Update secrets management docs

- New setup workflow
- Can now list 1Password secrets
- Minor polishing

Author: danbarr

docs/toolhive/guides-cli/install.mdx

@@ -262,39 +262,49 @@ To uninstall ToolHive:
    rm -rf ~/Library/Application\ Support/toolhive/
    # Linux:
    rm -rf ~/.config/toolhive/
+   # Windows:
+   Remove-Item "$env:LOCALAPPDATA\toolhive" -Recurse -Force
    ```
 
 3. Remove the ToolHive CLI:
 
 {/* prettier-ignore */}
    <Tabs groupId='installer' queryString='installer'>
      <TabItem value='homebrew' label='Homebrew (macOS)' default>
+
        If you installed ToolHive via Homebrew, uninstall it with:
 
        ```bash
        brew uninstall thv
        ```
+
      </TabItem>
      <TabItem value='winget' label='WinGet (Windows)'>
+
        If you installed ToolHive via WinGet, uninstall it with:
 
        ```bash
        winget uninstall stacklok.thv
        ```
+
      </TabItem>
      <TabItem value='binary' label='Pre-compiled binaries'>
+
        Delete the binary from your PATH:
 
        ```bash
        sudo rm /usr/local/bin/thv
        ```
+
      </TabItem>
      <TabItem value='source' label='Build from source'>
+
        Remove the binary from your `$GOPATH`:
 
        ```bash
        rm $(go env GOPATH)/bin/thv
        ```
+
      </TabItem>
 
    </Tabs>

docs/toolhive/guides-cli/secrets-management.mdx

@@ -15,84 +15,82 @@ configuration files.
 
 ## Secrets providers
 
-ToolHive supports multiple secret providers:
+ToolHive supports multiple secret providers to fit different security and
+workflow requirements:
 
-- `encrypted` (default) - ToolHive encrypts secrets using a password that it
-  stores in your operating system's keyring.
-- `1password` - ToolHive retrieves secrets from a 1Password vault.
+- `encrypted` - ToolHive encrypts secrets using a password stored in your
+  operating system's keyring
+- `1password` - ToolHive retrieves secrets from a 1Password vault
 
-<Tabs groupId='secrets-provider' queryString='secrets-provider'>
-  <TabItem value='encrypted' label='Encrypted (default)' default>
+You can use only one provider at a time. To select your preferred provider, run:
 
-The `encrypted` provider is the default secrets provider. When you use a
-[`thv secret`](../reference/cli/thv_secret.md) command for the first time,
-ToolHive prompts you for a password to encrypt and decrypt your secrets.
+```bash
+thv secret setup
+```
 
-ToolHive stores the encryption password in your operating system's keyring
-(Keychain Access on macOS, dbus/Gnome Keyring on Linux). This means you don't
-need to enter it every time you use a
-[`thv secret`](../reference/cli/thv_secret.md) command.
+If you plan to use 1Password, first set up a 1Password service account and
+obtain an API token. See the 1Password tab below for details.
 
-To explicitly use the `encrypted` provider (or switch back to it from another
-provider), run:
+<Tabs groupId='secrets-provider'>
+  <TabItem value='encrypted' label='Encrypted' default>
 
-```bash
-thv config secrets-provider encrypted
-```
+When you select the `encrypted` provider, ToolHive prompts you to create an
+encryption password that protects your secrets.
+
+ToolHive stores this encryption password in your operating system's keyring
+(Keychain Access on macOS, Credential Manager on Windows, and dbus/Gnome Keyring
+on Linux). This means you don't need to enter the password every time you use a
+[`thv secret`](../reference/cli/thv_secret.md) command.
 
   </TabItem>
   <TabItem value='1password' label='1Password'>
 
 :::note
 
-The `list`, `set`, and `delete` operations aren't currently supported with
-1Password.
-
-You can retrieve secrets using the
-[`thv secret get`](../reference/cli/thv_secret_get.md) command and the
-`--secret` parameter for [`thv run`](../reference/cli/thv_run.md), but the
-secret must already exist in 1Password.
+The 1Password provider is read-only. You can list and view secrets, but you
+can't create or delete them through ToolHive. Secrets must already exist in your
+1Password vault.
 
