npm - opencode-1password-auth - Versions diffs - 1.0.5 → 1.0.7 - Mend

opencode-1password-auth 1.0.5 → 1.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -2,11 +2,49 @@
 Authenticate LLM providers and inject MCP server secrets from 1Password environments.
+## ⚠️ Important Note
+**OpenCode does NOT resolve `{env:VAR}` syntax in `auth.json`**. This plugin works around this limitation by:
+1. Setting API keys via `client.auth.set()` at runtime
+2. Setting environment variables in `process.env` for MCP servers
+3. Using `{env:VAR}` references in config files for MCP servers only
+**Version 1.0.6+ includes critical timing fixes** - the plugin now initializes immediately when loaded, not waiting for the `server.connected` event.
+## 🚀 Quick Start
+1. **Run setup script**:
+   ```powershell
+   # Windows
+   .\setup.ps1
+   # macOS/Linux
+   ./setup.sh
+   ```
+2. **Update config files**:
+   ```powershell
+   .\setup.ps1 -UpdateConfig
+   ```
+3. **Add to OpenCode config** (`~/.config/opencode/opencode.json`):
+   ```json
+   {
+     "plugin": ["opencode-1password-auth"]
+   }
+   ```
+4. **Restart OpenCode** completely
+5. **Check debug logs** at `~/.opencode-1password-debug/debug.log`
 ## Features
-- **Provider Authentication**: Automatically authenticate OpenCode providers (MiniMax, DeepSeek, OpenCode, etc.) from 1Password
+- **Provider Authentication**: Automatically authenticate OpenCode providers (MiniMax, DeepSeek, OpenCode, etc.) from 1Password at runtime
 - **MCP Secret Injection**: Inject secrets into MCP server environments from 1Password
 - **.env Access Warning**: Warns when .env files are accessed
+- **Config File Management**: Automatically update config files to use `{env:VAR}` references (for MCP servers)
+- **Debug Logging**: Detailed logs at `~/.opencode-1password-debug/debug.log`
 ## Prerequisites
@@ -39,6 +77,24 @@ Create these environments in 1Password:
 **MCPS Environment** (holds MCP secrets):
 - Secret names matching your MCP server config (e.g., `MINIMAX_API_KEY`, `MINIMAX_API_HOST`)
+### Variable Naming Guide
+The plugin normalizes variable names to match auth.json provider IDs:
+| 1Password Variable | Normalized Provider ID | auth.json Key |
+|-------------------|------------------------|---------------|
+| `MINIMAX_CODING_PLAN` | `minimax-coding-plan` | `minimax-coding-plan` |
+| `OPENCODE` | `opencode` | `opencode` |
+| `DEEPSEEK` | `deepseek` | `deepseek` |
+| `minimax_coding_plan` | `minimax-coding-plan` | `minimax-coding-plan` |
+| `open_code` | `open-code` | `open-code` |
+**Rules:**
+1. Variable names are **case-insensitive**
+2. Underscores (`_`) are converted to hyphens (`-`)
+3. The plugin sets environment variables in multiple formats for compatibility
+4. MCP variable names should match exactly what your MCP server expects
 ## Setup
 ### 1. Run Setup Script
@@ -63,9 +119,13 @@ The script will:
 - Show a full audit of your configuration
 **Script Options:**
-- `.\setup.ps1 -Audit` - View current configuration
+- `.\setup.ps1` - Interactive setup (default)
+- `.\setup.ps1 -Audit` - View current configuration without making changes
+- `.\setup.ps1 -UpdateConfig` - **Critical**: Update `auth.json` and `opencode.json` to use `{env:VAR}` references
 - `.\setup.ps1 -Uninstall` - Remove environment variables
+> **⚠️ IMPORTANT**: You MUST run `.\setup.ps1 -UpdateConfig` after setting up environment variables to update your config files.
