opencode-1password-auth 1.0.1 → 1.0.3

package/index.ts

@@ -1,8 +1,5 @@
 import type { Plugin } from "@opencode-ai/plugin";
 import * as sdk from "@1password/sdk";
-import * as fs from "fs";
-import * as path from "path";
-import * as os from "os";
 
 interface MCPServerConfig {
   environment?: Record<string, string>;
@@ -21,13 +18,24 @@ interface AuthJson {
   [providerId: string]: ProviderAuth;
 }
 
-const AUTH_JSON_PATH = path.join(os.homedir(), ".local", "share", "opencode", "auth.json");
-const OPENCODE_JSON_PATH = path.join(os.homedir(), ".config", "opencode", "opencode.json");
-
-export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
+export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
   let opClient: Awaited<ReturnType<typeof sdk.createClient>> | null = null;
   let mcpsEnvId: string | undefined;
 
+  const getHomeDir = (): string => {
+    return process.env.HOME || process.env.USERPROFILE || "";
+  };
+
+  const getAuthJsonPath = (): string => {
+    const home = getHomeDir();
+    return `${home}/.local/share/opencode/auth.json`;
+  };
+
+  const getOpenCodeJsonPath = (): string => {
+    const home = getHomeDir();
+    return `${home}/.config/opencode/opencode.json`;
+  };
+
   const initClient = async () => {
     const token = process.env.OP_SERVICE_ACCOUNT_TOKEN;
     if (!token) {
@@ -71,14 +79,21 @@ export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
   };
 
   const updateAuthJson = async (providerEnvId: string): Promise<void> => {
-    if (!fs.existsSync(AUTH_JSON_PATH)) {
-      console.log("1Password: auth.json not found, skipping");
-      return;
-    }
+    const authJsonPath = getAuthJsonPath();
 
     try {
-      const content = fs.readFileSync(AUTH_JSON_PATH, "utf-8");
-      const auth: AuthJson = JSON.parse(content);
+      // Read current auth.json using cat
+      const catResult = await $`cat "${authJsonPath}"`;
+      const content = catResult.stdout;
+      let auth: AuthJson;
+
+      try {
+        auth = JSON.parse(content);
+      } catch {
+        console.log("1Password: auth.json is not valid JSON, skipping");
+        return;
+      }
+
       let modified = false;
 
       for (const [providerId, authConfig] of Object.entries(auth)) {
@@ -91,7 +106,10 @@ export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
       }
 
       if (modified) {
-        fs.writeFileSync(AUTH_JSON_PATH, JSON.stringify(auth, null, 2));
+        // Write updated content using a temp file and mv
+        const newContent = JSON.stringify(auth, null, 2);
+        // Use node to write the file since $ heredocs can be tricky
+        await $`node -e "const fs=require('fs'); fs.writeFileSync('${authJsonPath}', JSON.stringify(${JSON.stringify(auth)}, null, 2));"`;
         console.log("1Password: auth.json updated to use environment variables");
       }
     } catch (err) {
@@ -100,14 +118,20 @@ export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
   };
 
   const updateOpenCodeJsonMCP = async (mcpEnvId: string): Promise<void> => {
-    if (!fs.existsSync(OPENCODE_JSON_PATH)) {
-      console.log("1Password: opencode.json not found, skipping");
-      return;
-    }
+    const openCodeJsonPath = getOpenCodeJsonPath();
 
     try {
-      const content = fs.readFileSync(OPENCODE_JSON_PATH, "utf-8");
-      const config = JSON.parse(content);
+      // Read current opencode.json using cat
+      const catResult = await $`cat "${openCodeJsonPath}"`;
+      const content = catResult.stdout;
+      let config: OpenCodeConfig;
+
+      try {
+        config = JSON.parse(content);
+      } catch {
+        console.log("1Password: opencode.json is not valid JSON, skipping");
+        return;
+      }
 
       if (!config.mcp) {
         console.log("1Password: No MCP configuration found, skipping");
@@ -130,7 +154,8 @@ export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
       }
 
       if (modified) {
-        fs.writeFileSync(OPENCODE_JSON_PATH, JSON.stringify(config, null, 2));
+        // Write updated content
+        await $`node -e "const fs=require('fs'); fs.writeFileSync('${openCodeJsonPath}', JSON.stringify(${JSON.stringify(config)}, null, 2));"`;
         console.log("1Password: opencode.json MCP config updated to use environment variables");
       }
     } catch (err) {
@@ -147,7 +172,7 @@ export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
       if (!apiKey) continue;
 
