opencode-1password-auth 1.0.3 → 1.0.6

package/README.md

@@ -31,7 +31,9 @@ Create these environments in 1Password:
 - `OPENCODE_MCPS_ENV_ID` - Environment ID containing MCP server secrets
 
 **Providers Environment** (holds API keys):
-- Provider IDs as variable names (e.g., `MINIMAX_CODING_PLAN`, `DEEPSEEK`, `OPENCODE`)
+- Variable names should match provider IDs (case-insensitive, underscores converted to hyphens)
+- Examples: `opencode`, `OPENCODE`, `deepseek`, `DEEPSEEK`, `minimax-coding-plan`, `MINIMAX_CODING_PLAN`
+- The plugin normalizes: lowercase + underscores → hyphens
 - API keys as values
 
 **MCPS Environment** (holds MCP secrets):
@@ -97,9 +99,9 @@ To change configurations, simply update `OP_CONFIG_ENV_ID` to point to a differe
 ### Providers Environment
 ```
 opencode-providers
-├── MINIMAX_CODING_PLAN = your-minimax-api-key
-├── DEEPSEEK = your-deepseek-api-key
-└── OPENCODE = your-opencode-api-key
+├── opencode = your-opencode-api-key           # or OPENCODE
+├── deepseek = your-deepseek-api-key           # or DEEPSEEK
+└── minimax-coding-plan = your-minimax-api-key # or MINIMAX_CODING_PLAN
 ```
 
