
Struggles with integrating 1Password's op

Open rsyring opened this issue 1 year ago • 16 comments

I've been trying to figure out how to get 1Password secrets integrated with mise (refs #1359). The biggest challenge I've encountered is that the op utility is rather slow, taking about 1s to return when asked for secrets. That delay on every prompt is pretty annoying.

Since direnv doesn't run at every prompt, I thought I had this solved with a pretty simple setup:

# .mise.toml
[env]
TF_VAR_wasabi_access_key = 'op://private/aws/access-key'
TF_VAR_wasabi_secret_key = 'op://private/aws/secret-key'

# .envrc
direnv_load op run --no-masking -- direnv dump
watch_file .mise.toml

This setup has the advantage of being usable with op run directly if someone prefers not to use direnv. The problem I encountered is that there is a conflict between direnv and mise which led to the environment variables not getting removed when leaving the directory. The secrets were no longer resolved but the environment variables (TF_VAR_*) remained in the current shell.

The benefit of direnv for this setup is that .envrc isn't executed on every prompt. If I need to refresh the secrets, it's easy with direnv reload.

Since mise has the stated intention of replacing direnv for any use case, it would be better to do:

# .mise.toml
[env]
TF_VAR_wasabi_access_key = 'op://private/aws/access-key'
TF_VAR_wasabi_secret_key = 'op://private/aws/secret-key'
_.source = 'op-run.sh'

But, in this case, for performance to be acceptable, I'd only want op-run.sh to run the first time it was needed and/or on demand.

This may also impact #1448.

One other thought regarding this: since we are dealing with secrets, I wouldn't want to see these values cached to the filesystem.

rsyring avatar Feb 06 '24 06:02 rsyring
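
The behaviour asked for above (resolve the op:// references once per shell, refresh on demand, keep nothing on disk) can be sketched in POSIX shell; this is an added example, not code from the issue or from mise. The names op_env_load, op_env_unload and OP_RESOLVER are hypothetical, and the default resolver is assumed to be the 1Password CLI's `op read <reference>`.

```shell
# Added illustration, not code from the issue or from mise.
# Assumptions: op_env_load, op_env_unload and OP_RESOLVER are hypothetical names;
# the default resolver is the 1Password CLI's `op read <reference>`.
OP_RESOLVER=${OP_RESOLVER:-op read}
_OP_STAMP=""    # checksum of the config at the last successful resolve
_OP_LOADED=""   # names of the variables exported by the last resolve

# Remove every variable this helper exported (e.g. when leaving the project).
op_env_unload() {
    for _n in $_OP_LOADED; do unset "$_n"; done
    _OP_LOADED=""
    _OP_STAMP=""
}

# op_env_load FILE [force]
# Resolve NAME = 'op://...' entries of the [env] table once per shell session.
# Later calls return immediately unless FILE changed or "force" is given.
op_env_load() {
    _file=$1
    _stamp=$(cksum < "$_file") || return 1
    if [ "$_stamp" = "$_OP_STAMP" ] && [ "${2:-}" != force ]; then
        return 0    # unchanged: the slow resolver is not called
    fi
    op_env_unload
    # Only names and op:// references are extracted here, never secret values.
    _pairs=$(sed -n "/^\[env\]/,/^\[/ s|^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=[[:space:]]*['\"]\(op://[^'\"]*\)['\"].*|\1 \2|p" "$_file")
    while read -r _name _ref; do
        [ -n "$_name" ] || continue
        # The value goes from the resolver's stdout straight into the
        # environment; it is never written to a file.
        _val=$($OP_RESOLVER "$_ref" < /dev/null) || { op_env_unload; return 1; }
        export "$_name=$_val"
        _OP_LOADED="$_OP_LOADED $_name"
    done <<EOF
$_pairs
EOF
    _OP_STAMP=$_stamp
}
```

Calling `op_env_unload` on leaving the project directory clears the exported names, which addresses the lingering TF_VAR_* variables described in the issue.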