 ### 2. Install Plugin
 Add to your `opencode.json`:
@@ -113,7 +173,7 @@ opencode-mcps
 ## MCP Configuration
-In your `opencode.json`, use `{env:VARIABLE_NAME}` syntax to reference injected secrets:
+In your `opencode.json`, use `{env:VARIABLE_NAME}` syntax to reference injected secrets. **This works for MCP servers** because the plugin injects environment variables via the `shell.env` hook:
 ```json
 {
@@ -130,12 +190,41 @@ In your `opencode.json`, use `{env:VARIABLE_NAME}` syntax to reference injected
 }
 ```
-## How It Works
+> **Note**: While `{env:VAR}` syntax works for MCP servers in `opencode.json`, it **does NOT work** for provider authentication in `auth.json`. For providers, the plugin uses `client.auth.set()` instead.
+## How It Works (v1.0.6+)
+1. **Immediate Initialization**: When OpenCode loads the plugin, it immediately:
+   - Creates 1Password SDK client using `OP_SERVICE_ACCOUNT_TOKEN`
+   - Reads bootstrap environment ID from `OP_CONFIG_ENV_ID`
+   - Retrieves provider and MCP environment IDs
+2. **Provider Authentication**:
+   - Reads API keys from 1Password providers environment
+   - Sets `process.env` variables with multiple naming formats (e.g., `opencode`, `OPENCODE`, `opencode`, `OPENCODE`)
+   - Calls `client.auth.set()` to authenticate each provider at runtime
+3. **MCP Secret Injection**:
+   - Reads secrets from 1Password MCP environment
+   - Injects them via the `shell.env` hook when MCP servers start
+4. **Config File Management**:
+   - Updates `auth.json` to use `{env:providerId}` references (though OpenCode doesn't resolve these)
+   - Updates `opencode.json` MCP config to use `{env:VAR}` references (which DO work for MCP)
+## Authentication Flow
+```mermaid
+graph TD
+    A[OpenCode starts] --> B[Load 1Password Plugin]
+    B --> C[Immediate initialization]
+    C --> D{Read 1Password config}
+    D --> E[Set process.env variables]
+    D --> F[Call client.auth.set()]
+    F --> G[Provider authenticated at runtime]
+    E --> H[MCP servers get env vars]
+    G --> I[Chat requests work]
+    H --> I
+```
-1. On `server.connected` event, the plugin initializes the 1Password SDK
-2. Reads environment IDs from your config environment
-3. Authenticates providers using `client.auth.set()`
-4. Injects MCP secrets via the `shell.env` hook
+> **Note**: `client.auth.set()` happens AFTER OpenCode reads `auth.json`, so the plugin must initialize early enough to intercept authentication attempts.
 ## Requirements
@@ -145,31 +234,105 @@ In your `opencode.json`, use `{env:VARIABLE_NAME}` syntax to reference injected
 ## Troubleshooting
-**Plugin not loading?**
+### Plugin not loading?
 - Ensure environment variables are set system-wide (not just in terminal)
 - Restart OpenCode completely after setting environment variables
+- Check OpenCode console for plugin loading errors
-**Can't read 1Password environments?**
-- Verify service account has access to the vaults containing your environments
+### Can't read 1Password environments?
+- Verify service account has access to the vaults containing your environments
 - Check that environment IDs in config are correct
+- Run `.\setup.ps1 -Audit` to verify connection and configuration
+### Authentication failing with "Your api key: ****eek} is invalid"?
+This means OpenCode is reading the literal `{env:deepseek}` string from `auth.json`. The plugin needs to authenticate providers earlier.
