opencode-1password-auth 1.0.1 → 1.0.5

package/README.md

@@ -31,7 +31,9 @@ Create these environments in 1Password:
 - `OPENCODE_MCPS_ENV_ID` - Environment ID containing MCP server secrets
 
 **Providers Environment** (holds API keys):
-- Provider IDs as variable names (e.g., `MINIMAX_CODING_PLAN`, `DEEPSEEK`, `OPENCODE`)
+- Variable names should match provider IDs (case-insensitive, underscores converted to hyphens)
+- Examples: `opencode`, `OPENCODE`, `deepseek`, `DEEPSEEK`, `minimax-coding-plan`, `MINIMAX_CODING_PLAN`
+- The plugin normalizes: lowercase + underscores → hyphens
 - API keys as values
 
 **MCPS Environment** (holds MCP secrets):
@@ -97,9 +99,9 @@ To change configurations, simply update `OP_CONFIG_ENV_ID` to point to a differe
 ### Providers Environment
 ```
 opencode-providers
-├── MINIMAX_CODING_PLAN = your-minimax-api-key
-├── DEEPSEEK = your-deepseek-api-key
-└── OPENCODE = your-opencode-api-key
+├── opencode = your-opencode-api-key           # or OPENCODE
+├── deepseek = your-deepseek-api-key           # or DEEPSEEK
+└── minimax-coding-plan = your-minimax-api-key # or MINIMAX_CODING_PLAN
 ```
 
