feat: Add 1Password provider support (#15)

* feat: 1password provider

* fix: ci missing env

* fix: ci missing env

* fix: missing top level field

Author: dirathea

.github/workflows/ci.yml

@@ -56,6 +56,8 @@ jobs:
           BW_PASSWORD: ${{ secrets.BW_PASSWORD }}
           BW_CLIENTSECRET: ${{ secrets.BW_CLIENTSECRET }}
           BW_CLIENTID: ${{ secrets.BW_CLIENTID }}
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          OP_TEST_VAULT_NAME: ${{ secrets.OP_TEST_VAULT_NAME }}
         run: go test -v ./tests/end2end/...
 
   build:

.sstart.yml.example

@@ -33,3 +33,9 @@ providers:
     id: dotenv-shared
     path: ${HOME}/.config/myapp/.env
 
+  # 1Password example - fetch a whole section
+  # Requires OP_SERVICE_ACCOUNT_TOKEN environment variable
+  - kind: 1password
+    id: onepassword-prod
+    ref: op://Production/MyApp/Database
+

CONFIGURATION.md

@@ -23,6 +23,7 @@ providers:
 
 | Provider | Status |
 |----------|--------|
+| `1password` | Stable |
 | `aws_secretsmanager` | Stable |
 | `azure_keyvault` | Stable |
 | `bitwarden` | Stable |
@@ -33,6 +34,125 @@ providers:
 