+**Solutions:**
+1. **Update to v1.0.6+** - Includes critical timing fixes
+2. **Check debug logs** - Look at `~/.opencode-1password-debug/debug.log`
+3. **Verify plugin is in opencode.json** - Ensure `"opencode-1password-auth"` is in the plugin array
+4. **Restart OpenCode** - Completely quit and restart to reload the plugin
+### Debug Logging
+The plugin writes detailed logs to `~/.opencode-1password-debug/debug.log`. Check this file for:
+- Plugin initialization status
+- 1Password connection attempts
+- `client.auth.set()` calls and results
+- Environment variable injections
+### Common Issues
+- **Timing**: If the plugin initializes too late, OpenCode already attempted authentication
+- **Environment Variables**: Must be set system-wide, not just in current terminal
+- **1Password Permissions**: Service account needs read access to environments
+- **Variable Names**: Provider names in 1Password should match auth.json provider IDs (case-insensitive, underscores converted to hyphens)
+## Current Status (v1.0.6)
+### ✅ Implemented
+- **Provider Authentication**: `client.auth.set()` at runtime
+- **MCP Secret Injection**: Via `shell.env` hook
+- **Config File Management**: Auto-update `auth.json` and `opencode.json` with `-UpdateConfig` flag
+- **Debug Logging**: File-based logging at `~/.opencode-1password-debug/debug.log`
+- **Variable Normalization**: Multiple naming formats supported
+- **Immediate Initialization**: Plugin loads early in OpenCode lifecycle
+### 🔄 Working Around OpenCode Limitations
+The plugin works around OpenCode's limitation of not resolving `{env:VAR}` in `auth.json` by:
+1. Calling `client.auth.set()` to authenticate providers at runtime
+2. Setting `process.env` variables for MCP servers
+3. Using timing fixes in v1.0.6+ to initialize before authentication attempts
 ## Roadmap
-The following features are planned for future releases:
 ### Phase 2 - Enhanced Scripting
 - [ ] **Automated service account creation** - Guide users through creating service accounts with correct permissions via 1Password API
 - [ ] **Bootstrap environment management via scripts** - Add, list, remove environment references from the bootstrap environment through CLI
+- [ ] **Cross-platform setup improvements** - Better support for macOS/Linux setup scripts
-### Phase 3 - Advanced Plugin Features
+### Phase 3 - Advanced Plugin Features
 - [ ] **Dynamic environment detection** - Plugin automatically detects new environments added to bootstrap and integrates them
-- [ ] **Config file injection** - Plugin replaces hardcoded API keys in OpenCode config files with `{env:VAR}` references
+- [x] **Config file injection** - ✅ Implemented (uses `-UpdateConfig` flag)
 - [ ] **Custom environment support** - Support for additional environments beyond the standard opencode-providers, opencode-plugins, opencode-mcps pattern
 - [ ] **Write support** - Ability to store secrets back to 1Password environments
+- [ ] **Auth.json workaround** - Investigate alternative approaches if `client.auth.set()` timing issues persist
-### Phase 4 - polish
+### Phase 4 - Polish & Reliability
 - [ ] **Uninstall script** - Clean removal of environment variables and plugin configuration
 - [ ] **Configuration validation** - Validate OpenCode config files reference correct environment variables
+- [ ] **Health checks** - Periodic verification that 1Password connection and authentication are working
+- [ ] **Better error messages** - User-friendly error reporting for common issues
+## Deployment
+### Publishing New Versions
+1. **Update version** in `package.json`
+2. **Commit changes** with descriptive message:
+   ```bash
+   git add .
