fnox 0.1.0

A flexible secret management tool supporting multiple providers and encryption methods
# Example fnox configuration file
#
# This file demonstrates the various features of fnox:
# - Multiple environments (default, staging, production)
# - Different secret sources (encrypted, provider, default, env var)
# - Per-secret metadata (description, if_missing behavior)
# - Provider configuration
# - Configuration imports and merging

# Optional: Import other configuration files
# As written the array is empty: both example paths are commented out.
# NOTE(review): imported files are presumably merged with this one and can define
# providers and secrets of their own — confirm. List only paths whose write access
# is as tightly controlled as this file's; a shared or world-writable path would
# let another user change where secrets are fetched from.
import = [
    # "../shared-config.toml",
    # "/etc/fnox/global.toml"
]

# Optional: Stop parent directory search at this level, so that fnox.toml files
# in directories above this one are not loaded
# root = true

# Optional: Configure encryption
# Generate a key with: age-keygen -o ~/.config/fnox/age.txt
# Copy the public key (age1...) to the recipients list below
# The file written by age-keygen contains the private key: keep it out of version
# control and readable only by its owner. Only the age1... public key belongs in
# this file.
[encryption]
key_type = "age"
# Public keys that secret values are encrypted to; a recipient string is not
# sensitive and can be committed. Dropping a recipient later does not protect
# values that were already encrypted to it, so rotate those secrets as well.
recipients = [
    "age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"
]

# Optional: Configure secret providers
# Each [providers.<name>] table defines one provider; a secret selects it by
# <name> through its `provider` field (see STRIPE_KEY in [secrets]).
[providers.onepass]
type = "1password"
# 1Password vault that lookups go to. This single "Development" vault is also
# referenced by the staging and production profiles (NPM_TOKEN); a separate
# vault per environment would keep production items out of reach of development
# credentials.
vault = "Development"

# Referenced by both the staging and the production profile in this file, so
# presumably the same AWS credentials read both environments' secrets. Defining
# one provider per environment, each with an IAM policy scoped to its own key
# prefix, would limit what a staging credential can reach.
[providers.aws_prod]
type = "aws"
region = "us-east-1"
# NOTE(review): presumably prepended to each secret's `key`
# (e.g. "myapp/" + "prod/database-url") — confirm against the provider docs.
prefix = "myapp/"

# Not referenced by any secret in this file.
[providers.vault_dev]
type = "vault"
# Plain http is only reasonable for a Vault dev server on loopback, as here.
# Use an https:// address for any remote Vault so that tokens and secret values
# are not sent in cleartext.
address = "http://localhost:8200"
path = "secret/myapp"

# Default profile secrets (top level)
# Used when --profile is not specified or FNOX_PROFILE is not set
# Each entry is an inline table; the fields used in this file are description,
# if_missing, encrypted, default, provider and key.
[secrets]

# Example: Encrypted secret
# This will be automatically encrypted when you run: fnox set DATABASE_URL <value>
# The value below is a truncated placeholder (note the trailing "..."), not a
# usable ciphertext; its visible prefix is the base64 encoding of the age header
# "age-encryption.org/v1".
# NOTE(review): if_missing = "error" presumably aborts when the secret cannot be
# resolved — confirm against the fnox documentation.
DATABASE_URL = { description = "Database connection string", if_missing = "error", encrypted = "YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0..." }

# Example: Secret fetched from current environment variable
# If NPM_TOKEN is set in the environment, it will be used
# Otherwise, a warning will be shown (if_missing = "warn")
# No value is stored in this file for this entry; only metadata is.
NPM_TOKEN = { description = "NPM registry authentication token", if_missing = "warn" }

# Example: Secret with a default value
# If NODE_ENV is not set in the environment, "development" will be used
# A `default` is stored in this file in plaintext, so use it only for
# non-sensitive settings.
NODE_ENV = { default = "development" }

# Example: Simple encrypted secret (no metadata)
# Same truncated placeholder as DATABASE_URL above.
API_KEY = { encrypted = "YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0..." }

# Example: Secret with provider reference
# This will be fetched from the 1Password vault at runtime
# `provider` names the [providers.onepass] table; `key` presumably names the
# item to look up inside that provider — confirm.
STRIPE_KEY = { description = "Stripe API key", provider = "onepass", key = "stripe-dev-key", if_missing = "warn" }

# Staging profile
# Use with: fnox exec --profile staging -- <command>
# Or set: export FNOX_PROFILE=staging
# NOTE(review): how these entries combine with the top-level [secrets] table
# (override vs. replace) is not shown in this file — confirm.
[profiles.staging.secrets]

# Fetch from AWS Secrets Manager
# The provider is named aws_prod although this is the staging profile: staging
# and production share one provider definition in this example.
DATABASE_URL = { description = "Staging database connection", provider = "aws_prod", key = "staging/database-url", if_missing = "error" }

# Fetch from 1Password
NPM_TOKEN = { provider = "onepass", key = "npm-token", if_missing = "error" }

# Simple default value
# Stored in plaintext; acceptable because it is not a secret.
NODE_ENV = { default = "staging" }

# Encrypted value specific to staging
# Truncated placeholder ciphertext, as in the default profile.
API_KEY = { encrypted = "YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0..." }

# Production profile
# Use with: fnox exec --profile production -- <command>
[profiles.production.secrets]

# Production secrets are typically fetched from a secure provider
# Every provider-backed entry here uses if_missing = "error", so a failed lookup
# is not silently ignored.
DATABASE_URL = { description = "Production database (read-write)", provider = "aws_prod", key = "prod/database-url", if_missing = "error" }

REDIS_URL = { description = "Production Redis cluster", provider = "aws_prod", key = "prod/redis-url", if_missing = "error" }

# NOTE(review): unlike the staging entry (key = "npm-token"), no `key` is given
# here. Confirm which item name the provider looks up when `key` is omitted, or
# add an explicit `key`.
NPM_TOKEN = { provider = "onepass", if_missing = "error" }

NODE_ENV = { default = "production" }

# Critical secrets are encrypted
# Decrypting them requires the age private key matching a recipient listed in
# [encryption], so the protection of these values rests on how that private key
# is stored. The values shown are truncated placeholders.
API_KEY = { encrypted = "YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0..." }
JWT_SECRET = { encrypted = "YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0..." }

# Custom profile example
# You can create any number of custom profiles
# All three values are plaintext defaults. The DATABASE_URL here carries no
# credentials; a URL with an embedded password should be stored as `encrypted`
# or fetched from a provider instead of being written as a `default`.
[profiles.ci.secrets]
DATABASE_URL = { default = "postgresql://localhost:5432/test" }
NODE_ENV = { default = "test" }
CI = { default = "true" }

# Example commands:
#
# Initialize:
#   fnox init
#
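# Set a secret (will be encrypted if encryption is configured):
# Note: a value given as a command-line argument is saved in shell history and is
# visible in the process list while the command runs.
#   fnox set DATABASE_URL "postgresql://user:pass@localhost/db"
#   fnox set API_KEY "secret-key" --profile production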
#
# Set only metadata (value from env var):
#   fnox set NPM_TOKEN --description "NPM token" --if-missing warn
#
# Get a secret:
#   fnox get DATABASE_URL
#   fnox get API_KEY --profile production
#
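# List secrets:
# Note: --values presumably prints the secret values themselves; avoid it where
# output is logged or shared (CI logs, screen sharing).
#   fnox list
#   fnox list --profile production --values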
#
# Run a command with secrets:
#   fnox exec -- npm start
#   fnox exec --profile production -- node app.js
#   fnox exec --profile staging -- ./deploy.sh
#
# Manage providers:
#   fnox provider list
#   fnox provider add my-vault vault
#   fnox provider remove my-vault
#
# Configuration features:
# - Recursive loading: fnox searches parent directories for fnox.toml files
# - Import files: Use import = ["path/to/config.toml"] to include other configs
# - Root boundary: Set root = true to stop parent directory search
# - Explicit paths: Use -c path/to/config.toml to bypass recursive search