 ### MCPS Environment

package/index-v2.ts

@@ -0,0 +1,387 @@
+import type { Plugin } from "@opencode-ai/plugin";
+import * as sdk from "@1password/sdk";
+
+// Debug logging to file
+const debugLog = (message: string) => {
+  const timestamp = new Date().toISOString();
+  const logMessage = `[${timestamp}] 1Password: ${message}\n`;
+  console.log(logMessage.trim());
+  
+  try {
+    // Try to write to a debug log file
+    const fs = require('fs');
+    const path = require('path');
+    const home = process.env.HOME || process.env.USERPROFILE || '';
+    const logDir = path.join(home, '.opencode-1password-debug');
+    if (!fs.existsSync(logDir)) {
+      fs.mkdirSync(logDir, { recursive: true });
+    }
+    const logFile = path.join(logDir, 'debug.log');
+    fs.appendFileSync(logFile, logMessage);
+  } catch (err) {
+    // Ignore file logging errors
+  }
+};
+
+interface MCPServerConfig {
+  environment?: Record<string, string>;
+}
+
+interface OpenCodeConfig {
+  mcp?: Record<string, MCPServerConfig>;
+}
+
+interface ProviderAuth {
+  type: string;
+  key: string;
+}
+
+interface AuthJson {
+  [providerId: string]: ProviderAuth;
+}
+
+export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
+  let opClient: Awaited<ReturnType<typeof sdk.createClient>> | null = null;
+  let mcpsEnvId: string | undefined;
+
+  debugLog("Plugin loaded");
+
+  const normalizeProviderId = (variableName: string): string => {
+    // Convert common patterns to match auth.json provider IDs
+    // e.g., "MINIMAX_CODING_PLAN" -> "minimax-coding-plan"
+    // e.g., "OPENCODE" -> "opencode"
+    // e.g., "DEEPSEEK" -> "deepseek"
+    
+    let normalized = variableName.toLowerCase();
+    
+    // Convert underscores to hyphens
+    normalized = normalized.replace(/_/g, '-');
+    
+    debugLog(`Normalized ${variableName} -> ${normalized}`);
+    return normalized;
+  };
+
+  const getAlternativeEnvVarNames = (providerId: string): string[] => {
+    // Generate all possible env var names that might be used
+    const names = new Set<string>();
+    
+    // Original providerId (e.g., "minimax-coding-plan")
+    names.add(providerId);
+    
+    // Uppercase version (e.g., "MINIMAX-CODING-PLAN")
+    names.add(providerId.toUpperCase());
+    
+    // With underscores instead of hyphens (e.g., "minimax_coding_plan")
+    names.add(providerId.replace(/-/g, '_'));
+    
+    // Uppercase with underscores (e.g., "MINIMAX_CODING_PLAN")
+    names.add(providerId.replace(/-/g, '_').toUpperCase());
+    
+    // Just the first part (e.g., "minimax")
+    const firstPart = providerId.split('-')[0];
+    if (firstPart && firstPart !== providerId) {
+      names.add(firstPart);
+      names.add(firstPart.toUpperCase());
+    }
+    
+    return Array.from(names);
+  };
+
+  const getHomeDir = (): string => {
+    return process.env.HOME || process.env.USERPROFILE || "";
+  };
+
+  const getAuthJsonPath = (): string => {
+    const home = getHomeDir();
+    return `${home}/.local/share/opencode/auth.json`;
+  };
+
+  const getOpenCodeJsonPath = (): string => {
+    const home = getHomeDir();
+    return `${home}/.config/opencode/opencode.json`;
+  };
+
+  const initClient = async () => {
+    const token = process.env.OP_SERVICE_ACCOUNT_TOKEN;
+    if (!token) {
+      debugLog("Missing OP_SERVICE_ACCOUNT_TOKEN");
+      return null;
+    }
+
+    try {
+      return await sdk.createClient({
+        auth: token,
+        integrationName: "opencode-1password-env",
+        integrationVersion: "1.0.0",
+      });
+    } catch (err) {
+      debugLog(`Failed to create client: ${err}`);
+      return null;
+    }
+  };
+
+  const readEnvironmentVariables = async (envId: string) => {
+    if (!opClient) return [];
+
+    try {
+      const { variables } = await opClient.environments.getVariables(envId);
+      debugLog(`Read ${variables?.length || 0} variables from environment ${envId}`);
+      return variables || [];
+    } catch (err) {
+      debugLog(`Failed to read environment ${envId}: ${err}`);
+      return [];
+    }
+  };
+
+  const getSecretsFromEnvironment = async (envId: string): Promise<Record<string, string>> => {
+    const vars = await readEnvironmentVariables(envId);
+    const secrets: Record<string, string> = {};
+    for (const v of vars) {
+      if (v.value) {
+        secrets[v.name] = v.value;
+        debugLog(`Found secret: ${v.name} (${v.value.length} chars)`);
+      }
+    }
+    return secrets;
+  };
+
+  const updateAuthJson = async (providerEnvId: string): Promise<void> => {
+    const authJsonPath = getAuthJsonPath();
+
+    try {
+      // Read current auth.json using cat
+      const catResult = await $`cat "${authJsonPath}"`;
+      const content = catResult.stdout;
+      let auth: AuthJson;
+
+      try {
+        auth = JSON.parse(content);
+      } catch {
+        debugLog("auth.json is not valid JSON, skipping");
+        return;
+      }
+
+      let modified = false;
+
+      for (const [providerId, authConfig] of Object.entries(auth)) {
+        if (authConfig.key && !authConfig.key.startsWith("{env:")) {
+          // Replace hardcoded key with env var reference
+          authConfig.key = `{env:${providerId}}`;
+          modified = true;
+          debugLog(`Updated auth.json - ${providerId} -> {env:${providerId}}`);
+        }
+      }
+
+      if (modified) {
+        // Write updated content using a temp file and mv
+        const newContent = JSON.stringify(auth, null, 2);
+        // Use node to write the file since $ heredocs can be tricky
+        await $`node -e "const fs=require('fs'); fs.writeFileSync('${authJsonPath}', JSON.stringify(${JSON.stringify(auth)}, null, 2));"`;
+        debugLog("auth.json updated to use environment variables");
+      }
+    } catch (err) {
+      debugLog(`Failed to update auth.json: ${err}`);
+    }
+  };
+
+  const updateOpenCodeJsonMCP = async (mcpEnvId: string): Promise<void> => {
+    const openCodeJsonPath = getOpenCodeJsonPath();
+
+    try {
+      // Read current opencode.json using cat
+      const catResult = await $`cat "${openCodeJsonPath}"`;
+      const content = catResult.stdout;
+      let config: OpenCodeConfig;
+
+      try {
+        config = JSON.parse(content);
+      } catch {
+        debugLog("opencode.json is not valid JSON, skipping");
