
Crate secretenv_backend_1password


1Password backend for SecretEnv.

Wraps the op CLI — never 1Password’s Connect Server SDK. The CLI handles SSO, biometric unlock, service accounts, and multiple signed-in accounts without us touching any of it.

§URI shape

<instance>://<vault>/<item>/<field> — exactly three non-empty path segments. Example: 1password-personal://Engineering/Prod DB/url targets the url field of the Prod DB item in the Engineering vault.

Nested fields (items with sections, op://vault/item/section/field) are out of scope for v0.1; the strict 3-segment rule is documented in the error message when parsing fails.

§Config fields

  • op_account (optional) — 1Password account shorthand or URL (e.g. myteam.1password.com). Needed only when multiple accounts are signed in simultaneously. Passed as --account <value> to every op invocation.

§Semantics

  • get calls op read op://<v>/<i>/<f> and returns the field value verbatim.
  • set calls op item edit <item> <field>=<value> --vault <vault>. Errors if the item does not exist — we never auto-create.
  • delete calls op item edit <item> <field>= --vault <vault> (empty value). Full item deletion is out of scope for v0.1.
  • list fetches the field value and parses it as flat TOML HashMap<String, String>. This is the registry-document shape: a 1Password note whose body is the alias → URI map in TOML form.
  • check runs op --version (Level 1) and op whoami --format=json (Level 2).

§Safety

Every argv call goes through tokio::process::Command::args(&[…]) — never sh -c. URI-derived values never touch a shell interpreter.
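The strict three-segment rule from the URI shape section and the argv-only rule above, as an added sketch that is not the crate's own code. The names SecretUri, parse_uri, op_read_command and argv are hypothetical, the empty-instance check and the position of --account are assumptions, and std::process::Command stands in for tokio::process::Command so the block builds without dependencies; the command is built but never run.

```rust
use std::process::Command;

/// Parsed `<instance>://<vault>/<item>/<field>` URI (hypothetical type).
#[derive(Debug, PartialEq)]
struct SecretUri { instance: String, vault: String, item: String, field: String }

/// Enforce the strict rule: exactly three non-empty path segments.
fn parse_uri(uri: &str) -> Result<SecretUri, String> {
    let (instance, path) = uri
        .split_once("://")
        .ok_or_else(|| format!("missing '://' in {uri:?}"))?;
    let segs: Vec<&str> = path.split('/').collect();
    // Rejecting an empty instance name is an assumption of this sketch.
    if instance.is_empty() || segs.len() != 3 || segs.iter().any(|s| s.is_empty()) {
        return Err(format!(
            "expected <instance>://<vault>/<item>/<field> with exactly three \
             non-empty segments, got {uri:?}"
        ));
    }
    Ok(SecretUri {
        instance: instance.to_string(),
        vault: segs[0].to_string(),
        item: segs[1].to_string(),
        field: segs[2].to_string(),
    })
}

/// Build (but do not run) the `op read` command used by `get`.
/// Each value is one argv element; no shell ever parses it.
fn op_read_command(u: &SecretUri, op_account: Option<&str>) -> Command {
    let mut cmd = Command::new("op");
    cmd.arg("read").arg(format!("op://{}/{}/{}", u.vault, u.item, u.field));
    if let Some(acct) = op_account {
        cmd.arg("--account").arg(acct);
    }
    cmd
}

/// Render the argument vector as strings so it can be inspected.
fn argv(cmd: &Command) -> Vec<String> {
    cmd.get_args().map(|a| a.to_string_lossy().into_owned()).collect()
}

fn main() {
    // Constructed input: the item name carries a space and shell metacharacters.
    let u = parse_uri("1password-personal://Engineering/Prod DB; echo $HOME/url").unwrap();
    println!("{:?}", argv(&op_read_command(&u, Some("myteam.1password.com"))));
    // Constructed input: a nested (four-segment) path is rejected.
    println!("{:?}", parse_uri("1password-personal://Engineering/Prod DB/section/url"));
}
```

The metacharacters in the item name stay inside a single argument handed to op, which is the property the argv-only rule provides.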

Structs§

OnePasswordBackend
A live instance of the 1Password backend.
OnePasswordFactory
Factory for the 1Password backend. No required config fields; op_account is optional.