Inject and audit 1Password secrets via the op CLI: op:// references with op run/op inject, an always-ask permission gate, and an opt-in deny-capable PreToolUse audit hook. Use for API keys, tokens, credentials, .env secrets, OP_SERVICE_ACCOUNT_TOKEN, or 1Password.