github jdx/fnox v1.15.0
v1.15.0: Sync command, Nushell integration, and per-provider auth commands

5 hours ago

This release introduces the fnox sync command for re-encrypting remote secrets with a local provider, adds Nushell as a supported shell, and lets you override the authentication command on a per-provider basis. It also includes several provider fixes and fills gaps in provider add coverage.

Highlights

  • fnox sync command: Fetch secrets from remote providers and re-encrypt them locally (e.g., with age or AWS KMS) for CI/CD pipelines or offline environments.
  • Nushell integration: Full shell integration support for Nushell, including automatic secret loading on directory change.
  • Per-provider auth_command: Override or disable the default auth prompt command for any provider instance in your config.
  • Vault address fallback: The HashiCorp Vault provider no longer requires address in config -- it falls back to VAULT_ADDR automatically.

Added

fnox sync command (#298) -- @jdx

Syncs secrets from remote providers to a local encryption provider. This is useful for CI/CD environments or offline setups where you want secrets encrypted locally (e.g., with age) rather than fetched from a remote provider at runtime.

# Sync all remote secrets to your age provider
fnox sync -p age

# Preview what would be synced
fnox sync -p age --dry-run

# Sync only secrets from a specific source provider
fnox sync -p age --source aws

# Sync specific keys or filter by regex
fnox sync -p age MY_SECRET ANOTHER_SECRET
fnox sync -p age --filter "^DB_"

Supports --force to skip confirmation, --global to write to the global config, and --source/--filter/positional key arguments for filtering.

Nushell integration (#304) -- Thanks @tiptenbrink!

fnox now supports Nushell (0.96+) as a shell integration target. Since Nushell doesn't support eval, the integration uses a JSON-based protocol where hook-env and deactivate output structured JSON that a Nushell wrapper function interprets.

# Add to your Nushell config (find it via $nu.config-path):
mkdir ($nu.data-dir | path join "vendor/autoload")
fnox activate nu | save -f ($nu.data-dir | path join "vendor/autoload/fnox.nu")

Per-provider auth_command override (#305) -- @jdx

You can now override the authentication command for any provider instance. This is particularly useful for alternative CLI backends like rbw for Bitwarden:

[providers]
# Use rbw instead of the default bw CLI
rbw = { type = "bitwarden", backend = "rbw", auth_command = "rbw unlock" }

# Custom AWS SSO login
aws = { type = "aws-sm", region = "us-east-1", auth_command = "aws sso login --profile myprofile" }

# Disable auth prompting entirely for this provider
vault = { type = "vault", auth_command = "" }

The instance-level auth_command takes priority over the built-in default for each provider type. Setting it to an empty string disables the auth prompt.

HashiCorp Vault address is now optional (#301) -- Thanks @chermed!

The Vault provider's address field is no longer required in config. If omitted, fnox falls back to the FNOX_VAULT_ADDR or VAULT_ADDR environment variable, which is convenient in environments where Vault connectivity is already configured via environment variables.

[providers]
# address will be read from VAULT_ADDR
vault = { type = "vault", path = "secret/myapp" }

fnox provider add now covers all provider types (#302) -- Thanks @TyceHerrman!

The provider add command was missing several provider types that were already supported. It now accepts: bitwarden, bitwarden-sm, keepass, keychain, password-store, plain, and proton-pass. A --vault flag was also added for specifying the default Proton Pass vault:

fnox provider add mypass proton-pass --vault "Personal"

Fixed

Auth prompt no longer fires for non-auth errors (#297) -- Thanks @TyceHerrman!

Previously, any provider error (including "secret not found" or "field does not exist") would trigger the interactive authentication prompt. Now the prompt only appears for actual authentication failures (ProviderAuthFailed). This also improves the Infisical provider's error classification -- CLI stderr is now parsed into proper error variants (auth failures, secret-not-found, API errors) instead of being lumped into a generic CLI error, and batch mode preserves these structured errors instead of double-wrapping them.
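The two rules described in these notes (an instance-level auth_command beats the built-in default and an empty string disables prompting; only ProviderAuthFailed triggers a prompt) can be modelled together. This is an added sketch, not fnox source code: apart from the ProviderAuthFailed name, every type, function and the "<built-in default>" placeholder is hypothetical.

```rust
// Added illustration; not fnox source. Only the ProviderAuthFailed name and the
// auth_command semantics come from the release notes; the rest is hypothetical.

#[allow(dead_code)]
#[derive(Debug)]
enum ProviderError {
    ProviderAuthFailed(String), // credentials missing, locked or expired
    SecretNotFound(String),     // provider reachable, secret absent
    Api(String),                // provider answered with a non-auth failure
}

struct ProviderInstance<'a> {
    // None = key absent from config, Some("") = prompting disabled,
    // Some(cmd) = instance-level override.
    auth_command: Option<&'a str>,
    // Built-in default for the provider type (placeholder value in main()).
    default_auth_command: Option<&'a str>,
}

/// Returns the command to offer the user, or None when no prompt should appear.
fn auth_prompt_command(p: &ProviderInstance<'_>, err: &ProviderError) -> Option<String> {
    // Gate 1: only a genuine authentication failure may trigger a prompt.
    if !matches!(err, ProviderError::ProviderAuthFailed(_)) {
        return None;
    }
    // Gate 2: the instance-level setting wins over the built-in default.
    let chosen = p.auth_command.or(p.default_auth_command);
    // Gate 3: an empty command means "never prompt for this provider".
    chosen.map(str::trim).filter(|c| !c.is_empty()).map(String::from)
}

fn main() {
    let default = Some("<built-in default>"); // placeholder, not fnox's real default
    let rbw = ProviderInstance { auth_command: Some("rbw unlock"), default_auth_command: default };
    let vault = ProviderInstance { auth_command: Some(""), default_auth_command: default };
    let unset = ProviderInstance { auth_command: None, default_auth_command: default };

    let locked = ProviderError::ProviderAuthFailed("vault is locked".into());
    let missing = ProviderError::SecretNotFound("DB_PASSWORD".into());

    println!("{:?}", auth_prompt_command(&rbw, &locked));   // override is used
    println!("{:?}", auth_prompt_command(&rbw, &missing));  // not an auth error
    println!("{:?}", auth_prompt_command(&vault, &locked)); // prompting disabled
    println!("{:?}", auth_prompt_command(&unset, &locked)); // built-in default
}
```

Checking the error variant before resolving the command means a misclassified "secret not found" can never launch a login command, which is the behaviour the fix restores.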

New Contributors

Full Changelog: v1.14.0...v1.15.0