 ### MCPS Environment

package/index-v2.ts

@@ -0,0 +1,387 @@
+import type { Plugin } from "@opencode-ai/plugin";
+import * as sdk from "@1password/sdk";
+
+// Debug logging to file
+const debugLog = (message: string) => {
+  const timestamp = new Date().toISOString();
+  const logMessage = `[${timestamp}] 1Password: ${message}\n`;
+  console.log(logMessage.trim());
+  
+  try {
+    // Try to write to a debug log file
+    const fs = require('fs');
+    const path = require('path');
+    const home = process.env.HOME || process.env.USERPROFILE || '';
+    const logDir = path.join(home, '.opencode-1password-debug');
+    if (!fs.existsSync(logDir)) {
+      fs.mkdirSync(logDir, { recursive: true });
+    }
+    const logFile = path.join(logDir, 'debug.log');
+    fs.appendFileSync(logFile, logMessage);
+  } catch (err) {
+    // Ignore file logging errors
+  }
+};
+
+interface MCPServerConfig {
+  environment?: Record<string, string>;
+}
+
+interface OpenCodeConfig {
+  mcp?: Record<string, MCPServerConfig>;
+}
+
+interface ProviderAuth {
+  type: string;
+  key: string;
+}
+
+interface AuthJson {
+  [providerId: string]: ProviderAuth;
+}
+
+export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
+  let opClient: Awaited<ReturnType<typeof sdk.createClient>> | null = null;
+  let mcpsEnvId: string | undefined;
+
+  debugLog("Plugin loaded");
+
+  const normalizeProviderId = (variableName: string): string => {
+    // Convert common patterns to match auth.json provider IDs
+    // e.g., "MINIMAX_CODING_PLAN" -> "minimax-coding-plan"
+    // e.g., "OPENCODE" -> "opencode"
+    // e.g., "DEEPSEEK" -> "deepseek"
+    
+    let normalized = variableName.toLowerCase();
+    
+    // Convert underscores to hyphens
+    normalized = normalized.replace(/_/g, '-');
+    
+    debugLog(`Normalized ${variableName} -> ${normalized}`);
+    return normalized;
+  };
+
+  const getAlternativeEnvVarNames = (providerId: string): string[] => {
+    // Generate all possible env var names that might be used
+    const names = new Set<string>();
+    
+    // Original providerId (e.g., "minimax-coding-plan")
+    names.add(providerId);
+    
+    // Uppercase version (e.g., "MINIMAX-CODING-PLAN")
+    names.add(providerId.toUpperCase());
+    
+    // With underscores instead of hyphens (e.g., "minimax_coding_plan")
+    names.add(providerId.replace(/-/g, '_'));
+    
+    // Uppercase with underscores (e.g., "MINIMAX_CODING_PLAN")
+    names.add(providerId.replace(/-/g, '_').toUpperCase());
+    
+    // Just the first part (e.g., "minimax")
+    const firstPart = providerId.split('-')[0];
+    if (firstPart && firstPart !== providerId) {
+      names.add(firstPart);
+      names.add(firstPart.toUpperCase());
+    }
+    
+    return Array.from(names);
+  };
+
+  const getHomeDir = (): string => {
+    return process.env.HOME || process.env.USERPROFILE || "";
+  };
+
+  const getAuthJsonPath = (): string => {
+    const home = getHomeDir();
+    return `${home}/.local/share/opencode/auth.json`;
+  };
+
+  const getOpenCodeJsonPath = (): string => {
+    const home = getHomeDir();
+    return `${home}/.config/opencode/opencode.json`;
+  };
+
+  const initClient = async () => {
+    const token = process.env.OP_SERVICE_ACCOUNT_TOKEN;
+    if (!token) {
+      debugLog("Missing OP_SERVICE_ACCOUNT_TOKEN");
+      return null;
+    }
+
+    try {
+      return await sdk.createClient({
+        auth: token,
+        integrationName: "opencode-1password-env",
+        integrationVersion: "1.0.0",
+      });
+    } catch (err) {
+      debugLog(`Failed to create client: ${err}`);
+      return null;
+    }
+  };
+
+  const readEnvironmentVariables = async (envId: string) => {
+    if (!opClient) return [];
+
+    try {
+      const { variables } = await opClient.environments.getVariables(envId);
+      debugLog(`Read ${variables?.length || 0} variables from environment ${envId}`);
+      return variables || [];
+    } catch (err) {
+      debugLog(`Failed to read environment ${envId}: ${err}`);
+      return [];
+    }
+  };
+
+  const getSecretsFromEnvironment = async (envId: string): Promise<Record<string, string>> => {
+    const vars = await readEnvironmentVariables(envId);
+    const secrets: Record<string, string> = {};
+    for (const v of vars) {
+      if (v.value) {
+        secrets[v.name] = v.value;
+        debugLog(`Found secret: ${v.name} (${v.value.length} chars)`);
+      }
+    }
+    return secrets;
+  };
+
+  const updateAuthJson = async (providerEnvId: string): Promise<void> => {
+    const authJsonPath = getAuthJsonPath();
+
+    try {
+      // Read current auth.json using cat
+      const catResult = await $`cat "${authJsonPath}"`;
+      const content = catResult.stdout;
+      let auth: AuthJson;
+
+      try {
+        auth = JSON.parse(content);
+      } catch {
+        debugLog("auth.json is not valid JSON, skipping");
+        return;
+      }
+
+      let modified = false;
+
+      for (const [providerId, authConfig] of Object.entries(auth)) {
+        if (authConfig.key && !authConfig.key.startsWith("{env:")) {
+          // Replace hardcoded key with env var reference
+          authConfig.key = `{env:${providerId}}`;
+          modified = true;
+          debugLog(`Updated auth.json - ${providerId} -> {env:${providerId}}`);
+        }
+      }
+
+      if (modified) {
+        // Write updated content using a temp file and mv
+        const newContent = JSON.stringify(auth, null, 2);
+        // Use node to write the file since $ heredocs can be tricky
+        await $`node -e "const fs=require('fs'); fs.writeFileSync('${authJsonPath}', JSON.stringify(${JSON.stringify(auth)}, null, 2));"`;
+        debugLog("auth.json updated to use environment variables");
+      }
+    } catch (err) {
+      debugLog(`Failed to update auth.json: ${err}`);
+    }
+  };
+
+  const updateOpenCodeJsonMCP = async (mcpEnvId: string): Promise<void> => {
+    const openCodeJsonPath = getOpenCodeJsonPath();
+
+    try {
+      // Read current opencode.json using cat
+      const catResult = await $`cat "${openCodeJsonPath}"`;
+      const content = catResult.stdout;
+      let config: OpenCodeConfig;
+
+      try {
+        config = JSON.parse(content);
+      } catch {
+        debugLog("opencode.json is not valid JSON, skipping");
+        return;
+      }
+
+      if (!config.mcp) {
+        debugLog("No MCP configuration found, skipping");
+        return;
+      }
+
+      let modified = false;
+
+      for (const [serverName, serverConfig] of Object.entries(config.mcp)) {
+        if (serverConfig?.environment) {
+          for (const [key, value] of Object.entries(serverConfig.environment)) {
+            if (typeof value === "string" && !value.startsWith("{env:") && !value.startsWith("$")) {
+              // Replace hardcoded value with env var reference
+              serverConfig.environment[key] = `{env:${key}}`;
+              modified = true;
+              debugLog(`Updated opencode.json - ${serverName}.${key} -> {env:${key}}`);
+            }
+          }
+        }
+      }
+
+      if (modified) {
+        // Write updated content
+        await $`node -e "const fs=require('fs'); fs.writeFileSync('${openCodeJsonPath}', JSON.stringify(${JSON.stringify(config)}, null, 2));"`;
+        debugLog("opencode.json MCP config updated to use environment variables");
+      }
+    } catch (err) {
+      debugLog(`Failed to update opencode.json: ${err}`);
+    }
+  };
+
+  const authenticateProviders = async (providerEnvId: string): Promise<void> => {
+    if (!opClient) return;
+
+    debugLog(`Reading provider secrets from environment ${providerEnvId}`);
+    const secrets = await getSecretsFromEnvironment(providerEnvId);
+    debugLog(`Found ${Object.keys(secrets).length} provider secrets`);
+
+    for (const [variableName, apiKey] of Object.entries(secrets)) {
+      if (!apiKey) continue;
+
+      const providerId = normalizeProviderId(variableName);
+      debugLog(`Processing ${variableName} -> ${providerId} (key length: ${apiKey.length})`);
+      
+      // Set environment variables in multiple formats
+      const envVarNames = getAlternativeEnvVarNames(providerId);
+      for (const envVarName of envVarNames) {
+        process.env[envVarName] = apiKey;
+        debugLog(`Set process.env.${envVarName} = ${apiKey.substring(0, 8)}...`);
+      }
+      
+      try {
+        // Authenticate with OpenCode runtime
+        debugLog(`Calling client.auth.set for ${providerId}`);
+        await client.auth.set({
+          path: { id: providerId },
+          body: { type: "api", key: apiKey },
+        });
+        debugLog(`✓ ${providerId} authenticated (from ${variableName})`);
+      } catch (err) {
+        debugLog(`Failed to authenticate ${providerId}: ${err}`);
+        if (err instanceof Error) {
+          debugLog(`Error message: ${err.message}`);
+        }
+      }
+    }
+  };
+
+  const getConfiguredMCPVars = (): Set<string> => {
+    const vars = new Set<string>();
+
+    try {
+      const config = client.config as OpenCodeConfig;
+      if (config?.mcp) {
+        for (const [, serverConfig] of Object.entries(config.mcp)) {
+          if (serverConfig?.environment) {
+            for (const [key] of Object.entries(serverConfig.environment)) {
+              if (key.startsWith("{env:")) {
+                const envVar = key.slice(5, -1);
+                vars.add(envVar);
+              } else {
+                vars.add(key);
+              }
+            }
+          }
+        }
+      }
+    } catch (err) {
+      debugLog(`Failed to read MCP config: ${err}`);
+    }
+
+    return vars;
+  };
+
+  const injectMCPSecrets = async (mcpEnvId: string): Promise<Record<string, string>> => {
+    const neededVars = getConfiguredMCPVars();
+    if (neededVars.size === 0) {
+      return {};
+    }
+
+    const secrets = await getSecretsFromEnvironment(mcpEnvId);
+    const toInject: Record<string, string> = {};
+
+    for (const varName of neededVars) {
+      if (secrets[varName]) {
+        toInject[varName] = secrets[varName];
+      }
+    }
+
+    return toInject;
+  };
+
+  return {
+    async event({ event }: { event: { type: string } }) {
+      debugLog(`Received event: ${event.type}`);
+      if (event.type === "server.connected") {
+        debugLog("Initializing...");
+
+        opClient = await initClient();
+        if (!opClient) {
+          debugLog("No client available");
+          return;
+        }
+
+        const configEnvId = process.env.OP_CONFIG_ENV_ID;
+        if (!configEnvId) {
+          debugLog("Missing OP_CONFIG_ENV_ID");
+          return;
+        }
+
+        debugLog(`Reading config from environment ${configEnvId}`);
+        const vars = await readEnvironmentVariables(configEnvId);
+        const configEnvIds: Record<string, string> = {};
+        for (const v of vars) {
+          if (v.name.endsWith("_ENV_ID") && v.value) {
+            configEnvIds[v.name] = v.value;
+            debugLog(`Found ${v.name} = ${v.value.substring(0, 10)}...`);
+          }
+        }
+
+        const providersEnvId = configEnvIds.OPENCODE_PROVIDERS_ENV_ID;
+        if (providersEnvId) {
+          // First update the config files to use env var references
+          await updateAuthJson(providersEnvId);
+          await authenticateProviders(providersEnvId);
+        }
+
+        const mcpEnvIdFromConfig = configEnvIds.OPENCODE_MCPS_ENV_ID;
+        if (mcpEnvIdFromConfig) {
+          mcpsEnvId = mcpEnvIdFromConfig;
+          await updateOpenCodeJsonMCP(mcpEnvIdFromConfig);
+          const toInject = await injectMCPSecrets(mcpEnvIdFromConfig);
+          if (Object.keys(toInject).length > 0) {
+            debugLog(`Injected ${Object.keys(toInject).join(", ")} for MCP`);
+          }
+        }
+
+        debugLog("Initialization complete");
+      }
+    },
+
+    async "shell.env"(input, output) {
+      if (!opClient || !mcpsEnvId) return;
+
+      const toInject = await injectMCPSecrets(mcpsEnvId);
+
+      for (const [varName, value] of Object.entries(toInject)) {
+        output.env[varName] = value;
+        debugLog(`Injected ${varName} into shell environment`);
+      }
+    },
+
+    async "tool.execute.before"(input) {
+      if (input.tool !== "read") return;
+
+      const fileArgs = input.args as { filePath?: string } | undefined;
+      if (fileArgs?.filePath && fileArgs.filePath.includes(".env")) {
+        debugLog(
+          "Warning - .env file access detected. Consider using 1Password for secrets management."
+        );
+      }
+    },
+  };
+};
+
+export default OnePasswordAuthPlugin;