       try {
-        await ctx.client.auth.set({
+        await client.auth.set({
           path: { id: providerId },
           body: { type: "api", key: apiKey },
         });
@@ -162,7 +187,7 @@ export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
     const vars = new Set<string>();
 
     try {
-      const config = ctx.config as OpenCodeConfig;
+      const config = client.config as OpenCodeConfig;
       if (config?.mcp) {
         for (const [, serverConfig] of Object.entries(config.mcp)) {
           if (serverConfig?.environment) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-1password-auth",
-  "version": "1.0.1",
+  "version": "1.0.3",
   "description": "1Password integration for OpenCode - authenticate providers and inject MCP secrets from 1Password environments",
   "type": "module",
   "main": "index.ts",

package/setup.ps1

@@ -3,7 +3,8 @@
 
 param(
     [switch]$Uninstall,
-    [switch]$Audit
+    [switch]$Audit,
+    [switch]$UpdateConfig
 )
 
 # Colors for output
@@ -65,6 +66,137 @@ function Remove-RegistryValue {
     }
 }
 
+function Get-OpenCodeAuthJsonPath {
+    $home = if ($env:USERPROFILE) { $env:USERPROFILE } else { $env:USERPROFILE }
+    return "$home/.local/share/opencode/auth.json"
+}
+
+function Get-OpenCodeConfigJsonPath {
+    $home = if ($env:USERPROFILE) { $env:USERPROFILE } else { $env:USERPROFILE }
+    return "$home/.config/opencode/opencode.json"
+}
+
+function Update-ConfigFiles {
+    param([string]$Token, [string]$ProvidersEnvId, [string]$McpsEnvId)
+    
+    $nodeModulesPath = Get-OpenCodeNodeModulesPath
+    if (-not $nodeModulesPath) {
+        Write-Error "Could not find @1password/sdk in any node_modules directory"
+        return
+    }
+    
+    $sdkPath = ($nodeModulesPath -replace '\\', '/') + "/@1password/sdk/dist/sdk.js"
+    
+    # Get provider secrets from 1Password
+    Write-Info "Reading provider secrets from 1Password..."
+    
+    $script = @"
+const sdk = require('${sdkPath}');
+
+async function getSecrets() {
+    const client = await sdk.createClient({
+        auth: '${Token}',
+        integrationName: 'opencode-1password-setup',
+        integrationVersion: '1.0.0'
+    });
+    
+    const providers = {};
+    const { variables: providerVars } = await client.environments.getVariables('${ProvidersEnvId}');
+    for (const v of providerVars) {
+        if (v.value) providers[v.name] = v.value;
+    }
+    
+    const mcps = {};
+    if ('${McpsEnvId}') {
+        const { variables: mcpVars } = await client.environments.getVariables('${McpsEnvId}');
+        for (const v of mcpVars) {
+            if (v.value) mcps[v.name] = v.value;
+        }
+    }
+    
+    console.log(JSON.stringify({ providers, mcps }));
+}
+
+getSecrets().catch(err => { console.error('FAILED:', err.message); process.exit(1); });
+"@
+    
+    $tempScript = [System.IO.Path]::GetTempFileName() -replace '\.tmp$', '.js'
+    $script | Out-File -FilePath $tempScript -Encoding UTF8 -NoNewline
+    
+    $result = & node $tempScript 2>&1 | Out-String
+    Remove-Item $tempScript -ErrorAction SilentlyContinue
+    
+    if ($result -match "FAILED:") {
+        Write-Error "Failed to read secrets from 1Password: $($result -replace 'FAILED:', '')"
+        return
+    }
+    
+    $secrets = $result | ConvertFrom-Json
+    
+    # Update auth.json
+    $authJsonPath = Get-OpenCodeAuthJsonPath
+    Write-Info "Updating auth.json..."
+    
+    if (Test-Path $authJsonPath) {
+        $authContent = Get-Content $authJsonPath -Raw -Encoding UTF8
+        $auth = $authContent | ConvertFrom-Json
+        
+        $modified = $false
+        foreach ($providerId in $auth.PSObject.Properties.Name) {
+            $authConfig = $auth.$providerId
+            if ($authConfig.key -and -not $authConfig.key.StartsWith("{env:")) {
+                $authConfig.key = "{env:$providerId}"
+                $modified = $true
+                Write-Success "Updated $providerId -> {env:$providerId}"
+            }
+        }
+        
+        if ($modified) {
+            $auth | ConvertTo-Json -Depth 10 | Set-Content $authJsonPath -Encoding UTF8 -NoNewline
+            Write-Success "auth.json updated"
+        } else {
+            Write-Info "auth.json already uses environment variable references"
+        }
+    } else {
+        Write-Info "auth.json not found at $authJsonPath"
+    }
+    
+    # Update opencode.json MCP config
+    $configJsonPath = Get-OpenCodeConfigJsonPath
+    Write-Info "Updating opencode.json MCP config..."
+    
+    if (Test-Path $configJsonPath) {
+        $configContent = Get-Content $configJsonPath -Raw -Encoding UTF8
+        $config = $configContent | ConvertFrom-Json
+        
+        $modified = $false
+        if ($config.mcp) {
+            foreach ($serverName in $config.mcp.PSObject.Properties.Name) {
+                $serverConfig = $config.mcp.$serverName
+                if ($serverConfig.environment) {
+                    foreach ($key in $serverConfig.environment.PSObject.Properties.Name) {
+                        $value = $serverConfig.environment.$key
+                        if ($value -and -not $value.StartsWith("{env:") -and -not $value.StartsWith("$")) {
+                            $serverConfig.environment.$key = "{env:$key}"
+                            $modified = $true
+                            Write-Success "Updated $serverName.$key -> {env:$key}"
+                        }
+                    }
+                }
+            }
+        }
+        
+        if ($modified) {
+            $config | ConvertTo-Json -Depth 10 | Set-Content $configJsonPath -Encoding UTF8 -NoNewline
+            Write-Success "opencode.json updated"
+        } else {
+            Write-Info "opencode.json already uses environment variable references"
+        }
+    } else {
+        Write-Info "opencode.json not found at $configJsonPath"
+    }
+}
+
 function Get-OpenCodeNodeModulesPath {
     $paths = @(
         "$env:USERPROFILE\.cache\opencode\node_modules",
@@ -320,6 +452,66 @@ if ($Audit) {
     exit 0
 }
 