+   git commit -m "Brief description of changes"
+   ```
+3. **Tag the release** (optional but recommended):
+   ```bash
+   git tag v1.0.6
+   git push origin v1.0.6
+   ```
+4. **Publish to npm**:
+   ```bash
+   npm publish
+   ```
+5. **Update GitHub**:
+   ```bash
+   git push origin master
+   ```
+### Version History
+- **v1.0.6**: Timing fixes - immediate initialization, config hook, enhanced logging
+- **v1.0.5**: Debug logging and error handling improvements
+- **v1.0.4**: Variable normalization and multiple env var formats
+- **v1.0.3**: Setup scripts with config file modification
+- **v1.0.2**: MCP secret injection and .env warnings
+- **v1.0.1**: Initial release with basic provider authentication
 ## License

package/index.ts CHANGED Viewed

@@ -252,17 +252,20 @@ export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
       try {
         // Authenticate with OpenCode runtime
-        debugLog(`Calling client.auth.set for ${providerId}`);
-        await client.auth.set({
+        debugLog(`Calling client.auth.set for ${providerId} with key length ${apiKey.length}`);
+        const result = await client.auth.set({
           path: { id: providerId },
           body: { type: "api", key: apiKey },
         });
-        debugLog(`✓ ${providerId} authenticated (from ${variableName})`);
+        debugLog(`✓ ${providerId} authenticated (from ${variableName}) - Result: ${JSON.stringify(result)}`);
       } catch (err) {
         debugLog(`Failed to authenticate ${providerId}: ${err}`);
         if (err instanceof Error) {
           debugLog(`Error message: ${err.message}`);
+          debugLog(`Error stack: ${err.stack}`);
         }
+        // Also log to console for immediate visibility
+        console.error(`[1Password Plugin] Failed to authenticate ${providerId}: ${err}`);
       }
     }
   };
@@ -311,52 +314,85 @@ export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
     return toInject;
   };
-  return {
-    async event({ event }: { event: { type: string } }) {
-      debugLog(`Received event: ${event.type}`);
-      if (event.type === "server.connected") {
-        debugLog("Initializing...");
+  // Initialize as soon as plugin loads (config hook runs early)
+  const initializePlugin = async () => {
+    debugLog("Initializing plugin...");
-        opClient = await initClient();
-        if (!opClient) {
-          debugLog("No client available");
-          return;
-        }
+    opClient = await initClient();
+    if (!opClient) {
+      debugLog("No client available");
+      return;
+    }
-        const configEnvId = process.env.OP_CONFIG_ENV_ID;
-        if (!configEnvId) {
-          debugLog("Missing OP_CONFIG_ENV_ID");
-          return;
-        }
+    const configEnvId = process.env.OP_CONFIG_ENV_ID;
+    if (!configEnvId) {
+      debugLog("Missing OP_CONFIG_ENV_ID");
+      return;
+    }
-        debugLog(`Reading config from environment ${configEnvId}`);
-        const vars = await readEnvironmentVariables(configEnvId);
-        const configEnvIds: Record<string, string> = {};
-        for (const v of vars) {
-          if (v.name.endsWith("_ENV_ID") && v.value) {
-            configEnvIds[v.name] = v.value;
-            debugLog(`Found ${v.name} = ${v.value.substring(0, 10)}...`);
-          }
-        }
+    debugLog(`Reading config from environment ${configEnvId}`);
+    const vars = await readEnvironmentVariables(configEnvId);
+    const configEnvIds: Record<string, string> = {};
+    for (const v of vars) {
+      if (v.name.endsWith("_ENV_ID") && v.value) {
+        configEnvIds[v.name] = v.value;
+        debugLog(`Found ${v.name} = ${v.value.substring(0, 10)}...`);
+      }
+    }
-        const providersEnvId = configEnvIds.OPENCODE_PROVIDERS_ENV_ID;
-        if (providersEnvId) {
-          // First update the config files to use env var references