package/index.ts

@@ -1,8 +1,27 @@
 import type { Plugin } from "@opencode-ai/plugin";
 import * as sdk from "@1password/sdk";
-import * as fs from "fs";
-import * as path from "path";
-import * as os from "os";
+
+// Debug logging to file
+const debugLog = (message: string) => {
+  const timestamp = new Date().toISOString();
+  const logMessage = `[${timestamp}] 1Password: ${message}\n`;
+  console.log(logMessage.trim());
+  
+  try {
+    // Try to write to a debug log file
+    const fs = require('fs');
+    const path = require('path');
+    const home = process.env.HOME || process.env.USERPROFILE || '';
+    const logDir = path.join(home, '.opencode-1password-debug');
+    if (!fs.existsSync(logDir)) {
+      fs.mkdirSync(logDir, { recursive: true });
+    }
+    const logFile = path.join(logDir, 'debug.log');
+    fs.appendFileSync(logFile, logMessage);
+  } catch (err) {
+    // Ignore file logging errors
+  }
+};
 
 interface MCPServerConfig {
   environment?: Record<string, string>;
@@ -21,17 +40,71 @@ interface AuthJson {
   [providerId: string]: ProviderAuth;
 }
 
-const AUTH_JSON_PATH = path.join(os.homedir(), ".local", "share", "opencode", "auth.json");
-const OPENCODE_JSON_PATH = path.join(os.homedir(), ".config", "opencode", "opencode.json");
-
-export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
+export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
   let opClient: Awaited<ReturnType<typeof sdk.createClient>> | null = null;
   let mcpsEnvId: string | undefined;
 