 ## Provider Configuration
 
+### 1Password (`1password`)
+
+Retrieves secrets from 1Password using the 1Password Connect SDK. Supports fetching individual fields, whole sections, or entire items from 1Password vaults.
+
+**Dependencies:**
+- No CLI required. Uses the 1Password Go SDK directly.
+
+**Configuration:**
+- `ref` (required): The 1Password secret reference in the format `op://<vault>/<item>/[section/]<field>`. sstart supports custom reference formats that allow fetching different scopes of secrets:
+  - `op://VaultName/ItemName/fieldName` - Fetch a specific top-level field (not in any section)
+  - `op://VaultName/ItemName/sectionName/fieldName` - Fetch a specific field from a section
+  - `op://VaultName/ItemName/sectionName` - **Fetch all fields from a section** (custom sstart feature)
+  - `op://VaultName/ItemName` - **Fetch all fields from an entire item** (custom sstart feature)
+- `use_section_prefix` (optional): When `true`, fields from sections will have keys prefixed with the section name (e.g., `SectionName_FieldName`). When `false` or not specified, fields use just the field name. Defaults to `false`.
+
+**Reference Format Support:**
+sstart extends the standard 1Password reference format to support fetching multiple secrets at once:
+- **Single field references** (`op://vault/item/field` or `op://vault/item/section/field`): Fetch one specific field value
+- **Whole section references** (`op://vault/item/section`): Fetch all fields from a specific section in an item. All fields from that section will be loaded as environment variables.
+- **Whole item references** (`op://vault/item`): Fetch all fields from an entire item, including both top-level fields and fields from all sections. This is useful when you want to load all secrets from an item at once.
+
+**Authentication:**
+1Password authentication must be provided via environment variable:
+- `OP_SERVICE_ACCOUNT_TOKEN` (required): Service account token for 1Password Connect API authentication
+
+**Example - Fetch a specific field:**
+```yaml
+providers:
+  - kind: 1password
+    id: onepassword-prod
+    ref: op://Production/MyApp/API_KEY
+```
+
+**Example - Fetch a whole section:**
+```yaml
+providers:
+  - kind: 1password
+    id: onepassword-db
+    ref: op://Production/MyApp/Database
+    keys:
+      HOST: DB_HOST
+      PORT: DB_PORT
+      USERNAME: DB_USER
+      PASSWORD: DB_PASSWORD
+```
+
+This example fetches all fields from the "Database" section. When using `keys`, only the specified fields will be mapped. If `keys` is omitted, all fields from the section will be loaded.
+
+**Example - Fetch whole item with section prefixes:**
+```yaml
+providers:
+  - kind: 1password
+    id: onepassword-app
+    ref: op://Production/MyApp
+    use_section_prefix: true
+    keys:
+      API_KEY: ==
+      Database_HOST: ==
+      Database_PORT: ==
+      Redis_HOST: ==
+```
+
+This example fetches all fields from the entire item. With `use_section_prefix: true`, fields from sections are prefixed (e.g., `Database_HOST`), while top-level fields remain unprefixed (e.g., `API_KEY`).
+
+**Example - Fetch whole item without section prefixes:**
+```yaml
+providers:
+  - kind: 1password
+    id: onepassword-app
+    ref: op://Production/MyApp
+    use_section_prefix: false
+```
+
+This example fetches all fields from the entire item without section prefixes. Field names will be just the field names (e.g., `HOST`, `PORT`). Top-level fields take precedence over section fields with the same name (warnings are logged). If the same field name exists in multiple sections, an error will be raised to prevent collisions.
+
+**Section Prefix Behavior:**
+- **Default (no prefix)**: When `use_section_prefix` is not specified or set to `false`, fields use just their field names (e.g., `HOST`, `PORT`). This works well when field names are unique across sections.
+- **With prefix**: When `use_section_prefix: true`, fields from sections are prefixed with the section name (e.g., `Database_HOST`, `Database_PORT`). This prevents collisions when the same field name exists in multiple sections.
+
+**Collision Handling and Priority:**
+When fetching secrets without section prefixes, sstart handles collisions with a clear priority system:
+
+1. **Top-level fields take precedence**: If a field name exists both as a top-level field and in a section, the top-level field value will be used. A warning will be logged suggesting how to access the section field instead.
+
+2. **Ambiguous references**: When using a reference like `op://vault/item/DB` where both a top-level field "DB" and a section "DB" exist, sstart will:
+   - Use the top-level field (priority)
+   - Log a warning about the ambiguous reference
+   - Suggest renaming either the top-level field or the section in 1Password to avoid ambiguity, or use `use_section_prefix: true` when fetching the whole item to access both
+
+3. **Section-to-section collisions**: If the same field name exists in multiple sections (e.g., `HOST` in both "Database" and "Redis" sections), sstart will return an error. Use `use_section_prefix: true` to load both fields with distinct names.
+
+**Examples of collision handling:**
+
+- **Top-level field vs section field**: If item has top-level field `DB` and section `DB` with field `HOST`:
+  - `op://vault/item/DB` → Uses top-level field `DB`, warns about section
+  - `op://vault/item` → Uses top-level field `DB`, section field `HOST` is loaded (no collision)
+  - If section `DB` also had a field named `DB`, the top-level field takes precedence, and a warning is logged
+
+- **Multiple sections with same field name**: If item has `HOST` in both "Database" and "Redis" sections:
+  - `op://vault/item` (without prefix) → Error: collision detected
+  - `op://vault/item` with `use_section_prefix: true` → Loads both as `Database_HOST` and `Redis_HOST`
+
+**How it works:**
+The provider uses the 1Password Connect SDK to authenticate with 1Password Connect (or 1Password Business/Enterprise) using a service account token. It resolves vault and item names to IDs, then retrieves the specified secrets. 
+
+sstart implements custom support for 1Password reference formats beyond single-field references:
+- **Section-level fetching** (`op://vault/item/section`): When a reference points to a section (without a field name), sstart fetches all fields within that section and makes them available as environment variables.
+- **Item-level fetching** (`op://vault/item`): When a reference points to just a vault and item (without section or field), sstart fetches all fields from the entire item, including top-level fields and fields from all sections.
+
+This custom implementation allows you to efficiently load multiple secrets in a single provider configuration, rather than requiring separate provider entries for each field.
+
+**1Password Connect Setup:**
+To use this provider, you need:
+1. 1Password Connect server running (or access to 1Password Business/Enterprise)
+2. A service account token created in your 1Password account
+3. The service account must have access to the vaults and items you want to retrieve
+
+For more information on setting up 1Password Connect, see the [1Password Connect documentation](https://developer.1password.com/docs/connect).
+
 ### AWS Secrets Manager (`aws_secretsmanager`)
 
 Retrieves secrets from AWS Secrets Manager. Supports both JSON secrets (parsed into multiple key-value pairs) and plain text secrets.

README.md

@@ -1,11 +1,11 @@
 # 🤫 sstart: Secure Start for Cloud-Native Secrets
-sstart is a minimalist, zero-persistence CLI tool that securely retrieves application secrets from multiple backend sources (Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) and injects them as environment variables into any wrapped process.
+sstart is a minimalist, zero-persistence CLI tool that securely retrieves application secrets from multiple backend sources (1Password, Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) and injects them as environment variables into any wrapped process.
 
 It is the spiritual successor to the [Teller](https://github.com/tellerops/teller), modernized and rebuilt in Go for fast execution, reliability, and cross-platform simplicity.
 
 ## 🎯 Why sstart?
 
-Say goodbye to `.env` files. With sstart, we eliminate the need for static `.env` files that store secrets in your project directory. Instead, secrets are pulled at runtime from secure backends like AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, or GCP Secret Manager.
+Say goodbye to `.env` files. With sstart, we eliminate the need for static `.env` files that store secrets in your project directory. Instead, secrets are pulled at runtime from secure backends like 1Password, AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, or GCP Secret Manager.
 