-          await updateAuthJson(providersEnvId);
-          await authenticateProviders(providersEnvId);
-        }
+    const providersEnvId = configEnvIds.OPENCODE_PROVIDERS_ENV_ID;
+    if (providersEnvId) {
+      // First update the config files to use env var references
+      await updateAuthJson(providersEnvId);
+      await authenticateProviders(providersEnvId);
+    }
-        const mcpEnvIdFromConfig = configEnvIds.OPENCODE_MCPS_ENV_ID;
-        if (mcpEnvIdFromConfig) {
-          mcpsEnvId = mcpEnvIdFromConfig;
-          await updateOpenCodeJsonMCP(mcpEnvIdFromConfig);
-          const toInject = await injectMCPSecrets(mcpEnvIdFromConfig);
-          if (Object.keys(toInject).length > 0) {
-            debugLog(`Injected ${Object.keys(toInject).join(", ")} for MCP`);
+    const mcpEnvIdFromConfig = configEnvIds.OPENCODE_MCPS_ENV_ID;
+    if (mcpEnvIdFromConfig) {
+      mcpsEnvId = mcpEnvIdFromConfig;
+      await updateOpenCodeJsonMCP(mcpEnvIdFromConfig);
+      const toInject = await injectMCPSecrets(mcpEnvIdFromConfig);
+      if (Object.keys(toInject).length > 0) {
+        debugLog(`Injected ${Object.keys(toInject).join(", ")} for MCP`);
+      }
+    }
+    debugLog("Plugin initialization complete");
+  };
+  // Start initialization immediately
+  initializePlugin().catch(err => {
+    debugLog(`Failed to initialize plugin: ${err}`);
+  });
+  return {
+    async config(config: any) {
+      debugLog("Config hook called");
+      // Config hook runs early, we could also initialize here
+      // but we're already initializing above
+    },
+    async event({ event }: { event: { type: string } }) {
+      debugLog(`Received event: ${event.type}`);
+      if (event.type === "server.connected") {
+        debugLog("Server connected - rechecking authentication");
+        // Re-authenticate providers in case they weren't set earlier
+        if (opClient) {
+          const configEnvId = process.env.OP_CONFIG_ENV_ID;
+          if (configEnvId) {
+            const vars = await readEnvironmentVariables(configEnvId);
+            const configEnvIds: Record<string, string> = {};
+            for (const v of vars) {
+              if (v.name.endsWith("_ENV_ID") && v.value) {
+                configEnvIds[v.name] = v.value;
+              }
+            }
+            const providersEnvId = configEnvIds.OPENCODE_PROVIDERS_ENV_ID;
+            if (providersEnvId) {
+              await authenticateProviders(providersEnvId);
+            }
           }
         }
-        debugLog("Initialization complete");
       }
     },

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "opencode-1password-auth",
-  "version": "1.0.5",
+  "version": "1.0.7",
   "description": "1Password integration for OpenCode - authenticate providers and inject MCP secrets from 1Password environments",
   "type": "module",
   "main": "index.ts",

package/index-v2.ts DELETED Viewed

@@ -1,387 +0,0 @@
-import type { Plugin } from "@opencode-ai/plugin";
-import * as sdk from "@1password/sdk";
-// Debug logging to file
-const debugLog = (message: string) => {
-  const timestamp = new Date().toISOString();
-  const logMessage = `[${timestamp}] 1Password: ${message}\n`;
-  console.log(logMessage.trim());
-  try {
-    // Try to write to a debug log file
-    const fs = require('fs');
-    const path = require('path');
-    const home = process.env.HOME || process.env.USERPROFILE || '';
-    const logDir = path.join(home, '.opencode-1password-debug');
-    if (!fs.existsSync(logDir)) {
-      fs.mkdirSync(logDir, { recursive: true });
-    }
-    const logFile = path.join(logDir, 'debug.log');
-    fs.appendFileSync(logFile, logMessage);
-  } catch (err) {
-    // Ignore file logging errors
-  }
-};
-interface MCPServerConfig {
-  environment?: Record<string, string>;
-}