+  debugLog("Plugin loaded");
+
+  const normalizeProviderId = (variableName: string): string => {
+    // Convert common patterns to match auth.json provider IDs
+    // e.g., "MINIMAX_CODING_PLAN" -> "minimax-coding-plan"
+    // e.g., "OPENCODE" -> "opencode"
+    // e.g., "DEEPSEEK" -> "deepseek"
+    
+    let normalized = variableName.toLowerCase();
+    
+    // Convert underscores to hyphens
+    normalized = normalized.replace(/_/g, '-');
+    
+    debugLog(`Normalized ${variableName} -> ${normalized}`);
+    return normalized;
+  };
+
+  const getAlternativeEnvVarNames = (providerId: string): string[] => {
+    // Generate all possible env var names that might be used
+    const names = new Set<string>();
+    
+    // Original providerId (e.g., "minimax-coding-plan")
+    names.add(providerId);
+    
+    // Uppercase version (e.g., "MINIMAX-CODING-PLAN")
+    names.add(providerId.toUpperCase());
+    
+    // With underscores instead of hyphens (e.g., "minimax_coding_plan")
+    names.add(providerId.replace(/-/g, '_'));
+    
+    // Uppercase with underscores (e.g., "MINIMAX_CODING_PLAN")
+    names.add(providerId.replace(/-/g, '_').toUpperCase());
+    
+    // Just the first part (e.g., "minimax")
+    const firstPart = providerId.split('-')[0];
+    if (firstPart && firstPart !== providerId) {
+      names.add(firstPart);
+      names.add(firstPart.toUpperCase());
+    }
+    
+    return Array.from(names);
+  };
+
+  const getHomeDir = (): string => {
+    return process.env.HOME || process.env.USERPROFILE || "";
+  };
+
+  const getAuthJsonPath = (): string => {
+    const home = getHomeDir();
+    return `${home}/.local/share/opencode/auth.json`;
+  };
+
+  const getOpenCodeJsonPath = (): string => {
+    const home = getHomeDir();
+    return `${home}/.config/opencode/opencode.json`;
+  };
+
   const initClient = async () => {
     const token = process.env.OP_SERVICE_ACCOUNT_TOKEN;
     if (!token) {
-      console.error("1Password: Missing OP_SERVICE_ACCOUNT_TOKEN");
+      debugLog("Missing OP_SERVICE_ACCOUNT_TOKEN");
       return null;
     }
 
@@ -42,7 +115,7 @@ export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
         integrationVersion: "1.0.0",
       });
     } catch (err) {
-      console.error("1Password: Failed to create client:", err);
+      debugLog(`Failed to create client: ${err}`);
       return null;
     }
   };
@@ -52,9 +125,10 @@ export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
 
     try {
       const { variables } = await opClient.environments.getVariables(envId);
+      debugLog(`Read ${variables?.length || 0} variables from environment ${envId}`);
       return variables || [];
     } catch (err) {
-      console.error(`1Password: Failed to read environment ${envId}:`, err);
+      debugLog(`Failed to read environment ${envId}: ${err}`);
       return [];
     }
   };
@@ -65,20 +139,28 @@ export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
     for (const v of vars) {
       if (v.value) {
         secrets[v.name] = v.value;
+        debugLog(`Found secret: ${v.name} (${v.value.length} chars)`);
       }
     }
     return secrets;
   };
 
   const updateAuthJson = async (providerEnvId: string): Promise<void> => {
-    if (!fs.existsSync(AUTH_JSON_PATH)) {
-      console.log("1Password: auth.json not found, skipping");
-      return;
-    }
+    const authJsonPath = getAuthJsonPath();
 
     try {
-      const content = fs.readFileSync(AUTH_JSON_PATH, "utf-8");
-      const auth: AuthJson = JSON.parse(content);
+      // Read current auth.json using cat
+      const catResult = await $`cat "${authJsonPath}"`;
+      const content = catResult.stdout;
+      let auth: AuthJson;
+
+      try {
+        auth = JSON.parse(content);
+      } catch {
+        debugLog("auth.json is not valid JSON, skipping");
+        return;
+      }
+
       let modified = false;
 
       for (const [providerId, authConfig] of Object.entries(auth)) {
@@ -86,31 +168,40 @@ export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
           // Replace hardcoded key with env var reference
           authConfig.key = `{env:${providerId}}`;
           modified = true;
-          console.log(`1Password: Updated auth.json - ${providerId} -> {env:${providerId}}`);
+          debugLog(`Updated auth.json - ${providerId} -> {env:${providerId}}`);
         }
       }
 
       if (modified) {
-        fs.writeFileSync(AUTH_JSON_PATH, JSON.stringify(auth, null, 2));
-        console.log("1Password: auth.json updated to use environment variables");
+        // Write updated content using a temp file and mv
+        const newContent = JSON.stringify(auth, null, 2);
+        // Use node to write the file since $ heredocs can be tricky
+        await $`node -e "const fs=require('fs'); fs.writeFileSync('${authJsonPath}', JSON.stringify(${JSON.stringify(auth)}, null, 2));"`;
+        debugLog("auth.json updated to use environment variables");
       }
     } catch (err) {
-      console.error("1Password: Failed to update auth.json:", err);
+      debugLog(`Failed to update auth.json: ${err}`);
     }
   };
 
   const updateOpenCodeJsonMCP = async (mcpEnvId: string): Promise<void> => {
-    if (!fs.existsSync(OPENCODE_JSON_PATH)) {
-      console.log("1Password: opencode.json not found, skipping");
-      return;
-    }
+    const openCodeJsonPath = getOpenCodeJsonPath();
 
     try {
-      const content = fs.readFileSync(OPENCODE_JSON_PATH, "utf-8");
-      const config = JSON.parse(content);
+      // Read current opencode.json using cat
+      const catResult = await $`cat "${openCodeJsonPath}"`;
+      const content = catResult.stdout;
+      let config: OpenCodeConfig;
+
+      try {
+        config = JSON.parse(content);
+      } catch {
+        debugLog("opencode.json is not valid JSON, skipping");
+        return;
+      }
 
       if (!config.mcp) {
-        console.log("1Password: No MCP configuration found, skipping");
+        debugLog("No MCP configuration found, skipping");
         return;
       }
 
