gh-densom-claude-1password-plugins-1password/commands/env-sync.md

---
description: Populate .env file from .env.1password template using 1Password CLI
argument-hint: [path-to-template]
---

You are tasked with generating a `.env` file by resolving 1Password secret references from a `.env.1password` template file.

## Prerequisites Check:

1. **Verify 1Password CLI is installed**: Run `op --version` to check if the 1Password CLI is available.
   - If not installed, inform the user to install it from https://developer.1password.com/docs/cli/get-started/

2. **Verify 1Password CLI is authenticated**: Run `op account list` to check if the user is signed in.
   - If not authenticated, inform the user to run `op signin` first

## Instructions:

1. **Locate the template file**: If the user provided a path argument, use that path. Otherwise, look for `.env.1password` in the current working directory.
   - If `.env.1password` doesn't exist, inform the user and suggest running `/claude-1password:env-init` first

2. **Check if .env already exists**:
   - If `.env` already exists, ask the user if they want to overwrite it
   - Consider backing up the existing `.env` as `.env.backup` before overwriting

3. **Use op inject command**: Use the 1Password CLI `op inject` command to resolve all secret references in the template file and generate the `.env` file.

   The basic command syntax is:
   ```bash
   op inject -i .env.1password -o .env
   ```
  
   The `op inject` command will:
   - Automatically find all `op://vault/item/field` references in the template
   - Resolve them by fetching the secrets from 1Password
   - Replace the references with the actual secret values
   - Preserve all comments, empty lines, and non-secret values exactly as they appear
   - Handle multiple references on a single line
   - Provide clear error messages if any references are invalid or inaccessible

If the user opted to overwrite the existing file, make sure to use the `--force` flag in the op command.

4. **Output summary**: Show the user:
   - Success message: "Successfully generated .env from .env.1password"
   - The path to the generated `.env` file
   - Number of secret references that were resolved (count `op://` occurrences in the template)
   - A reminder to add `.env` to `.gitignore` if not already present
   - Security reminder: "Remember to delete this file when no longer needed"

## Example:

Template (`.env.1password`):
```
# Database configuration
DATABASE_URL=op://Private/myapp/database_url
API_KEY=op://Private/myapp/api_key

# Non-secret values can be stored directly
NODE_ENV=development
```

Command executed:
```bash
op inject -i .env.1password -o .env
```

Generated (`.env`):
```
# Database configuration
DATABASE_URL=postgresql://user:pass@localhost:5432/db
API_KEY=sk_live_abc123xyz789

# Non-secret values can be stored directly
NODE_ENV=development
```

## Additional Options:

- **Force overwrite**: If you want to skip the overwrite confirmation, you can add the `--force` flag: `op inject -i .env.1password -o .env --force`
- **In-memory only**: To output to stdout without writing a file (useful for verification): `op inject -i .env.1password`
- **Different paths**: You can specify any template and output paths: `op inject -i path/to/template -o path/to/.env`

## Error Handling:

- If `.env.1password` doesn't exist, inform the user and suggest running `/claude-1password:env-init` first
- If `.env` already exists, ask if they want to overwrite it
- If `op inject` fails, show the specific error message from the CLI and suggest solutions:
  - **"not signed in"**: User needs to run `op signin`
  - **"item not found"** or **"vault not found"**: Check that the `op://` references in `.env.1password` match actual items in 1Password
  - **"field not found"**: Verify the field name exists in the 1Password item
  - For any errors, show which reference(s) caused the problem to help the user debug
- If the command succeeds but the output seems incorrect, suggest the user manually verify their 1Password references