Forum Discussion
Former Member
4 years ago
Suggestion: Allow SSH Keys in any vault, choose which ones to export
I have typical (I guess) vaults for personal use and for work use - and extra vaults in linked accounts. All of these may contain SSH Keys that I may want to use.
Needing to have SSH Keys in my ...
Former Member
3 years ago
Supporting multiple, isolated agents is a requirement for me. Forwarded agents are open to everyone that has access to the agent socket on the remote hosts.
If I have in my agent keys for foo.com and bar.com and I ssh to baz.bar.com with agent forwarding on, anyone with root on baz.bar.com would be able to hijack my agent and ssh to hosts in foo.com.
I handle this by having multiple agents and ensuring keys are only loaded in domain specific agents and thus only forward keys that apply to that company's hosts.
1Password's implementation of ssh agents is limited to a single agent that has all the keys loaded in it. IdentityFile/IdentitiesOnly only ensures that the right key is used for auth, but nothing on which keys are actually able to be used on the remote host.
Per vault would be nice, but I could set up a collection of only one vault if they were exposed only via the collection level.
And SSH_AUTH_SOCK would still work just fine, you'd be able to do SSH_AUTH_SOCK="$HOME/Library/Group Containers/XXXXXXXXXX.1password/t/agent-collection-work.sock" /usr/bin/foobar just fine.
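
The per-domain agent setup described in the post above, sketched with stock OpenSSH as an added example (not the poster's scripts and not a 1Password feature). `AGENT_DIR`, the function names and the key paths are assumptions; `IdentityAgent` and a socket path as the `ForwardAgent` value are standard ssh_config options in recent OpenSSH releases.

```shell
#!/bin/sh
# Added example: one ssh-agent per trust domain, so a forwarded agent
# exposes only that domain's keys to root on the remote host.
# AGENT_DIR and all function names are hypothetical.
AGENT_DIR="${AGENT_DIR:-$HOME/.ssh/agents}"

# Socket path of the agent dedicated to one domain, e.g. bar.com.
agent_sock() {
    printf '%s/%s.sock\n' "$AGENT_DIR" "$1"
}

# Start the domain's agent if its socket is not answering,
# then load only the keys passed as arguments.
start_agent() {
    domain=$1; shift
    sock=$(agent_sock "$domain")
    mkdir -p "$AGENT_DIR" && chmod 700 "$AGENT_DIR" || return 1
    rc=0
    SSH_AUTH_SOCK=$sock ssh-add -l >/dev/null 2>&1 || rc=$?
    # ssh-add exits 2 when no agent can be contacted on the socket.
    if [ "$rc" -eq 2 ]; then
        rm -f "$sock"
        ssh-agent -a "$sock" >/dev/null || return 1
    fi
    for key in "$@"; do
        SSH_AUTH_SOCK=$sock ssh-add "$key" || return 1
    done
}

# Emit an ssh_config stanza that authenticates with, and forwards,
# only the domain's own agent. The path is quoted so sockets under
# directories with spaces still parse.
ssh_config_stanza() {
    sock=$(agent_sock "$1")
    cat <<EOF
Host $1 *.$1
    IdentityAgent "$sock"
    ForwardAgent "$sock"
EOF
}

# Usage (key paths are placeholders):
#   start_agent bar.com ~/.ssh/id_bar
#   start_agent foo.com ~/.ssh/id_foo
#   ssh_config_stanza bar.com >> ~/.ssh/config
```

With this layout, root on baz.bar.com can reach only the bar.com agent's socket through the forwarded connection, so the foo.com keys are never available for signing on that host.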