diff --git a/dot_config/private_fish/functions/opx.fish b/dot_config/private_fish/functions/opx.fish
index cc9239641fd09ecfa4504b414635c4e42350ba2c..e7cf1ad1f5352d6912b3c6c2ceb9a8ce10f2b73d 100644
--- a/dot_config/private_fish/functions/opx.fish
+++ b/dot_config/private_fish/functions/opx.fish
@@ -1,21 +1,32 @@
 function opx --description "Run command with 1Password secret refs resolved"
-    set -l env_overrides
-    
+    set -l vars_to_resolve
+    set -l refs
+
     for var in (set --names -x)
         set -l value $$var
         if string match -q 'op://*' -- $value
-            set -l resolved (op read "$value" 2>/dev/null)
-            if test $status -ne 0
-                echo "opx: failed to resolve $var ($value)" >&2
-                return 1
-            end
-            set -a env_overrides "$var=$resolved"
+            set -a vars_to_resolve $var
+            set -a refs $value
         end
     end
-    
-    if test (count $env_overrides) -eq 0
+
+    if test (count $vars_to_resolve) -eq 0
         $argv
-    else
-        env $env_overrides $argv
+        return
     end
+
+    # Build template: VAR=op://ref (one per line)
+    set -l template_lines
+    for i in (seq (count $vars_to_resolve))
+        set -a template_lines "$vars_to_resolve[$i]=$refs[$i]"
+    end
+
+    # Single op call resolves everything
+    set -l resolved_lines (printf '%s\n' $template_lines | op inject 2>/dev/null)
+    if test $status -ne 0
+        echo "opx: failed to resolve secrets" >&2
+        return 1
+    end
+
+    env $resolved_lines $argv
 end