@@ -123,37 +214,55 @@ export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
               // Replace hardcoded value with env var reference
               serverConfig.environment[key] = `{env:${key}}`;
               modified = true;
-              console.log(`1Password: Updated opencode.json - ${serverName}.${key} -> {env:${key}}`);
+              debugLog(`Updated opencode.json - ${serverName}.${key} -> {env:${key}}`);
             }
           }
         }
       }
 
       if (modified) {
-        fs.writeFileSync(OPENCODE_JSON_PATH, JSON.stringify(config, null, 2));
-        console.log("1Password: opencode.json MCP config updated to use environment variables");
+        // Write updated content
+        await $`node -e "const fs=require('fs'); fs.writeFileSync('${openCodeJsonPath}', JSON.stringify(${JSON.stringify(config)}, null, 2));"`;
+        debugLog("opencode.json MCP config updated to use environment variables");
       }
     } catch (err) {
-      console.error("1Password: Failed to update opencode.json:", err);
+      debugLog(`Failed to update opencode.json: ${err}`);
     }
   };
 
   const authenticateProviders = async (providerEnvId: string): Promise<void> => {
     if (!opClient) return;
 
+    debugLog(`Reading provider secrets from environment ${providerEnvId}`);
     const secrets = await getSecretsFromEnvironment(providerEnvId);
+    debugLog(`Found ${Object.keys(secrets).length} provider secrets`);
 
-    for (const [providerId, apiKey] of Object.entries(secrets)) {
+    for (const [variableName, apiKey] of Object.entries(secrets)) {
       if (!apiKey) continue;
 
+      const providerId = normalizeProviderId(variableName);
+      debugLog(`Processing ${variableName} -> ${providerId} (key length: ${apiKey.length})`);
+      
+      // Set environment variables in multiple formats
+      const envVarNames = getAlternativeEnvVarNames(providerId);
+      for (const envVarName of envVarNames) {
+        process.env[envVarName] = apiKey;
+        debugLog(`Set process.env.${envVarName} = ${apiKey.substring(0, 8)}...`);
+      }
+      
       try {
-        await ctx.client.auth.set({
+        // Authenticate with OpenCode runtime
+        debugLog(`Calling client.auth.set for ${providerId}`);
+        await client.auth.set({
           path: { id: providerId },
           body: { type: "api", key: apiKey },
         });
-        console.log(`1Password: ✓ ${providerId} authenticated`);
+        debugLog(`✓ ${providerId} authenticated (from ${variableName})`);
       } catch (err) {
-        console.error(`1Password: Failed to authenticate ${providerId}:`, err);
+        debugLog(`Failed to authenticate ${providerId}: ${err}`);
+        if (err instanceof Error) {
+          debugLog(`Error message: ${err.message}`);
+        }
       }
     }
   };
@@ -162,7 +271,7 @@ export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
     const vars = new Set<string>();
 
     try {
-      const config = ctx.config as OpenCodeConfig;
+      const config = client.config as OpenCodeConfig;
       if (config?.mcp) {
         for (const [, serverConfig] of Object.entries(config.mcp)) {
           if (serverConfig?.environment) {
@@ -178,7 +287,7 @@ export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
         }
       }
     } catch (err) {
-      console.error("1Password: Failed to read MCP config:", err);
+      debugLog(`Failed to read MCP config: ${err}`);
     }
 
     return vars;
@@ -204,26 +313,29 @@ export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
 
   return {
     async event({ event }: { event: { type: string } }) {
+      debugLog(`Received event: ${event.type}`);
       if (event.type === "server.connected") {
-        console.log("1Password: Initializing...");
+        debugLog("Initializing...");
 
         opClient = await initClient();
         if (!opClient) {
-          console.error("1Password: No client available");
+          debugLog("No client available");
           return;
         }
 
         const configEnvId = process.env.OP_CONFIG_ENV_ID;
         if (!configEnvId) {
-          console.error("1Password: Missing OP_CONFIG_ENV_ID");
+          debugLog("Missing OP_CONFIG_ENV_ID");
           return;
         }
 
+        debugLog(`Reading config from environment ${configEnvId}`);
         const vars = await readEnvironmentVariables(configEnvId);
         const configEnvIds: Record<string, string> = {};
         for (const v of vars) {
           if (v.name.endsWith("_ENV_ID") && v.value) {
             configEnvIds[v.name] = v.value;
+            debugLog(`Found ${v.name} = ${v.value.substring(0, 10)}...`);
           }
         }
 
@@ -240,11 +352,11 @@ export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
           await updateOpenCodeJsonMCP(mcpEnvIdFromConfig);
           const toInject = await injectMCPSecrets(mcpEnvIdFromConfig);
           if (Object.keys(toInject).length > 0) {
-            console.log(`1Password: Injected ${Object.keys(toInject).join(", ")} for MCP`);
+            debugLog(`Injected ${Object.keys(toInject).join(", ")} for MCP`);
           }
         }
 
-        console.log("1Password: Initialization complete");
+        debugLog("Initialization complete");
       }
     },
 
@@ -255,6 +367,7 @@ export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
 
       for (const [varName, value] of Object.entries(toInject)) {
         output.env[varName] = value;
+        debugLog(`Injected ${varName} into shell environment`);
       }
     },
 
@@ -263,8 +376,8 @@ export const OnePasswordAuthPlugin: Plugin = async (ctx) => {
 
       const fileArgs = input.args as { filePath?: string } | undefined;
       if (fileArgs?.filePath && fileArgs.filePath.includes(".env")) {
-        console.warn(
-          "1Password: Warning - .env file access detected. Consider using 1Password for secrets management."
+        debugLog(
+          "Warning - .env file access detected. Consider using 1Password for secrets management."
         );
       }
     },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-1password-auth",
-  "version": "1.0.1",
+  "version": "1.0.5",
   "description": "1Password integration for OpenCode - authenticate providers and inject MCP secrets from 1Password environments",
   "type": "module",
   "main": "index.ts",

package/setup.ps1

@@ -3,7 +3,8 @@
 
 param(
     [switch]$Uninstall,
-    [switch]$Audit
+    [switch]$Audit,
+    [switch]$UpdateConfig
 )
 
