Refine op integration toggle handling

Copilot · iloveitaly · Copilot · commit d5cdcd34e6a7 · 2025-12-15T20:04:33.000Z
Co-authored-by: iloveitaly &lt;150855+iloveitaly@users.noreply.github.com&gt;
diff --git a/.envrc b/.envrc
@@ -44,19 +44,35 @@ layout uv
 # debugging much more challenging. It's easy for obscure error messages to get swallowed up and waste development time
 # forgetting that this error path exists.
 op_inject_source() {
-  local tmpfile
-  tmpfile=$(mktemp)
+  local input_file injected_file op_reference_pattern
+  op_reference_pattern='op://[[:alnum:].~_-]+/[[:alnum:].~_-]+/[[:alnum:].~_/-]+'
+  # simplified matcher for op://vault/item/field references with alnum, dot, underscore, tilde, dash, or slash in the field
+  # references using other characters or additional path segments will bypass replacement
+
+  input_file=$(umask 077; mktemp)
+  injected_file=$(umask 077; mktemp)
+
+  if ! cat > "$input_file"; then
+    just _banner_echo "Failed to capture inject input"
+    rm -f "$input_file" "$injected_file"
+    return 1
+  fi
 
   if [ -n "${OP_INTEGRATION_DISABLED:-}" ]; then
-    cat > "$tmpfile"
-    sed -E 's@op://[^[:space:]]+@fake-op-value@g' "$tmpfile" > "${tmpfile}.fake"
-    source "${tmpfile}.fake"
-    rm -f "$tmpfile" "${tmpfile}.fake"
+    if grep -Eq "${op_reference_pattern}" "$input_file"; then
+      # intentionally uses a single placeholder for all secrets while OP integration is disabled
+      sed -E "s|${op_reference_pattern}|fake-op-value|g" "$input_file" > "$injected_file"
+    else
+      just _banner_echo "OP_INTEGRATION_DISABLED set but no op references matched fallback pattern; leaving values unchanged"
+      cp "$input_file" "$injected_file"
+    fi
+    source "$injected_file"
+    rm -f "$input_file" "$injected_file"
     return 0
   fi
 
   # `inject` consumes stdin
-  if ! op inject > "$tmpfile"; then
+  if ! op inject < "$input_file" > "$injected_file"; then
     just _banner_echo "1Password injection failed"
     cat >&2 << EOF
 Make sure you're authenticated with 1Password, have access to referenced secrets, and are using valid secret references.
@@ -72,12 +88,12 @@ Some tips on how to resolve this issue:
 - If you move a 1P entry out of a vault, this will cause a missing entry error.
 
 EOF
-    rm -f "$tmpfile"
+    rm -f "$input_file" "$injected_file"
     return 1
   fi
 
-  source "$tmpfile"
-  rm -f "$tmpfile"
+  source "$injected_file"
+  rm -f "$input_file" "$injected_file"
 }
 
 # this is hack to allow us to render a specific .env file
diff --git a/README.md b/README.md
@@ -77,7 +77,7 @@ There are a couple of dependencies which are not managed by the project:
 * Latest macOS
 * VS Code
 
-(If you want to bootstrap without 1Password on first run, set `OP_INTEGRATION_DISABLED=1` to load fake secret values instead of running `op inject`.)
+(If you want to bootstrap without 1Password on first run, set `OP_INTEGRATION_DISABLED=1` to load fake secret values instead of running `op inject`).
 
 (you **could** use a different setup (bash, vim, etc), but this is not the golden path for this project.)
 