+        return;
+      }
+
+      if (!config.mcp) {
+        debugLog("No MCP configuration found, skipping");
+        return;
+      }
+
+      let modified = false;
+
+      for (const [serverName, serverConfig] of Object.entries(config.mcp)) {
+        if (serverConfig?.environment) {
+          for (const [key, value] of Object.entries(serverConfig.environment)) {
+            if (typeof value === "string" && !value.startsWith("{env:") && !value.startsWith("$")) {
+              // Replace hardcoded value with env var reference
+              serverConfig.environment[key] = `{env:${key}}`;
+              modified = true;
+              debugLog(`Updated opencode.json - ${serverName}.${key} -> {env:${key}}`);
+            }
+          }
+        }
+      }
+
+      if (modified) {
+        // Write updated content
+        await $`node -e "const fs=require('fs'); fs.writeFileSync('${openCodeJsonPath}', JSON.stringify(${JSON.stringify(config)}, null, 2));"`;
+        debugLog("opencode.json MCP config updated to use environment variables");
+      }
+    } catch (err) {
+      debugLog(`Failed to update opencode.json: ${err}`);
+    }
+  };
+
+  const authenticateProviders = async (providerEnvId: string): Promise<void> => {
+    if (!opClient) return;
+
+    debugLog(`Reading provider secrets from environment ${providerEnvId}`);
+    const secrets = await getSecretsFromEnvironment(providerEnvId);
+    debugLog(`Found ${Object.keys(secrets).length} provider secrets`);
+
+    for (const [variableName, apiKey] of Object.entries(secrets)) {
+      if (!apiKey) continue;
+
+      const providerId = normalizeProviderId(variableName);
+      debugLog(`Processing ${variableName} -> ${providerId} (key length: ${apiKey.length})`);
+      
+      // Set environment variables in multiple formats
+      const envVarNames = getAlternativeEnvVarNames(providerId);
+      for (const envVarName of envVarNames) {
+        process.env[envVarName] = apiKey;
+        debugLog(`Set process.env.${envVarName} = ${apiKey.substring(0, 8)}...`);
+      }
+      
+      try {
+        // Authenticate with OpenCode runtime
+        debugLog(`Calling client.auth.set for ${providerId}`);
+        await client.auth.set({
+          path: { id: providerId },
+          body: { type: "api", key: apiKey },
+        });
+        debugLog(`✓ ${providerId} authenticated (from ${variableName})`);
+      } catch (err) {
+        debugLog(`Failed to authenticate ${providerId}: ${err}`);
+        if (err instanceof Error) {
+          debugLog(`Error message: ${err.message}`);
+        }
+      }
+    }
+  };
+
+  const getConfiguredMCPVars = (): Set<string> => {
+    const vars = new Set<string>();
+
+    try {
+      const config = client.config as OpenCodeConfig;
+      if (config?.mcp) {
+        for (const [, serverConfig] of Object.entries(config.mcp)) {
+          if (serverConfig?.environment) {
+            for (const [key] of Object.entries(serverConfig.environment)) {
+              if (key.startsWith("{env:")) {
+                const envVar = key.slice(5, -1);
+                vars.add(envVar);
+              } else {
+                vars.add(key);
+              }
+            }
+          }
+        }
+      }
+    } catch (err) {
+      debugLog(`Failed to read MCP config: ${err}`);
+    }
+
+    return vars;
+  };
+
+  const injectMCPSecrets = async (mcpEnvId: string): Promise<Record<string, string>> => {
+    const neededVars = getConfiguredMCPVars();
+    if (neededVars.size === 0) {
+      return {};
+    }
+
+    const secrets = await getSecretsFromEnvironment(mcpEnvId);
+    const toInject: Record<string, string> = {};
+
+    for (const varName of neededVars) {
+      if (secrets[varName]) {
+        toInject[varName] = secrets[varName];
+      }
+    }
+
+    return toInject;
+  };
+
+  return {
+    async event({ event }: { event: { type: string } }) {
+      debugLog(`Received event: ${event.type}`);
+      if (event.type === "server.connected") {
+        debugLog("Initializing...");
+
+        opClient = await initClient();
+        if (!opClient) {
+          debugLog("No client available");
+          return;
+        }
+
+        const configEnvId = process.env.OP_CONFIG_ENV_ID;
+        if (!configEnvId) {
+          debugLog("Missing OP_CONFIG_ENV_ID");
+          return;
+        }
+
+        debugLog(`Reading config from environment ${configEnvId}`);
+        const vars = await readEnvironmentVariables(configEnvId);
+        const configEnvIds: Record<string, string> = {};
+        for (const v of vars) {
+          if (v.name.endsWith("_ENV_ID") && v.value) {
+            configEnvIds[v.name] = v.value;
+            debugLog(`Found ${v.name} = ${v.value.substring(0, 10)}...`);
+          }
+        }
+
+        const providersEnvId = configEnvIds.OPENCODE_PROVIDERS_ENV_ID;
+        if (providersEnvId) {
+          // First update the config files to use env var references
+          await updateAuthJson(providersEnvId);
+          await authenticateProviders(providersEnvId);
+        }
+
+        const mcpEnvIdFromConfig = configEnvIds.OPENCODE_MCPS_ENV_ID;
+        if (mcpEnvIdFromConfig) {
+          mcpsEnvId = mcpEnvIdFromConfig;
+          await updateOpenCodeJsonMCP(mcpEnvIdFromConfig);
+          const toInject = await injectMCPSecrets(mcpEnvIdFromConfig);
+          if (Object.keys(toInject).length > 0) {
+            debugLog(`Injected ${Object.keys(toInject).join(", ")} for MCP`);
+          }
+        }
+
+        debugLog("Initialization complete");
+      }
+    },
+
+    async "shell.env"(input, output) {
+      if (!opClient || !mcpsEnvId) return;
+
+      const toInject = await injectMCPSecrets(mcpsEnvId);
+
+      for (const [varName, value] of Object.entries(toInject)) {
+        output.env[varName] = value;
+        debugLog(`Injected ${varName} into shell environment`);
+      }
+    },
+
+    async "tool.execute.before"(input) {
+      if (input.tool !== "read") return;
+
+      const fileArgs = input.args as { filePath?: string } | undefined;
+      if (fileArgs?.filePath && fileArgs.filePath.includes(".env")) {
+        debugLog(
+          "Warning - .env file access detected. Consider using 1Password for secrets management."
+        );
+      }
+    },
+  };
+};
+
+export default OnePasswordAuthPlugin;