 # Colors for output
@@ -65,6 +66,137 @@ function Remove-RegistryValue {
     }
 }
 
+function Get-OpenCodeAuthJsonPath {
+    $homeDir = if ($env:USERPROFILE) { $env:USERPROFILE } else { $env:USERPROFILE }
+    return "$homeDir/.local/share/opencode/auth.json"
+}
+
+function Get-OpenCodeConfigJsonPath {
+    $homeDir = if ($env:USERPROFILE) { $env:USERPROFILE } else { $env:USERPROFILE }
+    return "$homeDir/.config/opencode/opencode.json"
+}
+
+function Update-ConfigFiles {
+    param([string]$Token, [string]$ProvidersEnvId, [string]$McpsEnvId)
+    
+    $nodeModulesPath = Get-OpenCodeNodeModulesPath
+    if (-not $nodeModulesPath) {
+        Write-Error "Could not find @1password/sdk in any node_modules directory"
+        return
+    }
+    
+    $sdkPath = ($nodeModulesPath -replace '\\', '/') + "/@1password/sdk/dist/sdk.js"
+    
+    # Get provider secrets from 1Password
+    Write-Info "Reading provider secrets from 1Password..."
+    
+    $script = @"
+const sdk = require('${sdkPath}');
+
+async function getSecrets() {
+    const client = await sdk.createClient({
+        auth: '${Token}',
+        integrationName: 'opencode-1password-setup',
+        integrationVersion: '1.0.0'
+    });
+    
+    const providers = {};
+    const { variables: providerVars } = await client.environments.getVariables('${ProvidersEnvId}');
+    for (const v of providerVars) {
+        if (v.value) providers[v.name] = v.value;
+    }
+    
+    const mcps = {};
+    if ('${McpsEnvId}') {
+        const { variables: mcpVars } = await client.environments.getVariables('${McpsEnvId}');
+        for (const v of mcpVars) {
+            if (v.value) mcps[v.name] = v.value;
+        }
+    }
+    
+    console.log(JSON.stringify({ providers, mcps }));
+}
+
+getSecrets().catch(err => { console.error('FAILED:', err.message); process.exit(1); });
+"@
+    
+    $tempScript = [System.IO.Path]::GetTempFileName() -replace '\.tmp$', '.js'
+    $script | Out-File -FilePath $tempScript -Encoding UTF8 -NoNewline
+    
+    $result = & node $tempScript 2>&1 | Out-String
+    Remove-Item $tempScript -ErrorAction SilentlyContinue
+    
+    if ($result -match "FAILED:") {
+        Write-Error "Failed to read secrets from 1Password: $($result -replace 'FAILED:', '')"
+        return
+    }
+    
+    $secrets = $result | ConvertFrom-Json
+    
+    # Update auth.json
+    $authJsonPath = Get-OpenCodeAuthJsonPath
+    Write-Info "Updating auth.json..."
+    
+    if (Test-Path $authJsonPath) {
+        $authContent = Get-Content $authJsonPath -Raw -Encoding UTF8
+        $auth = $authContent | ConvertFrom-Json
+        
+        $modified = $false
+        foreach ($providerId in $auth.PSObject.Properties.Name) {
+            $authConfig = $auth.$providerId
+            if ($authConfig.key -and -not $authConfig.key.StartsWith("{env:")) {
+                $authConfig.key = "{env:$providerId}"
+                $modified = $true
+                Write-Success "Updated $providerId -> {env:$providerId}"
+            }
+        }
+        
+        if ($modified) {
+            $auth | ConvertTo-Json -Depth 10 | Set-Content $authJsonPath -Encoding UTF8 -NoNewline
+            Write-Success "auth.json updated"
+        } else {
+            Write-Info "auth.json already uses environment variable references"
+        }
+    } else {
+        Write-Info "auth.json not found at $authJsonPath"
+    }
+    
+    # Update opencode.json MCP config
+    $configJsonPath = Get-OpenCodeConfigJsonPath
+    Write-Info "Updating opencode.json MCP config..."
+    
+    if (Test-Path $configJsonPath) {
+        $configContent = Get-Content $configJsonPath -Raw -Encoding UTF8
+        $config = $configContent | ConvertFrom-Json
+        
+        $modified = $false
+        if ($config.mcp) {
+            foreach ($serverName in $config.mcp.PSObject.Properties.Name) {
+                $serverConfig = $config.mcp.$serverName
+                if ($serverConfig.environment) {
+                    foreach ($key in $serverConfig.environment.PSObject.Properties.Name) {
+                        $value = $serverConfig.environment.$key
+                        if ($value -and -not $value.StartsWith("{env:") -and -not $value.StartsWith("$")) {
+                            $serverConfig.environment.$key = "{env:$key}"
+                            $modified = $true
+                            Write-Success "Updated $serverName.$key -> {env:$key}"
+                        }
+                    }
+                }
+            }
+        }
+        
+        if ($modified) {
+            $config | ConvertTo-Json -Depth 10 | Set-Content $configJsonPath -Encoding UTF8 -NoNewline
+            Write-Success "opencode.json updated"
+        } else {
+            Write-Info "opencode.json already uses environment variable references"
+        }
+    } else {
+        Write-Info "opencode.json not found at $configJsonPath"
+    }
+}
+
 function Get-OpenCodeNodeModulesPath {
     $paths = @(
         "$env:USERPROFILE\.cache\opencode\node_modules",
@@ -320,6 +452,66 @@ if ($Audit) {
     exit 0
 }
 