-If you'd like to see more functionality, please
+If you'd like to see write operations added, please
 [open an issue](https://github.com/stacklok/toolhive/issues) or join the
 `#toolhive-developers` channel in [Discord](https://discord.gg/stacklok).
-Contributions are also welcome!
+Contributions are welcome!
 
 :::
 
 To use 1Password as your secrets provider, set up a 1Password service account.
 For detailed instructions, see the
 [1Password documentation](https://developer.1password.com/docs/service-accounts/get-started#create-a-service-account).
 
-Next, set the `OP_SERVICE_ACCOUNT_TOKEN` environment variable to the 1Password
-service account's API token, which is displayed during the service account
-creation process. This token is required for all
-[`thv secret`](../reference/cli/thv_secret.md) commands.
+Next, set the `OP_SERVICE_ACCOUNT_TOKEN` environment variable to your service
+account's API token (displayed during the service account creation process).
+This token is required for all [`thv secret`](../reference/cli/thv_secret.md)
+commands:
 
 ```bash
 export OP_SERVICE_ACCOUNT_TOKEN=<your-service-account-token>
 ```
 
-Then, set 1Password as your ToolHive secrets provider:
+Then, run `thv secret setup` and select `1password` when prompted.
 
-```bash
-thv config secrets-provider 1password
-```
-
-To reference a secret, use the
+To reference a secret from 1Password, use the
 [1Password secret reference](https://developer.1password.com/docs/cli/secret-reference-syntax)
 URI format:
 
 ```text
 op://<vault-name>/<item-name>/[section-name/]<field-name>
 ```
 
-For example, to retrieve a secret named `github` from the `MCPVault` vault:
+For example, to retrieve the `password` field from the `github` item in the
+`MCPVault` vault:
 
 ```bash
 thv secret get op://MCPVault/github/password
 ```
 
+Run [`thv secret list`](../reference/cli/thv_secret_list.md) to see all secrets
+accessible to your service account, along with their URIs.
+
   </TabItem>
 </Tabs>
 
@@ -172,17 +170,32 @@ thv secret reset-keyring
 
 Then, delete the encrypted secrets file:
 
-On macOS:
+<Tabs groupId='os'>
+  <TabItem value='macos' label='macOS' default>
+   
+    ```bash
+    rm ~/Library/Application\ Support/toolhive/secrets_encrypted
+    ```
 
-```bash
-rm ~/Library/Application\ Support/toolhive/secrets_encrypted
-```
+  </TabItem>
+  <TabItem value='linux' label='Linux'>
 
-On Linux:
+    ```bash
+    rm ~/.config/toolhive/secrets_encrypted
+    ```
 
-```bash
-rm ~/.config/toolhive/secrets_encrypted
-```
+  </TabItem>
+  <TabItem value='windows' label='Windows'>
+
+    ```powershell
+    Remove-Item "$env:LOCALAPPDATA\toolhive\secrets_encrypted"
+    ```
+
+  </TabItem>
+</Tabs>
+
+The next time you run a `thv secret` command, ToolHive prompts you to create a
+new encryption password and starts with a fresh secret store.
 
 ## Use secrets with MCP servers
 
@@ -328,7 +341,15 @@ If you can't access 1Password secrets:
    ```
 
 2. Check that the token is valid and has the necessary permissions to access the
-   vault and item.
+   vault and item:
+
+   ```bash
+   thv secret list
+   ```
 
 3. Make sure the secret reference URI is correct and matches the vault, item,
-   and field names in 1Password.
+   and field names in 1Password:
+
+   ```bash
+   thv secret get op://<vault-name>/<item-name>/[section-name/]<field-name>
+   ```