1Password CLI Python Wrapper

Python wrapper for 1Password CLI with Pydantic Settings integration. Automatically injects secrets from op:// references while preserving types.

Features

• Automatic secret injection with op:// reference detection
• Pydantic Settings integration with pre-validation injection
• Type preservation (int, float, bool, None, lists)
• Full type hints with py.typed marker
• Performance optimized (skips CLI calls when no secrets detected)
• Timeout protection and clear error messages

Installation

pip install 1password-cli

Prerequisites: 1Password CLI installed and authenticated (op signin)

Usage

String injection:

from scottzach1.onepassword_cli import inject_string_1password

password = inject_string_1password("op://vault/database/password")

Dictionary injection:

from scottzach1.onepassword_cli import inject_dictionary_1password

config = {
    "database_url": "op://vault/database/url",
    "api_key": "op://vault/api/key",
    "port": 5432,  # Non-secret values preserved
}
injected = inject_dictionary_1password(config)

Pydantic Settings:

from scottzach1.onepassword_cli import OnePasswordSettings

class AppSettings(OnePasswordSettings):
    database_url: str = "op://vault/database/url"
    api_key: str = "op://vault/api/key"
    port: int = 8080

settings = AppSettings()  # Secrets injected automatically

API

• inject_string_1password(value, check_cli=True) - Inject secrets into a string
• inject_dictionary_1password(data, check_cli=True, in_place=False) - Inject secrets into a dictionary
• OnePasswordSettings - Pydantic Settings base class with automatic injection

See docstrings for parameters and exceptions.

Development

# Setup
uv sync --dev && uv run pre-commit install

# Test
uv run pytest tests/ -v -m "not integration"
uv run coverage run -m pytest tests/ -m "not integration"

# Lint/Format
uv run ruff check src/ tests/ --fix
uv run ruff format src/ tests/

License

MIT License - see LICENSE file.