 This approach provides multiple security benefits:
 
@@ -17,7 +17,7 @@ You define all your required secrets from all your sources in a single, declarat
 
 ## Features
 
-- 🔐 **Multiple Secret Providers**: Support for AWS Secrets Manager, Azure Key Vault, Bitwarden, HashiCorp Vault, GCP Secret Manager, dotenv files, and more
+- 🔐 **Multiple Secret Providers**: Support for 1Password, AWS Secrets Manager, Azure Key Vault, Bitwarden, HashiCorp Vault, GCP Secret Manager, dotenv files, and more
 - 🔄 **Combine Secrets**: Merge secrets from multiple providers
 - 🚀 **Subprocess Execution**: Automatically inject secrets into subprocesses
 - 🔒 **Secure by Default**: Secrets never appear in shell history or logs

go.mod

@@ -18,6 +18,7 @@ require (
 	cloud.google.com/go/iam v1.5.2 // indirect
 	cloud.google.com/go/secretmanager v1.16.0 // indirect
 	dario.cat/mergo v1.0.2 // indirect
+	github.com/1password/onepassword-sdk-go v0.3.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
@@ -52,12 +53,15 @@ require (
 	github.com/docker/docker v28.5.1+incompatible // indirect
 	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
+	github.com/dylibso/observe-sdk/go v0.0.0-20240819160327-2d926c5d788a // indirect
 	github.com/ebitengine/purego v0.8.4 // indirect
+	github.com/extism/go-sdk v1.7.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
@@ -73,6 +77,7 @@ require (
 	github.com/hashicorp/go-sockaddr v1.0.7 // indirect
 	github.com/hashicorp/hcl v1.0.1-vault-7 // indirect
 	github.com/hashicorp/vault/api v1.22.0 // indirect
+	github.com/ianlancetaylor/demangle v0.0.0-20240805132620-81f5be970eca // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
@@ -102,6 +107,8 @@ require (
 	github.com/testcontainers/testcontainers-go v0.40.0 // indirect
 	github.com/testcontainers/testcontainers-go/modules/localstack v0.40.0 // indirect
 	github.com/testcontainers/testcontainers-go/modules/vault v0.40.0 // indirect
+	github.com/tetratelabs/wabin v0.0.0-20230304001439-f6f874872834 // indirect
+	github.com/tetratelabs/wazero v1.9.0 // indirect
 	github.com/tklauser/go-sysconf v0.3.13 // indirect
 	github.com/tklauser/numcpus v0.7.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
@@ -111,6 +118,7 @@ require (
 	go.opentelemetry.io/otel v1.38.0 // indirect
 	go.opentelemetry.io/otel/metric v1.38.0 // indirect
 	go.opentelemetry.io/otel/trace v1.38.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	golang.org/x/crypto v0.45.0 // indirect
 	golang.org/x/mod v0.29.0 // indirect
 	golang.org/x/net v0.47.0 // indirect