+if ($UpdateConfig) {
+    # Update Config mode
+    Write-Host "Update Config Mode" -ForegroundColor Yellow
+    Write-Host "------------------" -ForegroundColor Yellow
+    Write-Host ""
+    
+    $token = Get-RegistryValue -Name "OP_SERVICE_ACCOUNT_TOKEN" -Scope "Machine"
+    $configId = Get-RegistryValue -Name "OP_CONFIG_ENV_ID" -Scope "Machine"
+    
+    if (-not $token) {
+        $token = Get-RegistryValue -Name "OP_SERVICE_ACCOUNT_TOKEN" -Scope "User"
+        $configId = Get-RegistryValue -Name "OP_CONFIG_ENV_ID" -Scope "User"
+    }
+    
+    if (-not $token -or -not $configId) {
+        Write-Error "Environment variables not set. Run setup first."
+        exit 1
+    }
+    
+    Write-Info "Testing 1Password connection..."
+    
+    if (Test-1PasswordConnection -Token $token) {
+        Write-Success "1Password connection successful!"
+    } else {
+        Write-Error "Failed to connect to 1Password. Check your service account token."
+        exit 1
+    }
+    
+    Write-Info "Reading configuration from 1Password..."
+    
+    $envIds = Get-1PasswordAudit -Token $token -ConfigEnvId $configId
+    
+    if ($envIds) {
+        $providersEnvId = $null
+        $mcpsEnvId = $null
+        
+        foreach ($prop in $envIds.PSObject.Properties) {
+            if ($prop.Name -eq "OPENCODE_PROVIDERS_ENV_ID") {
+                $providersEnvId = $prop.Value
+            } elseif ($prop.Name -eq "OPENCODE_MCPS_ENV_ID") {
+                $mcpsEnvId = $prop.Value
+            }
+        }
+        
+        if ($providersEnvId) {
+            Write-Info "Updating config files to use environment variables..."
+            Update-ConfigFiles -Token $token -ProvidersEnvId $providersEnvId -McpsEnvId $mcpsEnvId
+            Write-Success "Config update complete!"
+        } else {
+            Write-Error "Could not find OPENCODE_PROVIDERS_ENV_ID in bootstrap environment"
+            exit 1
+        }
+    } else {
+        Write-Error "Failed to read bootstrap environment."
+        exit 1
+    }
+    
+    exit 0
+}
+
 # Setup mode (default)
 Write-Host "Setup Mode" -ForegroundColor Yellow
 Write-Host "----------" -ForegroundColor Yellow
@@ -438,6 +630,7 @@ Write-Success "Setup complete!"
 Write-Info "Restart OpenCode to activate the plugin."
 Write-Host ""
 Write-Host "Usage:" -ForegroundColor White
-Write-Host "  ./setup.ps1 -Audit    Show current configuration"
-Write-Host "  ./setup.ps1 -Uninstall Remove environment variables"
+Write-Host "  ./setup.ps1 -Audit         Show current configuration"
+Write-Host "  ./setup.ps1 -UpdateConfig  Update config files to use {env:VAR} references"
+Write-Host "  ./setup.ps1 -Uninstall    Remove environment variables"
 Write-Host ""