+if ($UpdateConfig) {
+    # Update Config mode
+    Write-Host "Update Config Mode" -ForegroundColor Yellow
+    Write-Host "------------------" -ForegroundColor Yellow
+    Write-Host ""
+    
+    $token = Get-RegistryValue -Name "OP_SERVICE_ACCOUNT_TOKEN" -Scope "Machine"
+    $configId = Get-RegistryValue -Name "OP_CONFIG_ENV_ID" -Scope "Machine"
+    
+    if (-not $token) {
+        $token = Get-RegistryValue -Name "OP_SERVICE_ACCOUNT_TOKEN" -Scope "User"
+        $configId = Get-RegistryValue -Name "OP_CONFIG_ENV_ID" -Scope "User"
+    }
+    
+    if (-not $token -or -not $configId) {
+        Write-Error "Environment variables not set. Run setup first."
+        exit 1
+    }
+    
+    Write-Info "Testing 1Password connection..."
+    
+    if (Test-1PasswordConnection -Token $token) {
+        Write-Success "1Password connection successful!"
+    } else {
+        Write-Error "Failed to connect to 1Password. Check your service account token."
+        exit 1
+    }
+    
+    Write-Info "Reading configuration from 1Password..."
+    
+    $envIds = Get-1PasswordAudit -Token $token -ConfigEnvId $configId
+    
+    if ($envIds) {
+        $providersEnvId = $null
+        $mcpsEnvId = $null
+        
+        foreach ($prop in $envIds.PSObject.Properties) {
+            if ($prop.Name -eq "OPENCODE_PROVIDERS_ENV_ID") {
+                $providersEnvId = $prop.Value
+            } elseif ($prop.Name -eq "OPENCODE_MCPS_ENV_ID") {
+                $mcpsEnvId = $prop.Value
+            }
+        }
+        
+        if ($providersEnvId) {
+            Write-Info "Updating config files to use environment variables..."
+            Update-ConfigFiles -Token $token -ProvidersEnvId $providersEnvId -McpsEnvId $mcpsEnvId
+            Write-Success "Config update complete!"
+        } else {
+            Write-Error "Could not find OPENCODE_PROVIDERS_ENV_ID in bootstrap environment"
+            exit 1
+        }
+    } else {
+        Write-Error "Failed to read bootstrap environment."
+        exit 1
+    }
+    
+    exit 0
+}
+
 # Setup mode (default)
 Write-Host "Setup Mode" -ForegroundColor Yellow
 Write-Host "----------" -ForegroundColor Yellow
@@ -438,6 +630,7 @@ Write-Success "Setup complete!"
 Write-Info "Restart OpenCode to activate the plugin."
 Write-Host ""
 Write-Host "Usage:" -ForegroundColor White
-Write-Host "  ./setup.ps1 -Audit    Show current configuration"
-Write-Host "  ./setup.ps1 -Uninstall Remove environment variables"
+Write-Host "  ./setup.ps1 -Audit         Show current configuration"
+Write-Host "  ./setup.ps1 -UpdateConfig  Update config files to use {env:VAR} references"
+Write-Host "  ./setup.ps1 -Uninstall    Remove environment variables"
 Write-Host ""

package/setup.sh

@@ -221,9 +221,161 @@ EOFINNER
     done
 }
 
+update_config_files() {
+    local token="$1"
+    local providers_env_id="$2"
+    local mcps_env_id="$3"
+    
+    log_info "Reading secrets from 1Password..."
+    
+    # Get provider and MCP secrets
+    cat > /tmp/update_config_$$.js << 'EOF'
+const sdk = require('@1password/sdk');
+
+async function getSecrets() {
+    const token = process.argv[1];
+    const providersEnvId = process.argv[2];
+    const mcpsEnvId = process.argv[3];
+    
+    const client = await sdk.createClient({
+        auth: token,
+        integrationName: 'opencode-1password-setup',
+        integrationVersion: '1.0.0'
+    });
+    
+    const providers = {};
+    const { variables: providerVars } = await client.environments.getVariables(providersEnvId);
+    for (const v of providerVars) {
+        if (v.value) providers[v.name] = v.value;
+    }
+    
+    const mcps = {};
+    if (mcpsEnvId) {
+        const { variables: mcpVars } = await client.environments.getVariables(mcpsEnvId);
+        for (const v of mcpVars) {
+            if (v.value) mcps[v.name] = v.value;
+        }
+    }
+    
+    console.log(JSON.stringify({ providers, mcps }));
+}
+
+getSecrets().catch(err => {
+    console.error('FAILED:', err.message);
+    process.exit(1);
+});
+EOF
+    
+    result=$(node /tmp/update_config_$$.js "$token" "$providers_env_id" "$mcps_env_id" 2>&1)
+    rm -f /tmp/update_config_$$.js
+    
+    if [[ "$result" == "FAILED:"* ]]; then
+        log_error "Failed to read secrets from 1Password: $result"
+        return 1
+    fi
+    
+    # Get home directory
+    home="${HOME:-}"
+    if [[ -z "$home" ]]; then
+        home=$(eval echo ~)
+    fi
+    
+    # Update auth.json
+    auth_json_path="$home/.local/share/opencode/auth.json"
+    log_info "Updating auth.json..."
+    
+    if [[ -f "$auth_json_path" ]]; then
+        # Read auth.json and update
+        auth_content=$(cat "$auth_json_path")
+        # Use node to parse and update JSON
+        cat > /tmp/update_auth_$$.js << 'EOFJ'
+const fs = require('fs');
+const authPath = process.argv[1];
+const auth = JSON.parse(fs.readFileSync(authPath, 'utf8'));
+
+let modified = false;
+for (const [providerId, authConfig] of Object.entries(auth)) {
+    if (authConfig.key && !authConfig.key.startsWith('{env:')) {
+        authConfig.key = '{env:' + providerId + '}';
+        modified = true;
+        console.log('Updated ' + providerId + ' -> {env:' + providerId + '}');
+    }
+}
+
+if (modified) {
+    fs.writeFileSync(authPath, JSON.stringify(auth, null, 2));
+    console.log('auth.json updated');
+} else {
+    console.log('auth.json already uses environment variable references');
+}
+EOFJ
+        
+        update_result=$(node /tmp/update_auth_$$.js "$auth_json_path" 2>&1)
+        rm -f /tmp/update_auth_$$.js
+        echo "$update_result" | while read line; do
+            if [[ "$line" == Updated* ]] || [[ "$line" == *updated* ]]; then
+                log_success "$(echo "$line" | sed 's/Updated/Updated/')"
+            else
+                log_info "$line"
+            fi
+        done
+    else
+        log_info "auth.json not found at $auth_json_path"
+    fi
+    
+    # Update opencode.json MCP config
+    config_json_path="$home/.config/opencode/opencode.json"
+    log_info "Updating opencode.json MCP config..."
+    
+    if [[ -f "$config_json_path" ]]; then
+        cat > /tmp/update_mcp_$$.js << 'EOFMCP'
+const fs = require('fs');
+const configPath = process.argv[1];
+const config = JSON.parse(fs.readFileSync(configPath, 'utf8'));
+
+let modified = false;
+if (config.mcp) {
+    for (const [serverName, serverConfig] of Object.entries(config.mcp)) {
+        if (serverConfig && serverConfig.environment) {
+            for (const [key, value] of Object.entries(serverConfig.environment)) {
+                if (value && !value.startsWith('{env:') && !value.startsWith('$')) {
+                    serverConfig.environment[key] = '{env:' + key + '}';
+                    modified = true;
+                    console.log('Updated ' + serverName + '.' + key + ' -> {env:' + key + '}');
+                }
+            }
+        }
+    }
+}
+
+if (modified) {
+    fs.writeFileSync(configPath, JSON.stringify(config, null, 2));
+    console.log('opencode.json updated');
+} else {
+    console.log('opencode.json already uses environment variable references');
+}
+EOFMCP
+        
+        update_result=$(node /tmp/update_mcp_$$.js "$config_json_path" 2>&1)
+        rm -f /tmp/update_mcp_$$.js
+        echo "$update_result" | while read line; do
+            if [[ "$line" == Updated* ]] || [[ "$line" == *updated* ]]; then
+                log_success "$(echo "$line" | sed 's/Updated/Updated/')"
+            else
+                log_info "$line"
+            fi
+        done
+    else
+        log_info "opencode.json not found at $config_json_path"
+    fi
+    
+    log_success "Config update complete!"
+}
+
 # Parse arguments
 UNINSTALL=false
 AUDIT=false
+UPDATE_CONFIG=false
 