-interface OpenCodeConfig {
-  mcp?: Record<string, MCPServerConfig>;
-}
-interface ProviderAuth {
-  type: string;
-  key: string;
-}
-interface AuthJson {
-  [providerId: string]: ProviderAuth;
-}
-export const OnePasswordAuthPlugin: Plugin = async ({ client, $ }) => {
-  let opClient: Awaited<ReturnType<typeof sdk.createClient>> | null = null;
-  let mcpsEnvId: string | undefined;
-  debugLog("Plugin loaded");
-  const normalizeProviderId = (variableName: string): string => {
-    // Convert common patterns to match auth.json provider IDs
-    // e.g., "MINIMAX_CODING_PLAN" -> "minimax-coding-plan"
-    // e.g., "OPENCODE" -> "opencode"
-    // e.g., "DEEPSEEK" -> "deepseek"
-    let normalized = variableName.toLowerCase();
-    // Convert underscores to hyphens
-    normalized = normalized.replace(/_/g, '-');
-    debugLog(`Normalized ${variableName} -> ${normalized}`);
-    return normalized;
-  };
-  const getAlternativeEnvVarNames = (providerId: string): string[] => {
-    // Generate all possible env var names that might be used
-    const names = new Set<string>();
-    // Original providerId (e.g., "minimax-coding-plan")
-    names.add(providerId);
-    // Uppercase version (e.g., "MINIMAX-CODING-PLAN")
-    names.add(providerId.toUpperCase());
-    // With underscores instead of hyphens (e.g., "minimax_coding_plan")
-    names.add(providerId.replace(/-/g, '_'));
-    // Uppercase with underscores (e.g., "MINIMAX_CODING_PLAN")
-    names.add(providerId.replace(/-/g, '_').toUpperCase());
-    // Just the first part (e.g., "minimax")
-    const firstPart = providerId.split('-')[0];
-    if (firstPart && firstPart !== providerId) {
-      names.add(firstPart);
-      names.add(firstPart.toUpperCase());
-    }
-    return Array.from(names);
-  };
-  const getHomeDir = (): string => {
-    return process.env.HOME || process.env.USERPROFILE || "";
-  };
-  const getAuthJsonPath = (): string => {
-    const home = getHomeDir();
-    return `${home}/.local/share/opencode/auth.json`;
-  };
-  const getOpenCodeJsonPath = (): string => {
-    const home = getHomeDir();
-    return `${home}/.config/opencode/opencode.json`;
-  };
-  const initClient = async () => {
-    const token = process.env.OP_SERVICE_ACCOUNT_TOKEN;
-    if (!token) {
-      debugLog("Missing OP_SERVICE_ACCOUNT_TOKEN");
-      return null;
-    }
-    try {
-      return await sdk.createClient({
-        auth: token,
-        integrationName: "opencode-1password-env",
-        integrationVersion: "1.0.0",
-      });
-    } catch (err) {
-      debugLog(`Failed to create client: ${err}`);
-      return null;
-    }
-  };
-  const readEnvironmentVariables = async (envId: string) => {
-    if (!opClient) return [];
-    try {
-      const { variables } = await opClient.environments.getVariables(envId);
-      debugLog(`Read ${variables?.length || 0} variables from environment ${envId}`);
-      return variables || [];
-    } catch (err) {
-      debugLog(`Failed to read environment ${envId}: ${err}`);
-      return [];
-    }
-  };
-  const getSecretsFromEnvironment = async (envId: string): Promise<Record<string, string>> => {
-    const vars = await readEnvironmentVariables(envId);
-    const secrets: Record<string, string> = {};
-    for (const v of vars) {
-      if (v.value) {
-        secrets[v.name] = v.value;
-        debugLog(`Found secret: ${v.name} (${v.value.length} chars)`);
-      }
-    }
-    return secrets;
-  };
-  const updateAuthJson = async (providerEnvId: string): Promise<void> => {
-    const authJsonPath = getAuthJsonPath();
-    try {
-      // Read current auth.json using cat
-      const catResult = await $`cat "${authJsonPath}"`;
-      const content = catResult.stdout;
-      let auth: AuthJson;
-      try {
-        auth = JSON.parse(content);
-      } catch {
-        debugLog("auth.json is not valid JSON, skipping");