package/setup.sh

@@ -221,9 +221,161 @@ EOFINNER
     done
 }
 
+update_config_files() {
+    local token="$1"
+    local providers_env_id="$2"
+    local mcps_env_id="$3"
+    
+    log_info "Reading secrets from 1Password..."
+    
+    # Get provider and MCP secrets
+    cat > /tmp/update_config_$$.js << 'EOF'
+const sdk = require('@1password/sdk');
+
+async function getSecrets() {
+    const token = process.argv[1];
+    const providersEnvId = process.argv[2];
+    const mcpsEnvId = process.argv[3];
+    
+    const client = await sdk.createClient({
+        auth: token,
+        integrationName: 'opencode-1password-setup',
+        integrationVersion: '1.0.0'
+    });
+    
+    const providers = {};
+    const { variables: providerVars } = await client.environments.getVariables(providersEnvId);
+    for (const v of providerVars) {
+        if (v.value) providers[v.name] = v.value;
+    }
+    
+    const mcps = {};
+    if (mcpsEnvId) {
+        const { variables: mcpVars } = await client.environments.getVariables(mcpsEnvId);
+        for (const v of mcpVars) {
+            if (v.value) mcps[v.name] = v.value;
+        }
+    }
+    
+    console.log(JSON.stringify({ providers, mcps }));
+}
+
+getSecrets().catch(err => {
+    console.error('FAILED:', err.message);
+    process.exit(1);
+});
+EOF
+    
+    result=$(node /tmp/update_config_$$.js "$token" "$providers_env_id" "$mcps_env_id" 2>&1)
+    rm -f /tmp/update_config_$$.js
+    
+    if [[ "$result" == "FAILED:"* ]]; then
+        log_error "Failed to read secrets from 1Password: $result"
+        return 1
+    fi
+    
+    # Get home directory
+    home="${HOME:-}"
+    if [[ -z "$home" ]]; then
+        home=$(eval echo ~)
+    fi
+    
+    # Update auth.json
+    auth_json_path="$home/.local/share/opencode/auth.json"
+    log_info "Updating auth.json..."
+    
+    if [[ -f "$auth_json_path" ]]; then
+        # Read auth.json and update
+        auth_content=$(cat "$auth_json_path")
+        # Use node to parse and update JSON
+        cat > /tmp/update_auth_$$.js << 'EOFJ'
+const fs = require('fs');
+const authPath = process.argv[1];
+const auth = JSON.parse(fs.readFileSync(authPath, 'utf8'));
+
+let modified = false;
+for (const [providerId, authConfig] of Object.entries(auth)) {
+    if (authConfig.key && !authConfig.key.startsWith('{env:')) {
+        authConfig.key = '{env:' + providerId + '}';
+        modified = true;
+        console.log('Updated ' + providerId + ' -> {env:' + providerId + '}');
+    }
+}
+
+if (modified) {
+    fs.writeFileSync(authPath, JSON.stringify(auth, null, 2));
+    console.log('auth.json updated');
+} else {
+    console.log('auth.json already uses environment variable references');
+}
+EOFJ
+        
+        update_result=$(node /tmp/update_auth_$$.js "$auth_json_path" 2>&1)
+        rm -f /tmp/update_auth_$$.js
+        echo "$update_result" | while read line; do
+            if [[ "$line" == Updated* ]] || [[ "$line" == *updated* ]]; then
+                log_success "$(echo "$line" | sed 's/Updated/Updated/')"
+            else
+                log_info "$line"
+            fi
+        done
+    else
+        log_info "auth.json not found at $auth_json_path"
+    fi
+    
+    # Update opencode.json MCP config
+    config_json_path="$home/.config/opencode/opencode.json"
+    log_info "Updating opencode.json MCP config..."
+    
+    if [[ -f "$config_json_path" ]]; then
+        cat > /tmp/update_mcp_$$.js << 'EOFMCP'
+const fs = require('fs');
+const configPath = process.argv[1];
+const config = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+
+let modified = false;
+if (config.mcp) {
+    for (const [serverName, serverConfig] of Object.entries(config.mcp)) {
+        if (serverConfig && serverConfig.environment) {
+            for (const [key, value] of Object.entries(serverConfig.environment)) {
+                if (value && !value.startsWith('{env:') && !value.startsWith('$')) {
+                    serverConfig.environment[key] = '{env:' + key + '}';
+                    modified = true;
+                    console.log('Updated ' + serverName + '.' + key + ' -> {env:' + key + '}');
+                }
+            }
+        }
+    }
+}
+
+if (modified) {
+    fs.writeFileSync(configPath, JSON.stringify(config, null, 2));
+    console.log('opencode.json updated');
+} else {
+    console.log('opencode.json already uses environment variable references');
+}
+EOFMCP
+        
+        update_result=$(node /tmp/update_mcp_$$.js "$config_json_path" 2>&1)
+        rm -f /tmp/update_mcp_$$.js
+        echo "$update_result" | while read line; do
+            if [[ "$line" == Updated* ]] || [[ "$line" == *updated* ]]; then
+                log_success "$(echo "$line" | sed 's/Updated/Updated/')"
+            else
+                log_info "$line"
+            fi
+        done
+    else
+        log_info "opencode.json not found at $config_json_path"
+    fi
+    
+    log_success "Config update complete!"
+}
+
 # Parse arguments
 UNINSTALL=false
 AUDIT=false
+UPDATE_CONFIG=false
 
