A focused release that hardens fnox's secret exposure model with an exec-only env mode, expands Proton Pass authentication for CI and agent use, and cleans up fnox export defaults.
Added
Exec-only env mode and top-level env default (#604) -- @jdx
The per-secret env field gains a new "exec" state, and a new top-level env sets the default for all secrets. This lets you keep secrets out of the interactive shell -- where AI coding agents and other inherited processes would see them -- while still injecting them into fnox exec subprocesses.
env |
shell integration / fnox export |
fnox exec |
fnox get |
|---|---|---|---|
true (default) |
yes | yes | yes |
"exec" (new) |
no | yes | yes |
false |
no | no | yes |
One line flips a project to default-deny:
env = "exec" # nothing enters the interactive shell
[secrets]
DATABASE_URL = { provider = "age", value = "..." } # exec-only (inherited)
PS1_TOKEN = { provider = "age", value = "...", env = true } # explicit opt-back-inPer-secret env overrides the top-level default, and the default rides normal config merge order so fnox.local.toml can tighten or loosen it per machine. Existing configs parse with identical semantics.
fnox doctor also warns when a shell-hiding top-level env is combined with an ambient FNOX_AGE_KEY in the environment, since that would undermine the whole posture. This eliminates ambient exposure but is not a hard boundary -- anything that can run commands in your shell can still call fnox get/fnox exec itself.
Proton Pass PAT and agent auth (#598) -- @TyceHerrman
The proton-pass provider now supports headless authentication via personal access tokens and audited agent access, so CI and scripted jobs no longer need an interactive pass-cli login --interactive.
export PROTON_PASS_PERSONAL_ACCESS_TOKEN="pst_token::key"
pass-cli loginNew provider config field:
[providers.protonpass]
type = "proton-pass"
vault = "Personal"
agent_reason = "fnox secret retrieval" # for audited agent accessfnox now passes through the full set of PROTON_PASS_* variables (PAT, agent reason, session dir, key provider, encryption key, Linux keyring) plus matching FNOX_PROTON_PASS_* aliases, and includes them in the daemon config fingerprint so cached values invalidate when auth env changes. Error messages point at the right knob when a session, key, or agent reason is missing.
Fixed
Daemon respects daemon_cache = false for default-provider secrets (#599) -- @TyceHerrman
The daemon's cache check only consulted a secret's explicit provider, so secrets that resolved through default_provider skipped the effective provider's daemon_cache setting. Cache decisions now use the effective provider in all paths (explicit provider, default_provider, and auto-selection), so opting out of daemon caching actually opts you out.
fnox export no longer leaks env = false secrets (#604) -- @jdx
fnox export previously resolved with include_env_false=true and never filtered on env, so secrets marked "only accessible via fnox get" were still included in export output -- and picked up by tools like mise-env-fnox that consume fnox export --format json. Export now follows the same shell semantics as hook-env. Pass --all for the full dump when you want it explicitly.
Changed
fnox export omits the metadata header by default (#603) -- @jdx
The env and shell export formats no longer emit the # Exported from profile: ... / # Total secrets: ... comment block by default -- output is now clean assignment lines only, easier to source or feed into other tooling. Pass --header to restore the previous behavior:
fnox export --format env --headerJSON, YAML, and TOML output are unchanged.
Redesigned logo (#595) -- @jdx
New fox-in-keyhole mark matching the fnox.jdx.dev site theme.
Full Changelog: v1.29.0...v1.30.0
💚 Sponsor fnox
fnox is maintained by @jdx, an open source developer for entire.io, the title sponsor of the jdx.dev open source tools including mise, aube, hk, and more. Keeping fnox secure, maintained, and free is funded by sponsors.
If fnox is handling secrets or config for you or your team, please consider sponsoring at jdx.dev. Sponsorships are what let fnox stay independent and the project keep moving.