go.sum

@@ -10,6 +10,8 @@ cloud.google.com/go/secretmanager v1.16.0 h1:19QT7ZsLJ8FSP1k+4esQvuCD7npMJml6hYz
 cloud.google.com/go/secretmanager v1.16.0/go.mod h1://C/e4I8D26SDTz1f3TQcddhcmiC3rMEl0S1Cakvs3Q=
 dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
 dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
+github.com/1password/onepassword-sdk-go v0.3.1 h1:dz0LrYuIh/HrZ7rxr8NMymikNLBIXhyj4NBmo5Tdamc=
+github.com/1password/onepassword-sdk-go v0.3.1/go.mod h1:kssODrGGqHtniqPR91ZPoCMEo79mKulKat7RaD1bunk=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 h1:JXg2dwJUmPB9JmtVmdEB16APJ7jurfbY5jnfXpJoRMc=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0/go.mod h1:YD5h/ldMsG0XiIw7PdyNhLxaM317eFh5yNLccNfGdyw=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 h1:Hk5QBxZQC1jb2Fwj6mpzme37xbCDdNTxU7O9eb5+LB4=
@@ -86,8 +88,12 @@ github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pM
 github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/dylibso/observe-sdk/go v0.0.0-20240819160327-2d926c5d788a h1:UwSIFv5g5lIvbGgtf3tVwC7Ky9rmMFBp0RMs+6f6YqE=
+github.com/dylibso/observe-sdk/go v0.0.0-20240819160327-2d926c5d788a/go.mod h1:C8DzXehI4zAbrdlbtOByKX6pfivJTBiV9Jjqv56Yd9Q=
 github.com/ebitengine/purego v0.8.4 h1:CF7LEKg5FFOsASUj0+QwaXf8Ht6TlFxg09+S9wz0omw=
 github.com/ebitengine/purego v0.8.4/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
+github.com/extism/go-sdk v1.7.0 h1:yHbSa2JbcF60kjGsYiGEOcClfbknqCJchyh9TRibFWo=
+github.com/extism/go-sdk v1.7.0/go.mod h1:Dhuc1qcD0aqjdqJ3ZDyGdkZPEj/EHKVjbE4P+1XRMqc=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/go-jose/go-jose/v4 v4.1.1 h1:JYhSgy4mXXzAdF3nUx3ygx347LRXJRrpgyU3adRmkAI=
@@ -104,6 +110,8 @@ github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
 github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
+github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
+github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c=
 github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
 github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
@@ -137,6 +145,8 @@ github.com/hashicorp/hcl v1.0.1-vault-7 h1:ag5OxFVy3QYTFTJODRzTKVZ6xvdfLLCA1cy/Y
 github.com/hashicorp/hcl v1.0.1-vault-7/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
 github.com/hashicorp/vault/api v1.22.0 h1:+HYFquE35/B74fHoIeXlZIP2YADVboaPjaSicHEZiH0=
 github.com/hashicorp/vault/api v1.22.0/go.mod h1:IUZA2cDvr4Ok3+NtK2Oq/r+lJeXkeCrHRmqdyWfpmGM=
+github.com/ianlancetaylor/demangle v0.0.0-20240805132620-81f5be970eca h1:T54Ema1DU8ngI+aef9ZhAhNGQhcRTrWxVeG07F+c/Rw=
+github.com/ianlancetaylor/demangle v0.0.0-20240805132620-81f5be970eca/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
@@ -202,6 +212,10 @@ github.com/testcontainers/testcontainers-go/modules/localstack v0.40.0 h1:b+lN2C
 github.com/testcontainers/testcontainers-go/modules/localstack v0.40.0/go.mod h1:8LuTSboTo2MJKFKV5xH6z4ZH1s3jhRJWwvtPJzKogj4=
 github.com/testcontainers/testcontainers-go/modules/vault v0.40.0 h1:8mNnxEsbh+MT3PQMWgSmyCtyAUBx2RRK8ojgV7eqCQU=
 github.com/testcontainers/testcontainers-go/modules/vault v0.40.0/go.mod h1:p5HvonDtban/rtZrQ3uoXtl7XdX3bTJiZls7PShebfo=
+github.com/tetratelabs/wabin v0.0.0-20230304001439-f6f874872834 h1:ZF+QBjOI+tILZjBaFj3HgFonKXUcwgJ4djLb6i42S3Q=
+github.com/tetratelabs/wabin v0.0.0-20230304001439-f6f874872834/go.mod h1:m9ymHTgNSEjuxvw8E7WWe4Pl4hZQHXONY8wE6dMLaRk=
+github.com/tetratelabs/wazero v1.9.0 h1:IcZ56OuxrtaEz8UYNRHBrUa9bYeX9oVY93KspZZBf/I=
+github.com/tetratelabs/wazero v1.9.0/go.mod h1:TSbcXCfFP0L2FGkRPxHphadXPjo1T6W+CseNNY7EkjM=
 github.com/tklauser/go-sysconf v0.3.13 h1:GBUpcahXSpR2xN01jhkNAbTLRk2Yzgggk8IM08lq3r4=
 github.com/tklauser/go-sysconf v0.3.13/go.mod h1:zwleP4Q4OehZHGn4CYZDipCgg9usW5IJePewFCGVEa0=
 github.com/tklauser/numcpus v0.7.0 h1:yjuerZP127QG9m5Zh/mSO4wqurYil27tHrqwRoRjpr4=
@@ -230,6 +244,8 @@ go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt
 go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
 go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
 go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
+go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
+go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
 golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
 golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
 golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=

internal/cli/root.go

@@ -5,6 +5,7 @@ import (
 	_ "github.com/dirathea/sstart/internal/provider/bitwarden"
 	_ "github.com/dirathea/sstart/internal/provider/dotenv"
 	_ "github.com/dirathea/sstart/internal/provider/gcsm"
+	_ "github.com/dirathea/sstart/internal/provider/onepassword"
 	_ "github.com/dirathea/sstart/internal/provider/vault"
 	"github.com/spf13/cobra"
 )