opah.fish

Open source · Apache-2.0 · Shell
Stars: 20 · Forks: 0 · Issues: 2 · Watchers: 0 · Last commit: 3 weeks

About opah.fish

A Fish shell plugin for seamless 1Password secrets management with automatic loading and intelligent caching.

Platforms

Web Self-hosted

Languages

Shell

opah.fish

Automatically load 1Password secrets into your Fish shell environment.
Secure caching, instant startup, and a clean CLI for day-to-day secret management.

fisher install tbcrawford/opah.fish

Quick Start

  1. Install the plugin: fisher install tbcrawford/opah.fish
  2. Create ~/.config/fish/secrets.yaml with your secret references (see Configuration)
  3. Run opah refresh to fetch from 1Password and populate the cache
  4. Open a new shell — secrets load automatically on every startup

Why opah

Dotfiles committed to git should not contain secrets. The alternatives — templating systems, encrypted files, excluded config — all add friction.

opah separates the reference from the value. Your dotfiles hold only op:// URIs. The actual secrets live in 1Password and are fetched on demand, cached locally, and exported into your environment automatically.

  • Commit your entire Fish config without exposing credentials
  • No preprocessors, no templates, no extra tooling
  • Works across every machine that has the 1Password CLI installed

Install

Prerequisites: Fish 3.0+ and 1Password CLI (op)

Fisher

fisher install tbcrawford/opah.fish

Oh My Fish

omf install https://github.com/tbcrawford/opah.fish

Configuration

Create ~/.config/fish/secrets.yaml:

secrets:
  API_KEY: "op://Work/API Keys/api_key"
  DATABASE_URL: "op://Work/Database/connection_string"
  GITHUB_TOKEN: "op://Work/GitHub/token"

Values must be 1Password secret references in op://vault/item/field format. opah checks the following locations in order, using the first file it finds:

  • ~/.config/fish/secrets.yaml (recommended)
  • ~/.config/fish/secrets.yml
  • ~/.config/fish/.secrets.yaml
  • ~/.config/fish/.secrets.yml
  • ~/.config/opah/secrets.yaml
  • ~/.config/opah/secrets.yml

Command Reference

Command             Description
opah refresh [KEY]  Fetch secrets from 1Password and update the cache. Pass a key name to refresh a single secret.
opah status [KEY]   Show which secrets are cached and loaded into the environment.
opah config         Validate the configuration file and list defined secrets.
opah doctor         Run health checks: CLI installation, authentication, config, and cache.
opah clear          Remove the cache and unset all managed environment variables.
opah reinit         Clear state, re-authenticate, and reload everything from scratch.
opah help           Show usage. All subcommands also accept -h.

How It Works

On each shell startup, opah checks for a local cache. If it exists, secrets load instantly without touching 1Password. If it is missing, opah calls op read for each secret in your config, writes a fresh cache, and exports everything into the environment.

The cache is stored at ~/.cache/fish/opah/secrets.fish with 600 permissions. It is updated by opah refresh and removed by opah clear.


Security

Cached secrets are stored in plaintext on disk. Use opah clear before walking away from a shared machine. On personal machines, whole-disk encryption provides the appropriate layer of protection beneath the 600 file permissions opah sets on the cache.

Secrets are exported as global environment variables and are visible to all child processes. This is the same posture as loading secrets from a .env file — convenient for local development, not appropriate for production hosts.
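
The two properties this setup relies on can be checked mechanically: that the committed secrets.yaml holds only op:// references (see Configuration), and that the plaintext cache still has mode 600. The script below is an added example, not part of opah.fish; the function names audit_secret_refs and cache_mode_ok are hypothetical, and it assumes the flat "secrets:" layout shown under Configuration. It is written in POSIX sh so it can run from a git pre-commit hook.

```sh
#!/bin/sh
# Added example, not opah's own code. Assumes the flat layout shown under
# Configuration: a top-level "secrets:" key, then indented "NAME: value" lines.

# audit_secret_refs FILE
# Reports every entry whose value is not an op://vault/item/field reference.
# Only the line number and key name are printed, never the value.
# Returns 0 when all values are references, 1 otherwise.
audit_secret_refs() {
    awk -v sq="'" '
        BEGIN { ref = "^op://[^/]+/[^/]+/[^/]+" }
        /^[ \t]*(#|$)/      { next }               # comments, blank lines
        /^secrets:[ \t]*$/  { in_s = 1; next }
        /^[^ \t]/           { in_s = 0; next }     # another top-level key
        in_s {
            line = $0
            sub(/^[ \t]+/, "", line)
            i = index(line, ":")
            if (i == 0) { printf "line %d: not a KEY: value entry\n", NR; bad = 1; next }
            key = substr(line, 1, i - 1)
            val = substr(line, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            # Strip one pair of matching quotes around the value.
            if (val ~ /^".*"$/ || val ~ ("^" sq ".*" sq "$"))
                val = substr(val, 2, length(val) - 2)
            if (val !~ ref) {
                printf "line %d: %s is not an op:// reference\n", NR, key
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# cache_mode_ok FILE
# Succeeds only if FILE is a regular file (not a symlink) with mode exactly 600.
cache_mode_ok() {
    [ -n "$(find "$1" -prune -type f -perm 600 2>/dev/null)" ]
}
```

Call audit_secret_refs on ~/.config/fish/secrets.yaml before committing, and cache_mode_ok on ~/.cache/fish/opah/secrets.fish after opah refresh. A value followed by a trailing YAML comment is reported as a non-reference, which errs on the side of a manual look.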


Apache 2.0 License · Built for Fish shell