 while [[ $# -gt 0 ]]; do
     case $1 in
@@ -235,8 +387,12 @@ while [[ $# -gt 0 ]]; do
             AUDIT=true
             shift
             ;;
+        -c|--update-config)
+            UPDATE_CONFIG=true
+            shift
+            ;;
         *)
-            echo "Usage: $0 [--uninstall|--audit]"
+            echo "Usage: $0 [--uninstall|--audit|--update-config]"
             exit 1
             ;;
     esac
@@ -325,6 +481,51 @@ if [[ "$AUDIT" == true ]]; then
     exit 0
 fi
 
+if [[ "$UPDATE_CONFIG" == true ]]; then
+    echo -e "${YELLOW}Update Config Mode${NC}"
+    echo -e "${YELLOW}------------------${NC}"
+    echo ""
+    
+    get_existing_values
+    
+    if [[ -z "$OP_SERVICE_ACCOUNT_TOKEN" || -z "$OP_CONFIG_ENV_ID" ]]; then
+        log_error "Environment variables not set. Run setup first."
+        exit 1
+    fi
+    
+    log_info "Testing 1Password connection..."
+    
+    if test_connection "$OP_SERVICE_ACCOUNT_TOKEN"; then
+        log_success "1Password connection successful!"
+    else
+        log_error "Failed to connect to 1Password. Check your service account token."
+        exit 1
+    fi
+    
+    log_info "Reading configuration from 1Password..."
+    
+    env_ids_json=$(get_audit_data "$OP_SERVICE_ACCOUNT_TOKEN" "$OP_CONFIG_ENV_ID")
+    
+    if [[ -n "$env_ids_json" && "$env_ids_json" != "FAILED:"* ]]; then
+        # Parse JSON to extract env IDs
+        providers_env_id=$(echo "$env_ids_json" | sed -n 's/.*"OPENCODE_PROVIDERS_ENV_ID":"\([^"]*\)".*/\1/p')
+        mcps_env_id=$(echo "$env_ids_json" | sed -n 's/.*"OPENCODE_MCPS_ENV_ID":"\([^"]*\)".*/\1/p')
+        
+        if [[ -n "$providers_env_id" ]]; then
+            log_info "Updating config files to use environment variables..."
+            update_config_files "$OP_SERVICE_ACCOUNT_TOKEN" "$providers_env_id" "$mcps_env_id"
+        else
+            log_error "Could not find OPENCODE_PROVIDERS_ENV_ID in bootstrap environment"
+            exit 1
+        fi
+    else
+        log_error "Failed to read bootstrap environment."
+        exit 1
+    fi
+    
+    exit 0
+fi
+
 # Setup mode (default)
 echo -e "${YELLOW}Setup Mode${NC}"
 echo -e "${YELLOW}----------${NC}"
@@ -439,6 +640,7 @@ log_success "Setup complete!"
 log_info "Restart OpenCode to activate the plugin."
 echo ""
 echo "Usage:"
-echo "  ./setup.sh --audit    Show current configuration"
-echo "  ./setup.sh --uninstall Remove environment variables"
+echo "  ./setup.sh --audit          Show current configuration"
+echo "  ./setup.sh --update-config  Update config files to use {env:VAR} references"
+echo "  ./setup.sh --uninstall     Remove environment variables"
 echo ""