package/index.ts

@@ -1,6 +1,28 @@
 import type { Plugin } from "@opencode-ai/plugin";
 import * as sdk from "@1password/sdk";
 
+// Debug logging to file
+const debugLog = (message: string) => {
+  const timestamp = new Date().toISOString();
+  const logMessage = `[${timestamp}] 1Password: ${message}\n`;
+  console.log(logMessage.trim());
+  
+  try {
+    // Try to write to a debug log file
+    const fs = require('fs');
+    const path = require('path');
+    const home = process.env.HOME || process.env.USERPROFILE || '';
+    const logDir = path.join(home, '.opencode-1password-debug');
+    if (!fs.existsSync(logDir)) {
+      fs.mkdirSync(logDir, { recursive: true });
+    }
+    const logFile = path.join(logDir, 'debug.log');
+    fs.appendFileSync(logFile, logMessage);
+  } catch (err) {
+    // Ignore file logging errors
+  }
+};
+
 interface MCPServerConfig {
   environment?: Record<string, string>;
 }
@@ -22,6 +44,49 @@ export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
   let opClient: Awaited<ReturnType<typeof sdk.createClient>> | null = null;
   let mcpsEnvId: string | undefined;
 
+  debugLog("Plugin loaded");
+
+  const normalizeProviderId = (variableName: string): string => {
+    // Convert common patterns to match auth.json provider IDs
+    // e.g., "MINIMAX_CODING_PLAN" -> "minimax-coding-plan"
+    // e.g., "OPENCODE" -> "opencode"
+    // e.g., "DEEPSEEK" -> "deepseek"
+    
+    let normalized = variableName.toLowerCase();
+    
+    // Convert underscores to hyphens
+    normalized = normalized.replace(/_/g, '-');
+    
+    debugLog(`Normalized ${variableName} -> ${normalized}`);
+    return normalized;
+  };
+
+  const getAlternativeEnvVarNames = (providerId: string): string[] => {
+    // Generate all possible env var names that might be used
+    const names = new Set<string>();
+    
+    // Original providerId (e.g., "minimax-coding-plan")
+    names.add(providerId);
+    
+    // Uppercase version (e.g., "MINIMAX-CODING-PLAN")
+    names.add(providerId.toUpperCase());
+    
+    // With underscores instead of hyphens (e.g., "minimax_coding_plan")
+    names.add(providerId.replace(/-/g, '_'));
+    
+    // Uppercase with underscores (e.g., "MINIMAX_CODING_PLAN")
+    names.add(providerId.replace(/-/g, '_').toUpperCase());
+    
+    // Just the first part (e.g., "minimax")
+    const firstPart = providerId.split('-')[0];
+    if (firstPart && firstPart !== providerId) {
+      names.add(firstPart);
+      names.add(firstPart.toUpperCase());
+    }
+    
+    return Array.from(names);
+  };
+
   const getHomeDir = (): string => {
     return process.env.HOME || process.env.USERPROFILE || "";
   };
@@ -39,7 +104,7 @@ export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
   const initClient = async () => {
     const token = process.env.OP_SERVICE_ACCOUNT_TOKEN;
     if (!token) {
-      console.error("1Password: Missing OP_SERVICE_ACCOUNT_TOKEN");
+      debugLog("Missing OP_SERVICE_ACCOUNT_TOKEN");
       return null;
     }
 
