Skip to content

Migrate from @1password/op-js to the 1Password JavaScript SDK#1

Draft
Tom Plant (pl4nty) wants to merge 5 commits into
mainfrom
claude/amazing-turing-LZ0Oa
Draft

Migrate from @1password/op-js to the 1Password JavaScript SDK#1
Tom Plant (pl4nty) wants to merge 5 commits into
mainfrom
claude/amazing-turing-LZ0Oa

Conversation

@pl4nty

Copy link
Copy Markdown
Member

Summary

Replaces the CLI-based @1password/op-js dependency with the native @1password/sdk (onepassword-sdk-js).

The two libraries are architecturally very different: op-js shells out to the installed op CLI binary, while the SDK is a self-contained native client (with a ~10MB WebAssembly core) that authenticates against the 1Password desktop app via DesktopAuth (biometric unlock). No CLI install is required anymore.

Key changes

  • New client wrapper (src/client.ts) — OnePassword lazily creates and reuses an SDK client (createClient({ auth: new DesktopAuth(account), integrationName, integrationVersion })), replacing the CLI-validation wrapper (src/cli.ts). It also exposes a resolveItem helper that resolves a vault/item reference (name or ID) to a full item, since client.items.get requires concrete IDs.
  • Account setup (src/setup.ts) — the SDK can't enumerate accounts (no account.list/whoami), so "Choose account" now prompts for an account name / sign-in address / UUID. Vault selection uses client.vaults.list.
  • Items (src/items.ts) — uses client.items.get/create/list. Secret references are constructed from op://<vaultId>/<itemId>/<fieldId> (the SDK doesn't return a reference string on fields). Password generation uses Secrets.generatePassword with a recipe parsed from the existing recipe string.
  • Secret injection (src/injection.ts) — finds op:// references in the document, resolves them in one batch via client.secrets.resolveAll, and substitutes the values, replacing inject.data.
  • Hover (src/language-providers/hover.ts) — auth check uses the SDK client; the Windows-only CLI workaround (and the 1s delay) is removed, so hover previews are now enabled on all platforms (src/editor.ts).
  • Field types / categories — mapped to the SDK's ItemFieldType / ItemCategory enums (src/constants.ts, src/utils.ts).
  • Packaging (compile.ts, .vscodeignore) — the SDK and its wasm core are kept external in the esbuild bundle and shipped in node_modules, because the wasm is loaded from disk at runtime via __dirname.
  • Settings1password.items.cacheValues is marked deprecated (the SDK has no cache).
  • Tests, factories, and the README quick start are updated to match.

Behavioral changes to be aware of

  • Account selection is now manual entry instead of a picker (SDK limitation).
  • Requirement shift: the 1Password desktop app (installed + biometric unlock) is now required; the CLI is no longer needed.
  • cacheValues no longer has any effect.

Verification

  • tsc --noEmit
  • eslint
  • prettier --check
  • jest — 179/179 passing ✅
  • Production esbuild build succeeds with the SDK externalized ✅
  • Smoke-tested that the SDK's wasm core loads and Secrets.generatePassword works in this environment ✅

Note

I couldn't exercise the full interactive desktop-app auth flow (DesktopAuth) in CI, since it requires a running, unlocked 1Password desktop app. That path should be manually verified before release.

https://claude.ai/code/session_01TGpfBgZbebxze8uV5i2uv3


Generated by Claude Code

Claude (claude) and others added 5 commits June 2, 2026 01:37
Replace the CLI-based @1password/op-js dependency with the native
@1password/sdk (onepassword-sdk-js). The SDK authenticates against the
1Password desktop app via DesktopAuth (biometric unlock) instead of
shelling out to the installed op CLI.

Key changes:
- Add a OnePassword client wrapper (src/client.ts) that lazily creates and
  reuses an SDK client, replacing the CLI validation wrapper (src/cli.ts).
- Account setup now prompts for an account name/URL/UUID, since the SDK
  cannot enumerate accounts (no account.list/whoami). Vault selection uses
  client.vaults.list.
- Items use client.items.get/create and client.items.list; secret
  references are constructed from vault/item/field IDs (the SDK doesn't
  return a reference string on fields).
- Secret injection resolves op:// references via client.secrets.resolveAll
  and substitutes them, replacing inject.data.
- Password generation uses Secrets.generatePassword with a parsed recipe.
- Field types/categories map to the SDK's ItemFieldType/ItemCategory enums.
- Hover auth check uses the SDK client; the Windows-only CLI workaround is
  removed and hover previews are enabled on all platforms.
- Keep the SDK and its WebAssembly core external in the esbuild bundle and
  ship them in node_modules (the ~10MB wasm is loaded from disk at runtime).
- The items.cacheValues setting is marked deprecated (the SDK has no cache).
- Update tests, factories, and README to match.
Updated quick start guide for 1Password extension installation.
Signed-off-by: GitHub <noreply@github.com>
When the 1Password desktop app integration is disabled (or the app isn't
running/unlocked), the SDK throws "Native library is not available." This
previously surfaced as a raw message and, on quiet paths like hover, only
went to the logs.

Detect this specific error and show a clear notification explaining how to
fix it (enable app integration in Settings -> Developer) with a "Learn more"
link to the docs. The notification is shown even on otherwise-quiet paths,
deduped so it appears only once until the account changes or a client
connects. Add client tests covering the new behavior.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants