
v1.27.0: Daemon, Secret Scanning, and Config Defaults


@jdx jdx released this 18 Jun 01:26
d09712f

This release adds three pieces aimed at making fnox faster, safer, and easier to compose: an opt-in per-user daemon for cached secret resolution, a new fnox scan command for finding plaintext secrets before they leak, and ${VAR} interpolation for secret defaults. It also includes a small documentation pass and CI housekeeping.

Added

Per-user secret resolver daemon (#550) -- @jdx

fnox now has an opt-in daemon that keeps resolved secrets in memory for your user session and serves repeated read-oriented resolutions over a same-user Unix socket. It is intended for configs backed by remote providers such as 1Password, Bitwarden, AWS Secrets Manager, or Vault where repeated fnox get, fnox exec, shell hooks, TUI refreshes, or MCP calls can otherwise feel slow.

Enable it with a top-level config block:

[daemon]
enabled = true
idle_timeout = "8h"

New lifecycle commands are available under fnox daemon:

fnox daemon start
fnox daemon status
fnox daemon clear
fnox daemon stop

Implementation details worth knowing:

  • Daemon-backed resolution is used by read-oriented commands such as get, exec, export, hook-env, list --values, check, tui, mcp, and ci-redact.
  • Mutation and admin flows still resolve directly, including set, remove, sync, reencrypt, edit, provider, and lease create.
  • The cache is memory-only and is invalidated when relevant config files, profile settings, provider references, post-processing options, or provider environment variables change.
  • fnox check can connect through the daemon, but still bypasses cached values so it validates current provider state.
  • Use --no-daemon, FNOX_DAEMON=off, or daemon_cache = false on a provider or secret when you need direct resolution.
  • The daemon is Unix-first: it uses a Unix domain socket, strict runtime-directory permissions, and same-user peer verification rather than TCP.

fnox scan secret detection (#548) -- @jdx

fnox scan [DIR] is now implemented as a read-only repository scanner for common plaintext secrets. It walks the target tree with gitignore-aware traversal, skips common VCS/build/vendor directories and large or binary files, and reports high-signal patterns with redacted evidence.

Supported output modes include human-readable output, JSON, and quiet file-list output:

fnox scan
fnox scan --format json
fnox scan --quiet src
fnox scan --ignore 'fixtures/**'

For each finding the scanner reports the line and column, the detector name, a severity, and a redacted snippet. Findings produce a scan-specific non-zero exit status so the command can be used in automation.

Secret default interpolation (#549) -- @jdx

Secret default strings can now reference other secrets with ${SECRET_NAME} syntax. This makes fallback-only configs easier to compose without duplicating literals, for example when building a local connection URL from sibling defaults.

Provider-backed values still win over defaults, and interpolation only runs when the default value is actually used. Batch resolution now includes default references in dependency ordering, so composed defaults are resolved order-independently. fnox also reports config errors for undefined references, empty ${} placeholders, and interpolation cycles.
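As an added illustration of the rules above (example code written for these notes, not fnox's own implementation), the following Python resolver applies the same semantics: provider-backed values win, a default is interpolated only when it is the value actually in use, references are followed in dependency order regardless of declaration order, and undefined references, empty ${} placeholders, and cycles are reported as config errors. The config shape and sample secret names are constructed for the example.

```python
import re
from typing import Dict, Optional

PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")  # ${NAME}; an empty group catches "${}"


class ConfigError(Exception):
    """Undefined reference, empty ${} placeholder, or interpolation cycle."""


def resolve_defaults(secrets: Dict[str, dict], provider_values: Dict[str, str]) -> Dict[str, str]:
    """Provider-backed values win; a default is interpolated only when it is the
    value in use. References are followed recursively, so order does not matter."""
    resolved: Dict[str, str] = dict(provider_values)
    visiting: set = set()  # names on the current resolution path (cycle check)

    def resolve(name: str) -> str:
        if name in resolved:
            return resolved[name]
        if name in visiting:
            raise ConfigError(f"interpolation cycle involving {name}")
        default = secrets.get(name, {}).get("default")
        if default is None:
            raise ConfigError(f"undefined secret reference: {name}")
        visiting.add(name)

        def expand(m):
            ref = m.group(1).strip()
            if not ref:
                raise ConfigError(f"empty ${{}} placeholder in default of {name}")
            return resolve(ref)

        resolved[name] = PLACEHOLDER.sub(expand, default)
        visiting.discard(name)
        return resolved[name]

    for name in secrets:
        resolve(name)
    return resolved


def config_error(secrets: Dict[str, dict], provider_values: Dict[str, str]) -> Optional[str]:
    """Return the config error message, or None when everything resolves."""
    try:
        resolve_defaults(secrets, provider_values)
    except ConfigError as e:
        return str(e)
    return None


# Constructed sample config: a local connection URL composed from sibling defaults.
SAMPLE_SECRETS = {
    "DB_HOST": {"default": "localhost"}, "DB_PORT": {"default": "5432"},
    "DB_USER": {"default": "app"}, "DB_PASSWORD": {"default": "devpass"},
    "DATABASE_URL": {"default": "postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/app"},
}
```

Passing a provider value for DB_PASSWORD shows the precedence rule: the composed URL picks it up without the DB_PASSWORD default ever being interpolated.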

Documentation

  • Sponsor links (#543) -- @jdx: Documentation now links to the full sponsor list.
  • Contribution guidance (#545) -- @jdx: The contribution docs now clarify what kinds of changes are a good fit for the project.

Other Changes

  • Shared CodeRabbit config (#546) -- @jdx: CI now uses the shared repository review configuration.

Full Changelog: v1.26.0...v1.27.0

💚 Sponsor fnox

fnox is maintained by @jdx under en.dev — a small independent studio building developer tooling like mise, aube, hk, and more. Keeping fnox secure, maintained, and free is funded by sponsors.

If fnox is handling secrets or config for you or your team, please consider sponsoring at en.dev. Sponsorships are what let fnox stay independent and the project keep moving.