@@ -50,7 +115,7 @@ export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
         integrationVersion: "1.0.0",
       });
     } catch (err) {
-      console.error("1Password: Failed to create client:", err);
+      debugLog(`Failed to create client: ${err}`);
       return null;
     }
   };
@@ -60,9 +125,10 @@ export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
 
     try {
       const { variables } = await opClient.environments.getVariables(envId);
+      debugLog(`Read ${variables?.length || 0} variables from environment ${envId}`);
       return variables || [];
     } catch (err) {
-      console.error(`1Password: Failed to read environment ${envId}:`, err);
+      debugLog(`Failed to read environment ${envId}: ${err}`);
       return [];
     }
   };
@@ -73,6 +139,7 @@ export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
     for (const v of vars) {
       if (v.value) {
         secrets[v.name] = v.value;
+        debugLog(`Found secret: ${v.name} (${v.value.length} chars)`);
       }
     }
     return secrets;
@@ -90,7 +157,7 @@ export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
       try {
         auth = JSON.parse(content);
       } catch {
-        console.log("1Password: auth.json is not valid JSON, skipping");
+        debugLog("auth.json is not valid JSON, skipping");
         return;
       }
 
@@ -101,7 +168,7 @@ export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
           // Replace hardcoded key with env var reference
           authConfig.key = `{env:${providerId}}`;
           modified = true;
-          console.log(`1Password: Updated auth.json - ${providerId} -> {env:${providerId}}`);
+          debugLog(`Updated auth.json - ${providerId} -> {env:${providerId}}`);
         }
       }
 
@@ -110,10 +177,10 @@ export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
         const newContent = JSON.stringify(auth, null, 2);
         // Use node to write the file since $ heredocs can be tricky
         await $`node -e "const fs=require('fs'); fs.writeFileSync('${authJsonPath}', JSON.stringify(${JSON.stringify(auth)}, null, 2));"`;
-        console.log("1Password: auth.json updated to use environment variables");
+        debugLog("auth.json updated to use environment variables");
       }
     } catch (err) {
-      console.error("1Password: Failed to update auth.json:", err);
+      debugLog(`Failed to update auth.json: ${err}`);
     }
   };
 
@@ -129,12 +196,12 @@ export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
       try {
         config = JSON.parse(content);
       } catch {
-        console.log("1Password: opencode.json is not valid JSON, skipping");
+        debugLog("opencode.json is not valid JSON, skipping");
         return;
       }
 
       if (!config.mcp) {
-        console.log("1Password: No MCP configuration found, skipping");
+        debugLog("No MCP configuration found, skipping");
         return;
       }
 
@@ -147,7 +214,7 @@ export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
               // Replace hardcoded value with env var reference
               serverConfig.environment[key] = `{env:${key}}`;
               modified = true;
-              console.log(`1Password: Updated opencode.json - ${serverName}.${key} -> {env:${key}}`);
+              debugLog(`Updated opencode.json - ${serverName}.${key} -> {env:${key}}`);
             }
           }
         }
@@ -156,29 +223,49 @@ export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
       if (modified) {
         // Write updated content
         await $`node -e "const fs=require('fs'); fs.writeFileSync('${openCodeJsonPath}', JSON.stringify(${JSON.stringify(config)}, null, 2));"`;
-        console.log("1Password: opencode.json MCP config updated to use environment variables");
+        debugLog("opencode.json MCP config updated to use environment variables");
       }
     } catch (err) {
-      console.error("1Password: Failed to update opencode.json:", err);
+      debugLog(`Failed to update opencode.json: ${err}`);
     }
   };
 
   const authenticateProviders = async (providerEnvId: string): Promise<void> => {
     if (!opClient) return;
 