-        return;
-      }
-      let modified = false;
-      for (const [providerId, authConfig] of Object.entries(auth)) {
-        if (authConfig.key && !authConfig.key.startsWith("{env:")) {
-          // Replace hardcoded key with env var reference
-          authConfig.key = `{env:${providerId}}`;
-          modified = true;
-          debugLog(`Updated auth.json - ${providerId} -> {env:${providerId}}`);
-        }
-      }
-      if (modified) {
-        // Write updated content using a temp file and mv
-        const newContent = JSON.stringify(auth, null, 2);
-        // Use node to write the file since $ heredocs can be tricky
-        await $`node -e "const fs=require('fs'); fs.writeFileSync('${authJsonPath}', JSON.stringify(${JSON.stringify(auth)}, null, 2));"`;
-        debugLog("auth.json updated to use environment variables");
-      }
-    } catch (err) {
-      debugLog(`Failed to update auth.json: ${err}`);
-    }
-  };
-  const updateOpenCodeJsonMCP = async (mcpEnvId: string): Promise<void> => {
-    const openCodeJsonPath = getOpenCodeJsonPath();
-    try {
-      // Read current opencode.json using cat
-      const catResult = await $`cat "${openCodeJsonPath}"`;
-      const content = catResult.stdout;
-      let config: OpenCodeConfig;
-      try {
-        config = JSON.parse(content);
-      } catch {
-        debugLog("opencode.json is not valid JSON, skipping");
-        return;
-      }
-      if (!config.mcp) {
-        debugLog("No MCP configuration found, skipping");
-        return;
-      }
-      let modified = false;
-      for (const [serverName, serverConfig] of Object.entries(config.mcp)) {
-        if (serverConfig?.environment) {
-          for (const [key, value] of Object.entries(serverConfig.environment)) {
-            if (typeof value === "string" && !value.startsWith("{env:") && !value.startsWith("$")) {
-              // Replace hardcoded value with env var reference
-              serverConfig.environment[key] = `{env:${key}}`;
-              modified = true;
-              debugLog(`Updated opencode.json - ${serverName}.${key} -> {env:${key}}`);
-            }
-          }
-        }
-      }
-      if (modified) {
-        // Write updated content
-        await $`node -e "const fs=require('fs'); fs.writeFileSync('${openCodeJsonPath}', JSON.stringify(${JSON.stringify(config)}, null, 2));"`;
-        debugLog("opencode.json MCP config updated to use environment variables");
-      }
-    } catch (err) {
-      debugLog(`Failed to update opencode.json: ${err}`);
-    }
-  };
-  const authenticateProviders = async (providerEnvId: string): Promise<void> => {
-    if (!opClient) return;
-    debugLog(`Reading provider secrets from environment ${providerEnvId}`);
-    const secrets = await getSecretsFromEnvironment(providerEnvId);
-    debugLog(`Found ${Object.keys(secrets).length} provider secrets`);
-    for (const [variableName, apiKey] of Object.entries(secrets)) {
-      if (!apiKey) continue;
-      const providerId = normalizeProviderId(variableName);
-      debugLog(`Processing ${variableName} -> ${providerId} (key length: ${apiKey.length})`);
-      // Set environment variables in multiple formats
-      const envVarNames = getAlternativeEnvVarNames(providerId);
-      for (const envVarName of envVarNames) {
-        process.env[envVarName] = apiKey;
-        debugLog(`Set process.env.${envVarName} = ${apiKey.substring(0, 8)}...`);
-      }
-      try {
-        // Authenticate with OpenCode runtime
-        debugLog(`Calling client.auth.set for ${providerId}`);
-        await client.auth.set({
-          path: { id: providerId },
-          body: { type: "api", key: apiKey },
-        });
-        debugLog(`✓ ${providerId} authenticated (from ${variableName})`);
-      } catch (err) {
