This patch release fixes an important bug in how fnox exec resolves secrets that depend on each other. Previously, secrets with interdependencies could be resolved in the wrong order, causing failures when one secret referenced another that hadn't been resolved yet. Now fnox uses Kahn's algorithm to properly sort secrets by their dependency graph before resolution.
Bug Fixes
- Dependency-ordered secret resolution: When secrets reference other secrets (e.g., a connection string that includes a password from another secret), fnox now resolves them in the correct topological order using Kahn's algorithm. This eliminates race conditions and ensures dependent secrets are always available when needed. (#237)
Security
- Guidance for
fnox set: Added documentation clarifying security considerations when passing secret values as command-line arguments, since these may be visible in shell history or process listings. See the documentation for secure alternatives like piping from stdin. (#229)