Skip to content

v1.30.0: Paranoid env mode and Proton Pass PAT auth

Latest

Choose a tag to compare

@mise-en-dev mise-en-dev released this 09 Jul 21:53
Immutable release. Only release title and notes can be modified.
bec836c

A focused release that hardens fnox's secret exposure model with an exec-only env mode, expands Proton Pass authentication for CI and agent use, and cleans up fnox export defaults.

Added

Exec-only env mode and top-level env default (#604) -- @jdx

The per-secret env field gains a new "exec" state, and a new top-level env sets the default for all secrets. This lets you keep secrets out of the interactive shell -- where AI coding agents and other inherited processes would see them -- while still injecting them into fnox exec subprocesses.

env shell integration / fnox export fnox exec fnox get
true (default) yes yes yes
"exec" (new) no yes yes
false no no yes

One line flips a project to default-deny:

env = "exec"   # nothing enters the interactive shell

[secrets]
DATABASE_URL = { provider = "age", value = "..." }               # exec-only (inherited)
PS1_TOKEN    = { provider = "age", value = "...", env = true }   # explicit opt-back-in

Per-secret env overrides the top-level default, and the default rides normal config merge order so fnox.local.toml can tighten or loosen it per machine. Existing configs parse with identical semantics.

fnox doctor also warns when a shell-hiding top-level env is combined with an ambient FNOX_AGE_KEY in the environment, since that would undermine the whole posture. This eliminates ambient exposure but is not a hard boundary -- anything that can run commands in your shell can still call fnox get/fnox exec itself.

Proton Pass PAT and agent auth (#598) -- @TyceHerrman

The proton-pass provider now supports headless authentication via personal access tokens and audited agent access, so CI and scripted jobs no longer need an interactive pass-cli login --interactive.

export PROTON_PASS_PERSONAL_ACCESS_TOKEN="pst_token::key"
pass-cli login

New provider config field:

[providers.protonpass]
type = "proton-pass"
vault = "Personal"
agent_reason = "fnox secret retrieval"   # for audited agent access

fnox now passes through the full set of PROTON_PASS_* variables (PAT, agent reason, session dir, key provider, encryption key, Linux keyring) plus matching FNOX_PROTON_PASS_* aliases, and includes them in the daemon config fingerprint so cached values invalidate when auth env changes. Error messages point at the right knob when a session, key, or agent reason is missing.

Fixed

Daemon respects daemon_cache = false for default-provider secrets (#599) -- @TyceHerrman

The daemon's cache check only consulted a secret's explicit provider, so secrets that resolved through default_provider skipped the effective provider's daemon_cache setting. Cache decisions now use the effective provider in all paths (explicit provider, default_provider, and auto-selection), so opting out of daemon caching actually opts you out.

fnox export no longer leaks env = false secrets (#604) -- @jdx

fnox export previously resolved with include_env_false=true and never filtered on env, so secrets marked "only accessible via fnox get" were still included in export output -- and picked up by tools like mise-env-fnox that consume fnox export --format json. Export now follows the same shell semantics as hook-env. Pass --all for the full dump when you want it explicitly.

Changed

fnox export omits the metadata header by default (#603) -- @jdx

The env and shell export formats no longer emit the # Exported from profile: ... / # Total secrets: ... comment block by default -- output is now clean assignment lines only, easier to source or feed into other tooling. Pass --header to restore the previous behavior:

fnox export --format env --header

JSON, YAML, and TOML output are unchanged.

Redesigned logo (#595) -- @jdx

New fox-in-keyhole mark matching the fnox.jdx.dev site theme.

Full Changelog: v1.29.0...v1.30.0

💚 Sponsor fnox

fnox is maintained by @jdx, an open source developer for entire.io, the title sponsor of the jdx.dev open source tools including mise, aube, hk, and more. Keeping fnox secure, maintained, and free is funded by sponsors.

If fnox is handling secrets or config for you or your team, please consider sponsoring at jdx.dev. Sponsorships are what let fnox stay independent and the project keep moving.