Set up 1Password + direnv for secure secret management in current project
Sets up 1Password CLI and direnv for secure secret management in projects.
Install via the plugin marketplace:
/plugin marketplace add clearfunction/cf-devtools
/plugin install cf-devtools@cf-devtools
Argument: [account], e.g., 'mycompany.1password.com' (optional)
Command namespace: secrets/
Set up secure secret management using 1Password CLI with direnv.
Verify 1Password CLI is installed:
op --version
If not installed, inform user:
brew install --cask 1password-cli
Verify direnv is installed:
direnv --version
If not installed, inform user:
brew install direnv
echo 'eval "$(direnv hook zsh)"' >> ~/.zshrc # or ~/.bashrc
Check if 1Password is signed in:
op account list
If no accounts, inform user to sign in:
op signin --account=yourcompany.1password.com
Use AskUserQuestion to collect:
Q1: 1Password Account - "What is your 1Password account domain?" (e.g., mycompany.1password.com)
Q2: Vault Name - "Which vault contains your secrets?" (e.g., Development or Private)
Q3: Initial Secrets (optional) - "What environment variables do you need? (comma-separated)" (e.g., DATABASE_URL, API_KEY, AWS_ACCESS_KEY_ID)
Create .env.op:
# 1Password Secret References
# Safe to commit - contains only op:// pointers, not actual secrets
#
# Format: VAR_NAME="op://Vault/Item/Field"
# Example: DATABASE_URL="op://Development/PostgreSQL/connection-string"
# Add your secret references below:
If user provided initial secrets, add placeholder entries:
DATABASE_URL="op://Vault/Item/Field" # TODO: Update with actual 1Password path
API_KEY="op://Vault/Item/Field" # TODO: Update with actual 1Password path
Create .envrc:
# Load secrets from 1Password using direnv
# Safe to commit - no secrets, just delegates to .env.op
direnv_load op run --env-file=.env.op --no-masking \
--account=ACCOUNT_DOMAIN -- direnv dump
Replace ACCOUNT_DOMAIN with the user's account.
Update .gitignore:
Check if .gitignore exists. If so, append (if not already present):
# 1Password + direnv
.direnv/
.env
.env.local
If no .gitignore, create one with these entries.
Note:
.envrc is safe to commit - it contains no secrets, just a loader command that delegates to .env.op.
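The safety of this layout rests on one invariant: .env.op holds only op:// references and the files that would contain resolved values stay out of git. The following script is an added example (not part of the cf-devtools plugin) that checks both before a commit: it lints every line of a .env.op file against the 1Password reference format (op://vault/item/field, with an optional section segment), flags the unfinished "op://Vault/Item/Field" placeholders from the step above, reports any line that carries a literal value instead of a reference, and confirms the .gitignore entries listed above are present. The file names and the three ignore entries are those from this page; the function names and the regular expression are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not the plugin's own code: pre-commit checks for the
# 1Password + direnv layout described above.

# lint_env_op FILE
# Returns 0 when every non-blank, non-comment line has the shape
#   VAR_NAME="op://vault/item/field"   (an optional /section/ segment is allowed,
#   and a trailing "# comment" is tolerated, as in the placeholders above).
# Prints each offending line and returns 1 otherwise. A line that is not an
# op:// reference is treated as a possible plaintext secret.
lint_env_op() {
  file="$1"
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;          # blank lines and comments are fine
    esac
    if printf '%s\n' "$line" | grep -Eq \
        '^[A-Za-z_][A-Za-z0-9_]*="op://[^/"]+/[^/"]+(/[^/"]+){1,2}"( *#.*)?$'; then
      case "$line" in
        *'op://Vault/Item/Field'*)
          echo "placeholder not replaced: $line"; bad=1 ;;
      esac
    else
      echo "not an op:// reference (possible plaintext secret): $line"; bad=1
    fi
  done < "$file"
  return $bad
}

# gitignore_covers GITIGNORE ENTRY...
# Returns 0 when each ENTRY appears as an exact line of GITIGNORE, 1 otherwise.
gitignore_covers() {
  gi="$1"; shift
  missing=0
  for entry in "$@"; do
    grep -Fxq "$entry" "$gi" || { echo "missing from .gitignore: $entry"; missing=1; }
  done
  return $missing
}

# check_project DIR: run both checks against a project directory.
check_project() {
  dir="$1"
  lint_env_op "$dir/.env.op" && gitignore_covers "$dir/.gitignore" .direnv/ .env .env.local
}

# Run only when a project directory is given; otherwise just define the functions.
case "${1:-}" in
  '') ;;
  *) check_project "$1" ;;
esac
```

Run it as `sh check-secrets.sh .` from the project root, or wire `check_project` into a pre-commit hook; a non-zero exit means a literal value or an unreplaced placeholder is about to be committed, or a resolved-secrets file is not ignored.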
Run direnv allow:
direnv allow
Provide usage instructions:
Setup complete!
Files created:
- .env.op (safe to commit - add your op:// references here)
- .envrc (safe to commit - no secrets, just loader command)
- .gitignore (updated with direnv entries)
Next steps:
1. Edit .env.op to add your secret references:
DATABASE_URL="op://Development/MyApp/database-url"
2. Test a secret resolves:
op read "op://Development/MyApp/database-url"
3. Reload the environment:
direnv allow
4. Verify secrets loaded:
echo $DATABASE_URL
To migrate an existing .env file, run:
/secrets:migrate
See the 1password-direnv-secrets skill for detailed documentation on:
- the op run pattern and why it's faster
- op inject