diff --git a/home/shell/fish.nix b/home/shell/fish.nix
index bd42982..9743bba 100644
--- a/home/shell/fish.nix
+++ b/home/shell/fish.nix
@@ -8,10 +8,10 @@ in
 # op:// references only — no real secrets, safe to commit
 # Kept outside ~/.config/op — that dir must be 700 and owned by op CLI
 xdg.configFile."op-env/env.tpl".text = ''
- AI_GATEWAY_BASE_URL={{ op://Private/AI Gateway API/URL }}
- AI_GATEWAY_API_KEY={{ op://Private/AI Gateway API/credential }}
- EXA_API_KEY={{ op://Private/Exa API/credential }}
- CONTEXT7_API_KEY={{ op://Private/Context7 API/credential }}
+ set -gx AI_GATEWAY_BASE_URL "{{ op://Developer/AI Gateway API/URL }}"
+ set -gx AI_GATEWAY_API_KEY "{{ op://Developer/AI Gateway API/credential }}"
+ set -gx EXA_API_KEY "{{ op://Developer/Exa API/credential }}"
+ set -gx CONTEXT7_API_KEY "{{ op://Developer/Context7 API/credential }}"
 '';
 programs.fish = {
@@ -49,7 +49,6 @@ in
 if set -q WSL_DISTRO_NAME
 alias pbcopy clip.exe
 alias pbpaste "powershell.exe -noprofile -c Get-Clipboard"
- alias op op.exe
 end
 # User-local overrides
@@ -58,19 +57,12 @@ in
 end
 # 1Password → env vars (single op call, silent on failure)
+ # Auth via OP_SERVICE_ACCOUNT_TOKEN (set it in ~/.config/fish/local.fish)
 function op-env --description "Load secrets from 1Password"
- if not type -q op; or not test -f ${envTpl}
+ if not type -q op; or not set -q OP_SERVICE_ACCOUNT_TOKEN; or not test -f ${envTpl}
 return 1
 end
- set -l output (op inject --in-file ${envTpl} 2>/dev/null)
- or return 1
- for line in $output
- string match -qr '^\s*(#|$)' -- $line; and continue
- set -l kv (string split -m 1 '=' $line)
- if test (count $kv) -ge 2
- set -gx $kv[1] $kv[2]
- end
- end
+ op inject --in-file ${envTpl} 2>/dev/null | source
 end
 op-env
 '';
diff --git a/modules/darwin/default.nix b/modules/darwin/default.nix
index b076e8d..fa15618 100644
--- a/modules/darwin/default.nix
+++ b/modules/darwin/default.nix
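Review bot: Secret values are now parsed as fish code instead of being assigned as data: the first fish.nix hunk wraps each `{{ op://… }}` reference in double quotes inside a `set -gx` line, and the third hunk pipes the rendered template into `source`. Inside double quotes fish still expands `$name` (and `$(…)` in recent releases) and treats `"` and `\` specially, so a credential containing those characters is altered, breaks the line, or runs as a command, and a multi-line value adds whole statements. The removed loop passed `$kv[2]` to `set -gx` verbatim and had no such exposure; keeping the `KEY={{ op://… }}` template with that loop and changing only the vault name would preserve it. If the `source` form stays, the header comment above the template should state the constraint, for example `# rendered output is evaluated by fish; values must not contain ", $ or \`.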
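Review bot: op-env no longer reports a failed inject in the third fish.nix hunk: with `op inject --in-file ${envTpl} 2>/dev/null | source` the function's status is that of `source`, which would normally succeed on empty input, whereas the removed code had `or return 1`. Adding `test $pipestatus[1] -eq 0; or return 1` after the pipeline would restore the failure status. The new comment also sends OP_SERVICE_ACCOUNT_TOKEN to ~/.config/fish/local.fish in plaintext; it should add that the file must be mode 600 and kept out of the repository, since the token can read whatever the service account is granted. The function body is fully inside the hunk, but the enclosing Nix string starts outside it.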
@@ -9,9 +9,6 @@ # ── Primary user (required by nix-darwin) ────────── system.primaryUser = username; - # ── 1Password CLI ─────────────────────────────────── - programs._1password.enable = true; - # ── User ─────────────────────────────────────────── users.knownUsers = [ username ]; users.users.${username} = { diff --git a/modules/shared/default.nix b/modules/shared/default.nix index 1b4f346..f7e2570 100644 --- a/modules/shared/default.nix +++ b/modules/shared/default.nix @@ -5,5 +5,6 @@ ]; programs.fish.enable = true; + programs._1password.enable = true; services.openssh.enable = true; }