@agilous
Last active January 23, 2026 19:06

1Password SSH Agent Forwarding for Devcontainers

License: MIT

Use 1Password's SSH agent to sign Git commits inside VS Code devcontainers across macOS, Linux, and Windows.

Quick Start

  1. Read the full guide: 1password-ssh-devcontainer-guide.md
  2. Configure your host to use 1Password's SSH agent
  3. Add the devcontainer mount for your platform
  4. Use the setup script (setup-ssh-agent.sh) to auto-detect and configure the agent

What's Included

Supported Platforms

Platform | Docker | Status
macOS | Docker Desktop | Tested
Linux | Native Docker | Untested
Windows | WSL2 + Docker Desktop | Untested

License

MIT

1Password SSH Agent Forwarding for Devcontainers

A cross-platform guide for using 1Password's SSH agent to sign Git commits inside VS Code devcontainers.

Tested Configurations

  • ✅ macOS Sequoia 15.2 + Docker Desktop 4.37.1 + 1Password 8.x + VS Code 1.96.x (working January 2026)
  • ⏳ Ubuntu 24.04 + Docker Engine (untested)
  • ✅ Windows 11 + WSL2 + Docker Desktop (working January 2026)

The Problem

When using VS Code devcontainers with 1Password's SSH agent, signed git commits fail with errors like:

error: Couldn't find key in agent?
fatal: failed to write commit object

This happens because:

  1. 1Password manages SSH keys via its own agent socket
  2. VS Code's devcontainer SSH agent forwarding doesn't automatically detect 1Password's socket
  3. The socket forwarding mechanism differs by host operating system

Prerequisites (All Platforms)

Note: This guide is for local devcontainers running via Docker Desktop or Docker Engine. GitHub Codespaces uses different SSH forwarding mechanisms and is not covered here.

IDE Compatibility: While this guide references VS Code, it also applies to VS Code forks that support devcontainers, including Cursor and Windsurf.

  • 1Password desktop app installed
  • SSH key stored in 1Password
  • SSH key registered with your Git provider (GitHub, GitLab, etc.) as both:
    • Authentication key (for push/pull)
    • Signing key (for commit signing)
  • VS Code with Dev Containers extension
  • Docker Desktop (macOS/Windows) or Docker Engine (Linux)

macOS Setup (Docker Desktop)

Why macOS is Different

Docker Desktop on macOS runs containers inside a Linux VM. Unix sockets cannot be directly mounted from macOS into this VM. Docker Desktop provides a special "magic" socket at /run/host-services/ssh-auth.sock that forwards to whatever SSH_AUTH_SOCK is set to on your Mac.

The catch: Docker Desktop is launched by launchd, which doesn't inherit your shell environment. You must configure SSH_AUTH_SOCK globally.

Host Setup

1. Enable 1Password SSH Agent

  1. Open 1Password → Settings → Developer
  2. Check "Use the SSH agent"
  3. Optionally enable "Display key names when authorizing connections"

2. Create the Socket Symlink (Recommended)

1Password's actual socket path is unwieldy. Create a symlink:

mkdir -p ~/.1password
ln -sf "$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock" ~/.1password/agent.sock

3. Configure SSH_AUTH_SOCK Globally for launchd

This is the critical step that makes Docker Desktop work with 1Password:

launchctl setenv SSH_AUTH_SOCK "$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

Note: This must be run after every macOS restart, or you can add it to your login items. See 1Password's documentation for making it persistent.

4. Restart Docker Desktop

Quit Docker Desktop completely and reopen it. It will now pick up the SSH_AUTH_SOCK environment variable.

5. Verify Host Setup

# Should list your 1Password SSH keys
ssh-add -l

# Should also list your keys (proves Docker can see them)
docker run --rm -it \
  -v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock \
  -e SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock \
  alpine:latest sh -c "apk add --no-cache openssh-client && ssh-add -l"

Devcontainer Configuration (macOS)

devcontainer.json

{
  "name": "Your Project",
  "dockerComposeFile": "docker-compose.yml",
  "service": "app",
  "workspaceFolder": "/workspace",
  
  "mounts": [
    "source=/run/host-services/ssh-auth.sock,target=/run/host-services/ssh-auth.sock,type=bind"
  ],
  
  "remoteEnv": {
    "SSH_AUTH_SOCK": "/run/host-services/ssh-auth.sock"
  }
}

Alternative: docker-compose.yml

services:
  app:
    volumes:
      - /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock:ro
    environment:
      - SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock

Linux Setup (Native Docker)

Why Linux is Easier

On Linux with native Docker (not Docker Desktop), you can directly mount Unix sockets from the host into containers.

Host Setup

1. Enable 1Password SSH Agent

  1. Open 1Password → Settings → Developer
  2. Check "Use the SSH agent"

2. Configure Your Shell

Add to ~/.bashrc or ~/.zshrc:

export SSH_AUTH_SOCK=~/.1password/agent.sock

Then reload:

source ~/.bashrc  # or ~/.zshrc

3. Verify Host Setup

# Should list your 1Password SSH keys
ssh-add -l

Devcontainer Configuration (Linux)

devcontainer.json

{
  "name": "Your Project",
  "dockerComposeFile": "docker-compose.yml",
  "service": "app",
  "workspaceFolder": "/workspace",
  
  "mounts": [
    "source=${localEnv:HOME}/.1password/agent.sock,target=/home/vscode/.1password/agent.sock,type=bind"
  ],
  
  "remoteEnv": {
    "SSH_AUTH_SOCK": "/home/vscode/.1password/agent.sock"
  }
}

Alternative: docker-compose.yml

services:
  app:
    volumes:
      - ${HOME}/.1password/agent.sock:/home/vscode/.1password/agent.sock:ro
    environment:
      - SSH_AUTH_SOCK=/home/vscode/.1password/agent.sock

Windows Setup (WSL2 + Docker Desktop)

Why Windows is Complex

1Password on Windows uses a Windows named pipe (\\.\pipe\openssh-ssh-agent), not a Unix socket. WSL2 and Docker containers need a Unix socket. You must bridge between them using npiperelay and socat.

Host Setup

1. Enable 1Password SSH Agent (Windows Side)

  1. Open 1Password → Settings → Developer
  2. Check "Use the SSH agent"
  3. Important: Disable the Windows OpenSSH Agent service to avoid conflicts:
    # Run in PowerShell as Administrator
    Stop-Service ssh-agent
    Set-Service ssh-agent -StartupType Disabled

2. Verify Windows Side

# In PowerShell (not WSL), should list your keys
ssh-add -l

3. Install npiperelay (Windows Side)

The npiperelay tool bridges Windows named pipes to WSL2. Install it using PowerShell:

# Run in PowerShell (as Administrator recommended)

# Create bin directory
mkdir $env:USERPROFILE\bin -Force

# Download and extract npiperelay
cd $env:USERPROFILE\bin
Invoke-WebRequest -Uri "https://github.com/jstarks/npiperelay/releases/download/v0.1.0/npiperelay_windows_amd64.zip" -OutFile "npiperelay.zip"
Expand-Archive npiperelay.zip -DestinationPath . -Force

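# Add to PATH permanently (append to the user-level PATH only, so the
# machine-level entries in $env:PATH are not copied into it)
$userPath = [Environment]::GetEnvironmentVariable("PATH", "User")
[Environment]::SetEnvironmentVariable("PATH", "$userPath;$env:USERPROFILE\bin", "User")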

# Verify installation
.\npiperelay.exe -h

Note: winget install jstarks.npiperelay and scoop install npiperelay may not work reliably. The manual download method above is recommended.

4. Install socat (WSL2 Side)

# In WSL2
sudo apt update && sudo apt install -y socat

5. Verify npiperelay is accessible from WSL2

Before configuring the bridge, verify WSL2 can access the Windows binary:

# Replace YOUR_WINDOWS_USERNAME with your actual Windows username
/mnt/c/Users/YOUR_WINDOWS_USERNAME/bin/npiperelay.exe -h

You should see the npiperelay help output.

6. Configure the SSH Agent Bridge

Add the following to your ~/.bashrc or ~/.zshrc:

# 1Password SSH Agent relay from Windows
# IMPORTANT: Replace YOUR_WINDOWS_USERNAME with your actual Windows username
export SSH_AUTH_SOCK="$HOME/.ssh/agent.sock"

if ! ss -a 2>/dev/null | grep -q "$SSH_AUTH_SOCK"; then
    rm -f "$SSH_AUTH_SOCK"
    (setsid socat UNIX-LISTEN:"$SSH_AUTH_SOCK",fork EXEC:"/mnt/c/Users/YOUR_WINDOWS_USERNAME/bin/npiperelay.exe -ei -s //./pipe/openssh-ssh-agent",nofork &) >/dev/null 2>&1
fi

Important: You must use the full path to npiperelay.exe (e.g., /mnt/c/Users/billb/bin/npiperelay.exe) because Windows executables are not in WSL2's PATH by default.

7. Verify WSL2 Setup

Open a new terminal (or run source ~/.zshrc / source ~/.bashrc), then:

# Should list your 1Password SSH keys
ssh-add -l

# Should authenticate successfully
ssh -T git@github.com

Alternative: Use systemd (if WSL has systemd enabled)

Create ~/.config/systemd/user/1password-ssh-agent.service:

[Unit]
Description=1Password SSH Agent Bridge

[Service]
Type=simple
ExecStartPre=/bin/rm -f %h/.ssh/agent.sock
ExecStart=/usr/bin/socat UNIX-LISTEN:%h/.ssh/agent.sock,fork EXEC:"/mnt/c/Users/YOUR_WINDOWS_USERNAME/bin/npiperelay.exe -ei -s //./pipe/openssh-ssh-agent",nofork
Restart=always

[Install]
WantedBy=default.target

Enable it:

systemctl --user daemon-reload
systemctl --user enable --now 1password-ssh-agent.service

Devcontainer Configuration (Windows/WSL2)

The socket is now available in WSL2 at ~/.ssh/agent.sock.

devcontainer.json

{
  "name": "Your Project",
  "dockerComposeFile": "docker-compose.yml",
  "service": "app",
  "workspaceFolder": "/workspace",

  "mounts": [
    "source=${localEnv:HOME}/.ssh/agent.sock,target=/home/vscode/.ssh/agent.sock,type=bind"
  ],

  "remoteEnv": {
    "SSH_AUTH_SOCK": "/home/vscode/.ssh/agent.sock"
  }
}

Git Configuration (All Platforms)

Inside the Devcontainer

After the container starts, configure Git for SSH signing:

# Get your public key from the agent
SIGNING_KEY=$(ssh-add -L | head -1)

# Configure git
git config --global gpg.format ssh
git config --global user.signingkey "$SIGNING_KEY"
git config --global commit.gpgsign true
git config --global tag.gpgsign true

Important: Remove op-ssh-sign from .gitconfig

If you previously configured 1Password on the host, your ~/.gitconfig may contain:

[gpg "ssh"]
    program = "/path/to/op-ssh-sign"

Remove or comment out this section. The op-ssh-sign binary doesn't exist inside the container, and it's not needed when using agent forwarding.


Verification

After rebuilding your devcontainer, verify everything works:

# 1. Check agent has keys
ssh-add -l
# Expected: Lists your SSH key(s)

# 2. Test SSH connection to GitHub
ssh -T git@github.com
# Expected: "Hi username! You've successfully authenticated..."
# 1Password should prompt you to authorize

# 3. Check git config
git config --get gpg.format
# Expected: ssh

git config --get user.signingkey
# Expected: Your public key

# 4. Test a signed commit
git commit --allow-empty -m "test: verify SSH signing"
git log --show-signature -1
# Expected: Shows "Good signature"
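
Git verifies SSH signatures against the file named by gpg.ssh.allowedSignersFile, and `ssh-add -L | head -1` takes whichever key the agent happens to list first. The following is an added example, not part of the original gist: it selects the key by its comment and builds both the user.signingkey value and the allowed-signers entry. The function names, the sample keys and the you@example.com principal are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the gist): choose the signing key by its comment
# and derive the Git settings from it. Function names are illustrative.

# Constructed sample of `ssh-add -L` output; the key bodies are fake.
SAMPLE_AGENT_KEYS='ssh-rsa AAAAB3NzaC1yc2EXAMPLEAUTH Personal Auth Key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLESIGN Git Signing Key'

# pick_key COMMENT: read `ssh-add -L` output on stdin and print the first
# public-key line whose comment contains COMMENT (first key if COMMENT is empty).
# Non-key lines such as "The agent has no identities." are ignored.
pick_key() {
    awk -v want="$1" '
        $1 ~ /^(ssh-|ecdsa-|sk-)/ && NF >= 2 {
            comment = ""
            for (i = 3; i <= NF; i++) comment = comment (i > 3 ? " " : "") $i
            if (want == "" || index(comment, want) > 0) { print; exit }
        }'
}

# key_material KEYLINE: "<type> <base64>" with the comment stripped.
key_material() {
    printf '%s\n' "$1" | awk '{ print $1, $2 }'
}

# signingkey_value KEYLINE: literal-key ("key::") form for user.signingkey.
signingkey_value() {
    printf 'key::%s\n' "$(key_material "$1")"
}

# allowed_signers_line PRINCIPAL KEYLINE: entry for gpg.ssh.allowedSignersFile,
# limited to the "git" signature namespace.
allowed_signers_line() {
    printf '%s namespaces="git" %s\n' "$1" "$(key_material "$2")"
}

# configure_signing PRINCIPAL [COMMENT]: apply the settings in the container.
# Needs a reachable agent; PRINCIPAL is normally your commit e-mail address.
configure_signing() {
    key=$(ssh-add -L 2>/dev/null | pick_key "${2:-}")
    if [ -z "$key" ]; then
        echo "no matching key in agent" >&2
        return 1
    fi
    signers="$HOME/.ssh/allowed_signers"
    mkdir -p "$HOME/.ssh"
    entry=$(allowed_signers_line "$1" "$key")
    # Append the entry only once so repeated runs stay idempotent
    grep -qxF "$entry" "$signers" 2>/dev/null || printf '%s\n' "$entry" >> "$signers"
    git config --global gpg.format ssh
    git config --global user.signingkey "$(signingkey_value "$key")"
    git config --global gpg.ssh.allowedSignersFile "$signers"
    git config --global commit.gpgsign true
    git config --global tag.gpgsign true
}

# Dry run on the constructed sample; inside a devcontainer call e.g.
#   configure_signing you@example.com "Signing"
demo_key=$(printf '%s\n' "$SAMPLE_AGENT_KEYS" | pick_key "Signing")
signingkey_value "$demo_key"
allowed_signers_line "you@example.com" "$demo_key"
```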

Troubleshooting

"The agent has no identities"

  • All platforms: Make sure 1Password is unlocked
  • All platforms: Check that your SSH key is enabled for the agent in 1Password (Key settings → "Use for SSH agent")
  • macOS: Did you run launchctl setenv? Did you restart Docker Desktop afterward?
  • Windows: Is the Windows OpenSSH Agent service disabled? (It conflicts with 1Password)

"Error connecting to agent: Connection refused" or "communication with agent failed"

  • macOS: The direct socket mount doesn't work. Use /run/host-services/ssh-auth.sock instead
  • Windows: The npiperelay bridge may not be running. Check with ps aux | grep socat
  • Windows: Verify npiperelay.exe path is correct: /mnt/c/Users/YOUR_USERNAME/bin/npiperelay.exe -h
  • Windows: Make sure you're using the full path to npiperelay.exe in your shell config (not just npiperelay.exe)
  • Linux: Check socket permissions: ls -la ~/.1password/agent.sock

"No such file or directory" for agent socket

  • Rebuild the devcontainer after adding the mount configuration
  • macOS: Make sure you're mounting /run/host-services/ssh-auth.sock, not the 1Password socket directly

Git commit fails with "cannot run op-ssh-sign"

Your .gitconfig has the [gpg "ssh"] program setting. Remove it — it's not needed with agent forwarding and the binary doesn't exist in the container.

1Password doesn't prompt for authorization

  • Check that "Require approval for each new application" is enabled in 1Password SSH agent settings
  • Try locking and unlocking 1Password

Cross-Platform devcontainer.json (Advanced)

If your team uses multiple operating systems, you can try mounting multiple socket paths. The ones that don't exist will fail silently, and you can detect which one works at runtime:

{
  "mounts": [
    "source=/run/host-services/ssh-auth.sock,target=/run/host-services/ssh-auth.sock,type=bind",
    "source=${localEnv:HOME}/.1password/agent.sock,target=/home/vscode/.1password/agent.sock,type=bind",
    "source=${localEnv:HOME}/.ssh/agent.sock,target=/home/vscode/.ssh/agent.sock,type=bind"
  ],

  "postStartCommand": ".devcontainer/setup-ssh-agent.sh"
}

Then use a setup script that checks all locations:

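#!/bin/bash
# setup-ssh-agent.sh

if [ -S "/run/host-services/ssh-auth.sock" ]; then
    # macOS with Docker Desktop
    export SSH_AUTH_SOCK="/run/host-services/ssh-auth.sock"
elif [ -S "/home/vscode/.1password/agent.sock" ]; then
    # Linux native Docker
    export SSH_AUTH_SOCK="/home/vscode/.1password/agent.sock"
elif [ -S "/home/vscode/.ssh/agent.sock" ]; then
    # Windows/WSL2
    export SSH_AUTH_SOCK="/home/vscode/.ssh/agent.sock"
fi

# Write to profile for future shells. Skip the write when no socket was
# detected (an empty value would clobber SSH_AUTH_SOCK in every new shell),
# and don't append a duplicate line on each container start.
line="export SSH_AUTH_SOCK=\"$SSH_AUTH_SOCK\""
if [ -n "$SSH_AUTH_SOCK" ] && ! grep -qxF "$line" ~/.bashrc 2>/dev/null; then
    echo "$line" >> ~/.bashrc
fi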

Note: This approach may produce mount warnings on some platforms. Test thoroughly with your team.


References


Contributing

Found an issue or have an improvement? This guide is maintained as a Gist. Please leave a comment or suggest edits!


Last updated: January 2026

MIT License

Copyright (c) 2026 Bill Barnett

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

#!/bin/bash
# shellcheck shell=bash
# Setup SSH agent for 1Password in devcontainer
# Supports macOS (Docker Desktop), Linux (native Docker), and Windows (WSL2)

set -e

# Script version
SCRIPT_VERSION="1.0.0"

# Show usage information
show_help() {
    cat << EOF
Usage: $(basename "$0") [OPTIONS]

Setup SSH agent for 1Password in devcontainers.

Detects and configures the appropriate SSH agent socket for macOS (Docker Desktop),
Linux (native Docker), and Windows (WSL2).

OPTIONS:
    -h, --help       Show this help message and exit
    -v, --version    Show version information and exit

ENVIRONMENT:
    SSH_AUTH_SOCK    Will be set to the detected socket path
    HOME             Used to determine user home directory

EXAMPLES:
    $(basename "$0")              # Run setup
    source ~/.ssh-agent-env       # Load the configured SSH_AUTH_SOCK

For more information, see: https://github.com/agilous/1password-ssh-devcontainer-guide
EOF
}

# Show version
show_version() {
    echo "setup-ssh-agent.sh version $SCRIPT_VERSION"
}

# Parse command line arguments
parse_args() {
    while [[ $# -gt 0 ]]; do
        case "$1" in
            -h|--help)
                show_help
                exit 0
                ;;
            -v|--version)
                show_version
                exit 0
                ;;
            *)
                echo "Unknown option: $1" >&2
                echo "Use --help for usage information." >&2
                exit 1
                ;;
        esac
        shift
    done
}

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

log_info() { echo -e "${GREEN}[INFO]${NC} $1"; }
log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
log_error() { echo -e "${RED}[ERROR]${NC} $1"; }

# Portable stat function for getting file permissions
# Returns octal permissions (e.g., 644, 755)
get_file_perms() {
    local file="$1"
    if [[ "$(uname -s)" == "Darwin" ]]; then
        stat -f '%Lp' "$file" 2>/dev/null
    else
        stat -c '%a' "$file" 2>/dev/null
    fi
}

# Portable stat function for getting file group
get_file_group() {
    local file="$1"
    if [[ "$(uname -s)" == "Darwin" ]]; then
        stat -f '%Sg' "$file" 2>/dev/null
    else
        stat -c '%G' "$file" 2>/dev/null
    fi
}

# Get current username
get_current_user() {
    whoami
}

# Possible SSH agent socket locations (checked in order of priority)
#
# 1. Docker Desktop magic socket (macOS + Docker Desktop)
#    This is the ONLY method that works on macOS with Docker Desktop.
#    Direct socket mounts fail because Docker runs in a VM.
DOCKER_DESKTOP_SOCK="/run/host-services/ssh-auth.sock"

# 2. Direct mount from host - Linux native Docker
#    These work when the host socket is directly mounted into the container.
#    Note: We use $HOME instead of hardcoded /home/vscode to support any user
ONEPASSWORD_SOCK="${HOME}/.1password/agent.sock"

# 3. Direct mount from host - Windows/WSL2
#    Windows uses a different socket path via npiperelay bridge
WSL2_SSH_SOCK="${HOME}/.ssh/agent.sock"

# 4. VS Code's forwarded SSH agent (fallback)
#    VS Code sometimes creates its own forwarded socket.
VSCODE_SSH_SOCK=$(ls /tmp/vscode-ssh-auth-*.sock 2>/dev/null | head -1)

setup_ssh_agent() {
    # Check for Docker Desktop magic socket (macOS with Docker Desktop)
    # This must be checked FIRST because on macOS, the direct mount paths
    # may appear to exist but won't actually work.
    if [ -S "$DOCKER_DESKTOP_SOCK" ]; then
        export SSH_AUTH_SOCK="$DOCKER_DESKTOP_SOCK"
        log_info "Using Docker Desktop SSH agent forwarding at $DOCKER_DESKTOP_SOCK"
    # Check for 1Password socket (mounted from host - Linux native Docker)
    elif [ -S "$ONEPASSWORD_SOCK" ]; then
        export SSH_AUTH_SOCK="$ONEPASSWORD_SOCK"
        log_info "Using 1Password SSH agent at $ONEPASSWORD_SOCK"
    # Check for WSL2 socket (mounted from host - Windows/WSL2)
    elif [ -S "$WSL2_SSH_SOCK" ]; then
        export SSH_AUTH_SOCK="$WSL2_SSH_SOCK"
        log_info "Using WSL2 SSH agent bridge at $WSL2_SSH_SOCK"
    # Fallback to VS Code's forwarded agent
    elif [ -S "$VSCODE_SSH_SOCK" ]; then
        export SSH_AUTH_SOCK="$VSCODE_SSH_SOCK"
        log_warn "1Password socket not found, using VS Code SSH agent forwarding"
        log_warn "For 1Password support, ensure your host SSH_AUTH_SOCK points to 1Password"
    else
        log_error "No SSH agent socket found!"
        log_error ""
        log_error "To use 1Password SSH agent, configure your host machine:"
        log_error ""
        log_error " macOS (Docker Desktop):"
        log_error " 1. Enable SSH agent in 1Password Settings > Developer"
        log_error " 2. Run: launchctl setenv SSH_AUTH_SOCK \"\$HOME/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock\""
        log_error " 3. Restart Docker Desktop"
        log_error " 4. Rebuild the devcontainer"
        log_error ""
        log_error " Linux (native Docker):"
        log_error " 1. Enable SSH agent in 1Password Settings > Developer"
        log_error " 2. Add to ~/.bashrc or ~/.zshrc:"
        log_error " export SSH_AUTH_SOCK=~/.1password/agent.sock"
        log_error " 3. Rebuild the devcontainer"
        log_error ""
        log_error " Windows (WSL2):"
        log_error " 1. Enable SSH agent in 1Password Settings > Developer"
        log_error " 2. Install npiperelay on Windows:"
        log_error " - Download from https://github.com/jstarks/npiperelay/releases"
        log_error " - Extract to C:\\Users\\USERNAME\\bin\\"
        log_error " 3. Install socat in WSL: sudo apt install socat"
        log_error " 4. Add to ~/.bashrc or ~/.zshrc:"
        log_error " export SSH_AUTH_SOCK=\"\$HOME/.ssh/agent.sock\""
        log_error " if ! ss -a 2>/dev/null | grep -q \"\$SSH_AUTH_SOCK\"; then"
        log_error " rm -f \"\$SSH_AUTH_SOCK\""
        log_error " (setsid socat UNIX-LISTEN:\"\$SSH_AUTH_SOCK\",fork \\"
        log_error " EXEC:\"/mnt/c/Users/USERNAME/bin/npiperelay.exe -ei -s //./pipe/openssh-ssh-agent\",nofork &)"
        log_error " fi"
        log_error " 5. Use full path to npiperelay.exe (not just the filename)"
        return 1
    fi

    # Verify agent has identities
    if ssh-add -l &>/dev/null; then
        local key_count
        key_count=$(ssh-add -l | wc -l)
        log_info "SSH agent has $key_count key(s) available"

        # Configure git to use SSH signing if keys are available
        if command -v git &>/dev/null; then
            SIGNING_KEY=$(ssh-add -L 2>/dev/null | head -1)
            if [ -n "$SIGNING_KEY" ]; then
                git config --global gpg.format ssh
                git config --global user.signingkey "$SIGNING_KEY"
                git config --global commit.gpgsign true
                git config --global tag.gpgsign true
                log_info "Git configured for SSH commit signing"
            fi
        fi
    else
        log_warn "SSH agent is available but has no identities"
        log_warn "Make sure 1Password is unlocked and SSH keys are available"
    fi
}

# Write SSH_AUTH_SOCK to a file that can be sourced by shells
write_env_file() {
    local env_file="${HOME}/.ssh-agent-env"
    echo "export SSH_AUTH_SOCK=\"${SSH_AUTH_SOCK}\"" > "$env_file"
    log_info "SSH agent config written to $env_file"
    log_info "Add 'source ~/.ssh-agent-env' to your shell rc file if needed"
}

# Fix permissions for SSH agent socket access
fix_socket_permissions() {
    local current_user
    current_user=$(get_current_user)

    # Docker Desktop magic socket (macOS) - chmod directly since it's recreated on each Docker start
    # Note: mode 666 lets every user inside the container talk to the forwarded agent
    if [ -S "$DOCKER_DESKTOP_SOCK" ]; then
        local socket_perms
        socket_perms=$(get_file_perms "$DOCKER_DESKTOP_SOCK")
        if [ "$socket_perms" != "666" ] && [ "$socket_perms" != "777" ]; then
            log_info "Fixing permissions on Docker Desktop SSH socket..."
            sudo chmod 666 "$DOCKER_DESKTOP_SOCK" 2>/dev/null || {
                log_warn "Could not fix socket permissions. You may need to run:"
                log_warn " sudo chmod 666 $DOCKER_DESKTOP_SOCK"
            }
        fi
    fi

    # Direct socket mounts (Linux) - add user to root group
    # Note: root-group membership also grants access to every other
    # root-group-accessible file in the container, not just the socket
    if [ -S "$ONEPASSWORD_SOCK" ]; then
        # Check if socket is owned by root group and we're not in it
        local socket_group
        socket_group=$(get_file_group "$ONEPASSWORD_SOCK")
        if [ "$socket_group" = "root" ] && ! groups | grep -q '\broot\b'; then
            log_info "Adding $current_user to root group for 1Password socket access..."
            sudo usermod -aG root "$current_user" 2>/dev/null || true
            log_info "Group membership updated (takes effect in new terminal sessions)"
        fi
    fi

    # WSL2 socket mounts - add user to root group if needed
    if [ -S "$WSL2_SSH_SOCK" ]; then
        local socket_group
        socket_group=$(get_file_group "$WSL2_SSH_SOCK")
        if [ "$socket_group" = "root" ] && ! groups | grep -q '\broot\b'; then
            log_info "Adding $current_user to root group for WSL2 socket access..."
            sudo usermod -aG root "$current_user" 2>/dev/null || true
            log_info "Group membership updated (takes effect in new terminal sessions)"
        fi
    fi
}

# Main
main() {
    # Parse arguments first (handles --help, --version)
    parse_args "$@"

    log_info "Setting up SSH agent for devcontainer..."

    # Create .1password directory if it doesn't exist (for mount point)
    mkdir -p "${HOME}/.1password" 2>/dev/null || true

    fix_socket_permissions
    setup_ssh_agent
    write_env_file

    echo ""
    log_info "SSH agent setup complete!"
}

main "$@"