+    debugLog(`Reading provider secrets from environment ${providerEnvId}`);
     const secrets = await getSecretsFromEnvironment(providerEnvId);
+    debugLog(`Found ${Object.keys(secrets).length} provider secrets`);
 
-    for (const [providerId, apiKey] of Object.entries(secrets)) {
+    for (const [variableName, apiKey] of Object.entries(secrets)) {
       if (!apiKey) continue;
 
+      const providerId = normalizeProviderId(variableName);
+      debugLog(`Processing ${variableName} -> ${providerId} (key length: ${apiKey.length})`);
+      
+      // Set environment variables in multiple formats
+      const envVarNames = getAlternativeEnvVarNames(providerId);
+      for (const envVarName of envVarNames) {
+        process.env[envVarName] = apiKey;
+        debugLog(`Set process.env.${envVarName} = ${apiKey.substring(0, 8)}...`);
+      }
+      
       try {
-        await client.auth.set({
+        // Authenticate with OpenCode runtime
+        debugLog(`Calling client.auth.set for ${providerId} with key length ${apiKey.length}`);
+        const result = await client.auth.set({
           path: { id: providerId },
           body: { type: "api", key: apiKey },
         });
-        console.log(`1Password: ✓ ${providerId} authenticated`);
+        debugLog(`✓ ${providerId} authenticated (from ${variableName}) - Result: ${JSON.stringify(result)}`);
       } catch (err) {
-        console.error(`1Password: Failed to authenticate ${providerId}:`, err);
+        debugLog(`Failed to authenticate ${providerId}: ${err}`);
+        if (err instanceof Error) {
+          debugLog(`Error message: ${err.message}`);
+          debugLog(`Error stack: ${err.stack}`);
+        }
+        // Also log to console for immediate visibility
+        console.error(`[1Password Plugin] Failed to authenticate ${providerId}: ${err}`);
       }
     }
   };
@@ -203,7 +290,7 @@ export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
         }
       }
     } catch (err) {
-      console.error("1Password: Failed to read MCP config:", err);
+      debugLog(`Failed to read MCP config: ${err}`);
     }
 
     return vars;
@@ -227,49 +314,85 @@ export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
     return toInject;
   };
 
-  return {
-    async event({ event }: { event: { type: string } }) {
-      if (event.type === "server.connected") {
-        console.log("1Password: Initializing...");
+  // Initialize as soon as plugin loads (config hook runs early)
+  const initializePlugin = async () => {
+    debugLog("Initializing plugin...");
 
-        opClient = await initClient();
-        if (!opClient) {
-          console.error("1Password: No client available");
-          return;
-        }
+    opClient = await initClient();
+    if (!opClient) {
+      debugLog("No client available");
+      return;
+    }
 
-        const configEnvId = process.env.OP_CONFIG_ENV_ID;
-        if (!configEnvId) {
-          console.error("1Password: Missing OP_CONFIG_ENV_ID");
-          return;
-        }
+    const configEnvId = process.env.OP_CONFIG_ENV_ID;
+    if (!configEnvId) {
+      debugLog("Missing OP_CONFIG_ENV_ID");
+      return;
+    }
 
-        const vars = await readEnvironmentVariables(configEnvId);
-        const configEnvIds: Record<string, string> = {};
-        for (const v of vars) {
-          if (v.name.endsWith("_ENV_ID") && v.value) {
-            configEnvIds[v.name] = v.value;
-          }
-        }
+    debugLog(`Reading config from environment ${configEnvId}`);
+    const vars = await readEnvironmentVariables(configEnvId);
+    const configEnvIds: Record<string, string> = {};
+    for (const v of vars) {
+      if (v.name.endsWith("_ENV_ID") && v.value) {
+        configEnvIds[v.name] = v.value;
+        debugLog(`Found ${v.name} = ${v.value.substring(0, 10)}...`);
+      }
+    }
 
