key value; do
+        if [[ -n "$key" && -n "$value" ]]; then
+            masked="${value:0:10}..."
+            echo -e "  ${key} = ${masked}"
+        fi
+    done
+    
+    echo ""
+    
+    # For each referenced environment, show its contents
+    echo "$env_ids_json" | sed 's/[{}"]//g' | tr ',' '\n' | while IFS=':' read -r key value; do
+        if [[ -n "$key" && -n "$value" && "$key" != *"{"* ]]; then
+            env_id="$value"
+            env_name=$(echo "$key" | sed 's/OPENCODE_//' | sed 's/_ENV_ID//')
+            
+            echo -e "${WHITE}${env_name} Environment:${NC}"
+            echo "--------------------------------"
+            
+            # Read and display this environment
+            cat > /tmp/read_env_$$.js << 'EOFINNER'
+const sdk = require('@1password/sdk');
+
+async function readEnv() {
+    const token = process.argv[1];
+    const envId = process.argv[2];
+    
+    const client = await sdk.createClient({
+        auth: token,
+        integrationName: 'opencode-1password-setup-test',
+        integrationVersion: '1.0.0'
+    });
+    
+    const { variables } = await client.environments.getVariables(envId);
+    
+    for (const v of variables) {
+        const masked = v.value ? v.value.substring(0, 8) + '••••••••' : '(empty)';
+        console.log(v.name + '=' + masked);
+    }
+}
+
+readEnv().catch(err => {
+    console.error('Error:', err.message);
+});
+EOFINNER
+            
+            node /tmp/read_env_$$.js "$token" "$env_id" 2>&1 | while IFS='=' read -r name masked; do
+                if [[ -n "$name" ]]; then
+                    echo -e "  ${name}=${masked}"
+                fi
+            done
+            
+            rm -f /tmp/read_env_$$.js
+            echo ""
+        fi
+    done
+}
+
+# Parse arguments
+UNINSTALL=false
+AUDIT=false
+
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        -u|--uninstall)
+            UNINSTALL=true
+            shift
+            ;;
+        -a|--audit)
+            AUDIT=true
+            shift
+            ;;
+        *)
+            echo "Usage: $0 [--uninstall|--audit]"
+            exit 1
+            ;;
+    esac
+done
+
+# Main script execution
+log_banner
+
+if [[ "$UNINSTALL" == true ]]; then
+    echo -e "${YELLOW}Uninstall Mode${NC}"
+    echo -e "${YELLOW}------------${NC}"
+    echo ""
+    
+    get_existing_values
+    
+    if [[ -z "$OP_SERVICE_ACCOUNT_TOKEN" && -z "$OP_CONFIG_ENV_ID" ]]; then
+        log_info "No environment variables found. Nothing to uninstall."
+        exit 0
+    fi
+    
+    echo "Found the following environment variables:"
+    if [[ -n "$OP_SERVICE_ACCOUNT_TOKEN" ]]; then
+        echo "  OP_SERVICE_ACCOUNT_TOKEN = ${OP_SERVICE_ACCOUNT_TOKEN:0:8}..."
+    fi
+    if [[ -n "$OP_CONFIG_ENV_ID" ]]; then
+        echo "  OP_CONFIG_ENV_ID = ${OP_CONFIG_ENV_ID:0:8}..."
+    fi
+    echo ""
+    
+    read -p "Remove these environment variables? (y/N) " -n 1 -r
+    echo ""
+    
+    if [[ $REPLY =~ ^[Yy]$ ]]; then
+        # Remove from all RC files
+        for rc in "$HOME/.zshrc" "$HOME/.bashrc" "$HOME/.bash_profile"; do
+            if [[ -f "$rc" ]]; then
+                remove_from_rc "OP_SERVICE_ACCOUNT_TOKEN" "$rc"
+                remove_from_rc "OP_CONFIG_ENV_ID" "$rc"
+            fi
+        done
+        
+        # Unset in current session
+        unset OP_SERVICE_ACCOUNT_TOKEN OP_CONFIG_ENV_ID
+        
+        log_success "Removed environment variables."
+        log_info "Please restart any OpenCode sessions for changes to take effect."
+    else
+        log_info "Uninstall cancelled."
+    fi
+    
+    exit 0
+fi
+
+if [[ "$AUDIT" == true ]]; then
+    echo -e "${YELLOW}Audit Mode${NC}"
+    echo -e "${YELLOW}----------${NC}"
+    echo ""
+    
+    get_existing_values
+    
+    if [[ -z "$OP_SERVICE_ACCOUNT_TOKEN" || -z "$OP_CONFIG_ENV_ID" ]]; then
+        log_error "Environment variables not set. Run setup first."
+        exit 1
+    fi
+    
+    log_info "Testing 1Password connection..."
+    
+    if test_connection "$OP_SERVICE_ACCOUNT_TOKEN"; then
+        log_success "1Password connection successful!"
+    else
+        log_error "Failed to connect to 1Password. Check your service account token."
+        exit 1
+    fi
+    
+    log_info "Reading configuration..."
+    
+    env_ids_json=$(get_audit_data "$OP_SERVICE_ACCOUNT_TOKEN" "$OP_CONFIG_ENV_ID")
+    
+    if [[ -n "$env_ids_json" && "$env_ids_json" != "FAILED:"* ]]; then
+        show_audit_report "$OP_SERVICE_ACCOUNT_TOKEN" "$env_ids_json"
+    else
+        log_error "Failed to read bootstrap environment."
