fnox 1.23.0

A flexible secret management tool supporting multiple providers and encryption methods
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145

use super::{ActivateOptions, Shell};
use std::fmt;

pub struct Nushell;

impl Shell for Nushell {
    fn activate(&self, opts: ActivateOptions) -> String {
        let mut out = String::new();
        let exe = opts.exe.to_string_lossy().replace('\\', "/");

        out.push_str("$env.FNOX_SHELL = \"nu\"\n");

        // Helper: apply JSON from fnox hook-env / deactivate in the current shell.
        // Handles {"set": {...}, "unset": [...]} structured output.
        out.push_str(
            r#"
def --env _fnox_apply [json: string] {
    let changes = ($json | from json)
    if "set" in $changes and ($changes.set | is-not-empty) {
        $changes.set | load-env
    }
    if "unset" in $changes and ($changes.unset | is-not-empty) {
        for $var in $changes.unset {
            hide-env -i $var
        }
    }
}
"#,
        );

        // Wrapper function: most subcommands just call the binary directly.
        // `deactivate` and `shell` need to modify the current shell's environment,
        // so the binary outputs JSON that _fnox_apply interprets.
        out.push_str(&format!(
            r#"
def --env --wrapped fnox [...rest] {{
    let command = ($rest | first | default "")
    match $command {{
        "deactivate" => {{
            let result = (do -i {{ ^"{exe}" $command ...($rest | skip 1) }} | complete)
            if ($result.stderr | str trim | is-not-empty) {{
                print -e $result.stderr
            }}
            if $result.exit_code == 0 and ($result.stdout | str trim | is-not-empty) {{
                _fnox_apply $result.stdout
            }}
            if $command == "deactivate" {{
                $env.config = ($env.config | upsert hooks.pre_prompt ($env.config.hooks.pre_prompt? | default [] | where {{ ($in | describe) != "closure" or (view source $in) !~ "_fnox_hook" }}))
                hide-env -i FNOX_SHELL
                hide-env -i __FNOX_SESSION
            }}
        }}
        _ => {{ ^"{exe}" ...$rest }}
    }}
}}
"#,
        ));

        // --no-hook-env: skip registering the prompt hook (used by tests to
        // verify the activation output in isolation).
        if !opts.no_hook_env {
            out.push_str(&format!(
                r#"
def --env _fnox_hook [] {{
    let result = (do -i {{ ^"{exe}" hook-env -s nu }} | complete)
    if ($result.stderr | str trim | is-not-empty) {{
        print -e $result.stderr
    }}
    if $result.exit_code == 0 and ($result.stdout | str trim | is-not-empty) {{
        _fnox_apply $result.stdout
    }}
}}
"#,
            ));

            // Only hook pre_prompt — it fires after every cd anyway (prompt is
            // redrawn), so a separate env_change.PWD hook would just cause a
            // redundant process spawn that early-exit optimises away.
            out.push_str(
                r#"
$env.config = ($env.config | upsert hooks.pre_prompt ($env.config.hooks.pre_prompt? | default [] | append {|| _fnox_hook }))
"#,
            );

            out.push_str("_fnox_hook\n");
        }

        out
    }

    fn deactivate(&self) -> String {
        // Nushell has no eval — deactivation is handled by deactivate_output()
        // producing JSON, and the wrapper function cleaning up hooks/env inline.
        unimplemented!("Nushell uses deactivate_output() instead")
    }

    fn set_env(&self, _key: &str, _value: &str) -> String {
        // Nushell has no eval — hook_env_output() produces JSON directly.
        unimplemented!("Nushell uses hook_env_output() instead")
    }

    fn unset_env(&self, _key: &str) -> String {
        // Nushell has no eval — hook_env_output() produces JSON directly.
        unimplemented!("Nushell uses hook_env_output() instead")
    }

    fn hook_env_output(
        &self,
        added: &[(String, String)],
        removed: &[String],
        session_encoded: &str,
    ) -> String {
        let mut set_map = serde_json::Map::new();
        for (key, value) in added {
            set_map.insert(key.clone(), serde_json::Value::String(value.clone()));
        }
        set_map.insert(
            "__FNOX_SESSION".to_string(),
            serde_json::Value::String(session_encoded.to_string()),
        );
        let unset_list: Vec<serde_json::Value> = removed
            .iter()
            .map(|k| serde_json::Value::String(k.clone()))
            .collect();
        serde_json::json!({"set": set_map, "unset": unset_list}).to_string()
    }

    fn deactivate_output(&self, secret_keys: &[String]) -> String {
        // Output JSON that the wrapper's _fnox_apply can parse.
        // Hook removal and FNOX_SHELL/SESSION cleanup are handled
        // inline by the wrapper function after applying this output.
        let mut unset_keys: Vec<serde_json::Value> = secret_keys
            .iter()
            .map(|k| serde_json::Value::String(k.clone()))
            .collect();
        unset_keys.push(serde_json::Value::String("__FNOX_SESSION".to_string()));
        serde_json::json!({"set": {}, "unset": unset_keys}).to_string()
    }
}

impl fmt::Display for Nushell {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "nu")
    }
}