-        const providersEnvId = configEnvIds.OPENCODE_PROVIDERS_ENV_ID;
-        if (providersEnvId) {
-          // First update the config files to use env var references
-          await updateAuthJson(providersEnvId);
-          await authenticateProviders(providersEnvId);
-        }
+    const providersEnvId = configEnvIds.OPENCODE_PROVIDERS_ENV_ID;
+    if (providersEnvId) {
+      // First update the config files to use env var references
+      await updateAuthJson(providersEnvId);
+      await authenticateProviders(providersEnvId);
+    }
+
+    const mcpEnvIdFromConfig = configEnvIds.OPENCODE_MCPS_ENV_ID;
+    if (mcpEnvIdFromConfig) {
+      mcpsEnvId = mcpEnvIdFromConfig;
+      await updateOpenCodeJsonMCP(mcpEnvIdFromConfig);
+      const toInject = await injectMCPSecrets(mcpEnvIdFromConfig);
+      if (Object.keys(toInject).length > 0) {
+        debugLog(`Injected ${Object.keys(toInject).join(", ")} for MCP`);
+      }
+    }
+
+    debugLog("Plugin initialization complete");
+  };
+
+  // Start initialization immediately
+  initializePlugin().catch(err => {
+    debugLog(`Failed to initialize plugin: ${err}`);
+  });
 
-        const mcpEnvIdFromConfig = configEnvIds.OPENCODE_MCPS_ENV_ID;
-        if (mcpEnvIdFromConfig) {
-          mcpsEnvId = mcpEnvIdFromConfig;
-          await updateOpenCodeJsonMCP(mcpEnvIdFromConfig);
-          const toInject = await injectMCPSecrets(mcpEnvIdFromConfig);
-          if (Object.keys(toInject).length > 0) {
-            console.log(`1Password: Injected ${Object.keys(toInject).join(", ")} for MCP`);
+  return {
+    async config(config: any) {
+      debugLog("Config hook called");
+      // Config hook runs early, we could also initialize here
+      // but we're already initializing above
+    },
+
+    async event({ event }: { event: { type: string } }) {
+      debugLog(`Received event: ${event.type}`);
+      if (event.type === "server.connected") {
+        debugLog("Server connected - rechecking authentication");
+        // Re-authenticate providers in case they weren't set earlier
+        if (opClient) {
+          const configEnvId = process.env.OP_CONFIG_ENV_ID;
+          if (configEnvId) {
+            const vars = await readEnvironmentVariables(configEnvId);
+            const configEnvIds: Record<string, string> = {};
+            for (const v of vars) {
+              if (v.name.endsWith("_ENV_ID") && v.value) {
+                configEnvIds[v.name] = v.value;
+              }
+            }
+            const providersEnvId = configEnvIds.OPENCODE_PROVIDERS_ENV_ID;
+            if (providersEnvId) {
+              await authenticateProviders(providersEnvId);
+            }
           }
         }
-
-        console.log("1Password: Initialization complete");
       }
     },
 
@@ -280,6 +403,7 @@ export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
 
       for (const [varName, value] of Object.entries(toInject)) {
         output.env[varName] = value;
+        debugLog(`Injected ${varName} into shell environment`);
       }
     },
 
@@ -288,8 +412,8 @@ export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
 
       const fileArgs = input.args as { filePath?: string } | undefined;
       if (fileArgs?.filePath && fileArgs.filePath.includes(".env")) {
-        console.warn(
-          "1Password: Warning - .env file access detected. Consider using 1Password for secrets management."
+        debugLog(
+          "Warning - .env file access detected. Consider using 1Password for secrets management."
         );
       }
     },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-1password-auth",
-  "version": "1.0.3",
+  "version": "1.0.6",
   "description": "1Password integration for OpenCode - authenticate providers and inject MCP secrets from 1Password environments",
   "type": "module",
   "main": "index.ts",

package/setup.ps1

@@ -67,13 +67,13 @@ function Remove-RegistryValue {
 }
 
 function Get-OpenCodeAuthJsonPath {
-    $home = if ($env:USERPROFILE) { $env:USERPROFILE } else { $env:USERPROFILE }
-    return "$home/.local/share/opencode/auth.json"
+    $homeDir = if ($env:USERPROFILE) { $env:USERPROFILE } else { $env:USERPROFILE }
+    return "$homeDir/.local/share/opencode/auth.json"
 }
 
 function Get-OpenCodeConfigJsonPath {
-    $home = if ($env:USERPROFILE) { $env:USERPROFILE } else { $env:USERPROFILE }
-    return "$home/.config/opencode/opencode.json"
+    $homeDir = if ($env:USERPROFILE) { $env:USERPROFILE } else { $env:USERPROFILE }
+    return "$homeDir/.config/opencode/opencode.json"
 }
 
 function Update-ConfigFiles {