 while [[ $# -gt 0 ]]; do
     case $1 in
@@ -235,8 +387,12 @@ while [[ $# -gt 0 ]]; do
             AUDIT=true
             shift
             ;;
+        -c|--update-config)
+            UPDATE_CONFIG=true
+            shift
+            ;;
         *)
-            echo "Usage: $0 [--uninstall|--audit]"
+            echo "Usage: $0 [--uninstall|--audit|--update-config]"
             exit 1
             ;;
     esac
@@ -325,6 +481,51 @@ if [[ "$AUDIT" == true ]]; then
     exit 0
 fi
 
+if [[ "$UPDATE_CONFIG" == true ]]; then
+    echo -e "${YELLOW}Update Config Mode${NC}"
+    echo -e "${YELLOW}------------------${NC}"
+    echo ""
+    
+    get_existing_values
+    
+    if [[ -z "$OP_SERVICE_ACCOUNT_TOKEN" || -z "$OP_CONFIG_ENV_ID" ]]; then
+        log_error "Environment variables not set. Run setup first."
+        exit 1
+    fi
+    
+    log_info "Testing 1Password connection..."
+    
+    if test_connection "$OP_SERVICE_ACCOUNT_TOKEN"; then
+        log_success "1Password connection successful!"
+    else
+        log_error "Failed to connect to 1Password. Check your service account token."
+        exit 1
+    fi
+    
+    log_info "Reading configuration from 1Password..."
+    
+    env_ids_json=$(get_audit_data "$OP_SERVICE_ACCOUNT_TOKEN" "$OP_CONFIG_ENV_ID")
+    
+    if [[ -n "$env_ids_json" && "$env_ids_json" != "FAILED:"* ]]; then
+        # Parse JSON to extract env IDs
+        providers_env_id=$(echo "$env_ids_json" | sed -n 's/.*"OPENCODE_PROVIDERS_ENV_ID":"\([^"]*\)".*/\1/p')
+        mcps_env_id=$(echo "$env_ids_json" | sed -n 's/.*"OPENCODE_MCPS_ENV_ID":"\([^"]*\)".*/\1/p')
+        
+        if [[ -n "$providers_env_id" ]]; then
+            log_info "Updating config files to use environment variables..."
+            update_config_files "$OP_SERVICE_ACCOUNT_TOKEN" "$providers_env_id" "$mcps_env_id"
+        else
+            log_error "Could not find OPENCODE_PROVIDERS_ENV_ID in bootstrap environment"
+            exit 1
+        fi
+    else
+        log_error "Failed to read bootstrap environment."
+        exit 1
+    fi
+    
+    exit 0
+fi
+
 # Setup mode (default)
 echo -e "${YELLOW}Setup Mode${NC}"
 echo -e "${YELLOW}----------${NC}"
@@ -439,6 +640,7 @@ log_success "Setup complete!"
 log_info "Restart OpenCode to activate the plugin."
 echo ""
 echo "Usage:"
-echo "  ./setup.sh --audit    Show current configuration"
-echo "  ./setup.sh --uninstall Remove environment variables"
+echo "  ./setup.sh --audit          Show current configuration"
+echo "  ./setup.sh --update-config  Update config files to use {env:VAR} references"
+echo "  ./setup.sh --uninstall     Remove environment variables"
 echo ""