-        debugLog(`Failed to authenticate ${providerId}: ${err}`);
-        if (err instanceof Error) {
-          debugLog(`Error message: ${err.message}`);
-        }
-      }
-    }
-  };
-  const getConfiguredMCPVars = (): Set<string> => {
-    const vars = new Set<string>();
-    try {
-      const config = client.config as OpenCodeConfig;
-      if (config?.mcp) {
-        for (const [, serverConfig] of Object.entries(config.mcp)) {
-          if (serverConfig?.environment) {
-            for (const [key] of Object.entries(serverConfig.environment)) {
-              if (key.startsWith("{env:")) {
-                const envVar = key.slice(5, -1);
-                vars.add(envVar);
-              } else {
-                vars.add(key);
-              }
-            }
-          }
-        }
-      }
-    } catch (err) {
-      debugLog(`Failed to read MCP config: ${err}`);
-    }
-    return vars;
-  };
-  const injectMCPSecrets = async (mcpEnvId: string): Promise<Record<string, string>> => {
-    const neededVars = getConfiguredMCPVars();
-    if (neededVars.size === 0) {
-      return {};
-    }
-    const secrets = await getSecretsFromEnvironment(mcpEnvId);
-    const toInject: Record<string, string> = {};
-    for (const varName of neededVars) {
-      if (secrets[varName]) {
-        toInject[varName] = secrets[varName];
-      }
-    }
-    return toInject;
-  };
-  return {
-    async event({ event }: { event: { type: string } }) {
-      debugLog(`Received event: ${event.type}`);
-      if (event.type === "server.connected") {
-        debugLog("Initializing...");
-        opClient = await initClient();
-        if (!opClient) {
-          debugLog("No client available");
-          return;
-        }
-        const configEnvId = process.env.OP_CONFIG_ENV_ID;
-        if (!configEnvId) {
-          debugLog("Missing OP_CONFIG_ENV_ID");
-          return;
-        }
-        debugLog(`Reading config from environment ${configEnvId}`);
-        const vars = await readEnvironmentVariables(configEnvId);
-        const configEnvIds: Record<string, string> = {};
-        for (const v of vars) {
-          if (v.name.endsWith("_ENV_ID") && v.value) {
-            configEnvIds[v.name] = v.value;
-            debugLog(`Found ${v.name} = ${v.value.substring(0, 10)}...`);
-          }
-        }
-        const providersEnvId = configEnvIds.OPENCODE_PROVIDERS_ENV_ID;
-        if (providersEnvId) {
-          // First update the config files to use env var references
-          await updateAuthJson(providersEnvId);
-          await authenticateProviders(providersEnvId);
-        }
-        const mcpEnvIdFromConfig = configEnvIds.OPENCODE_MCPS_ENV_ID;
-        if (mcpEnvIdFromConfig) {
-          mcpsEnvId = mcpEnvIdFromConfig;
-          await updateOpenCodeJsonMCP(mcpEnvIdFromConfig);
-          const toInject = await injectMCPSecrets(mcpEnvIdFromConfig);
-          if (Object.keys(toInject).length > 0) {
-            debugLog(`Injected ${Object.keys(toInject).join(", ")} for MCP`);
-          }
-        }
-        debugLog("Initialization complete");
-      }
-    },
-    async "shell.env"(input, output) {
-      if (!opClient || !mcpsEnvId) return;
-      const toInject = await injectMCPSecrets(mcpsEnvId);
-      for (const [varName, value] of Object.entries(toInject)) {
-        output.env[varName] = value;
-        debugLog(`Injected ${varName} into shell environment`);
-      }
-    },
-    async "tool.execute.before"(input) {
-      if (input.tool !== "read") return;
-      const fileArgs = input.args as { filePath?: string } | undefined;
-      if (fileArgs?.filePath && fileArgs.filePath.includes(".env")) {
-        debugLog(
-          "Warning - .env file access detected. Consider using 1Password for secrets management."
-        );
-      }
-    },
-  };
-};
-export default OnePasswordAuthPlugin;