+        exit 1
+    fi
+    
+    exit 0
+fi
+
+# Setup mode (default)
+echo -e "${YELLOW}Setup Mode${NC}"
+echo -e "${YELLOW}----------${NC}"
+echo ""
+
+get_existing_values
+
+IS_UPDATE=false
+if [[ -n "$OP_SERVICE_ACCOUNT_TOKEN" && -n "$OP_CONFIG_ENV_ID" ]]; then
+    IS_UPDATE=true
+    echo "Found existing configuration:"
+    echo "  OP_SERVICE_ACCOUNT_TOKEN = ${OP_SERVICE_ACCOUNT_TOKEN:0:8}..."
+    echo "  OP_CONFIG_ENV_ID = ${OP_CONFIG_ENV_ID:0:8}..."
+    echo ""
+    
+    read -p "Update existing values? (y/N) " -n 1 -r
+    echo ""
+    
+    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+        log_info "Setup cancelled."
+        exit 0
+    fi
+fi
+
+# Prompt for new values
+echo "Enter your 1Password credentials:"
+echo ""
+
+if [[ "$IS_UPDATE" == false ]]; then
+    read -s -p "  OP_SERVICE_ACCOUNT_TOKEN: " OP_SERVICE_ACCOUNT_TOKEN
+else
+    read -s -p "  OP_SERVICE_ACCOUNT_TOKEN (leave blank to keep): " NEW_TOKEN
+    if [[ -n "$NEW_TOKEN" ]]; then
+        OP_SERVICE_ACCOUNT_TOKEN="$NEW_TOKEN"
+    fi
+fi
+echo ""
+
+if [[ "$IS_UPDATE" == false ]]; then
+    read -p "  OP_CONFIG_ENV_ID: " OP_CONFIG_ENV_ID
+else
+    read -p "  OP_CONFIG_ENV_ID (leave blank to keep): " NEW_CONFIG_ID
+    if [[ -n "$NEW_CONFIG_ID" ]]; then
+        OP_CONFIG_ENV_ID="$NEW_CONFIG_ID"
+    fi
+fi
+
+if [[ -z "$OP_SERVICE_ACCOUNT_TOKEN" || -z "$OP_CONFIG_ENV_ID" ]]; then
+    log_error "Both token and config ID are required."
+    exit 1
+fi
+
+echo ""
+echo "Summary:"
+echo "  OP_SERVICE_ACCOUNT_TOKEN = ${OP_SERVICE_ACCOUNT_TOKEN:0:8}..."
+echo "  OP_CONFIG_ENV_ID = ${OP_CONFIG_ENV_ID:0:8}..."
+echo ""
+
+# Detect shell and RC file
+if [[ -n "$ZSH_VERSION" ]]; then
+    SHELL_RC="$HOME/.zshrc"
+elif [[ -n "$BASH_VERSION" ]]; then
+    SHELL_RC="$HOME/.bashrc"
+else
+    SHELL_RC="$HOME/.profile"
+fi
+
+echo "Where should these be saved?"
+echo "  [1] Current shell only (no file modification)"
+echo "  [2] Shell RC file (~/.zshrc or ~/.bashrc)"
+read -p "Choice [1]: " scope_choice
+
+if [[ "$scope_choice" == "2" ]]; then
+    log_info "Saving to ${SHELL_RC}..."
+    
+    save_to_rc "OP_SERVICE_ACCOUNT_TOKEN" "$OP_SERVICE_ACCOUNT_TOKEN" "$SHELL_RC"
+    save_to_rc "OP_CONFIG_ENV_ID" "$OP_CONFIG_ENV_ID" "$SHELL_RC"
+    
+    # Also export to current session
+    export OP_SERVICE_ACCOUNT_TOKEN
+    export OP_CONFIG_ENV_ID
+    
+    log_info "Added to ${SHELL_RC}. Restart your shell or run:"
+    echo "  source ${SHELL_RC}"
+else
+    export OP_SERVICE_ACCOUNT_TOKEN
+    export OP_CONFIG_ENV_ID
+    log_info "Exported to current shell only."
+fi
+
+echo ""
+log_info "Testing 1Password connection..."
+
+if test_connection "$OP_SERVICE_ACCOUNT_TOKEN"; then
+    log_success "1Password connection successful!"
+else
+    log_error "Failed to connect to 1Password. Check your service account token."
+    log_info "Environment variables were saved. You may need to restart your terminal."
+    exit 1
+fi
+
+log_info "Reading configuration..."
+
+env_ids_json=$(get_audit_data "$OP_SERVICE_ACCOUNT_TOKEN" "$OP_CONFIG_ENV_ID")
+
+if [[ -n "$env_ids_json" && "$env_ids_json" != "FAILED:"* ]]; then
+    show_audit_report "$OP_SERVICE_ACCOUNT_TOKEN" "$env_ids_json"
+fi
+
+echo ""
+log_success "Setup complete!"
+log_info "Restart OpenCode to activate the plugin."
+echo ""
+echo "Usage:"
+echo "  ./setup.sh --audit    Show current configuration"
+echo "  ./setup.sh --uninstall Remove environment variables"
+echo ""