v1.18.0 strengthens MCP server security with automatic output redaction and a secret allowlist, adds a --local-file option to fnox sync for keeping sync caches out of your committed config, and fixes auth prompt handling in batch providers. The YubiKey provider also no longer requires libusb to be installed just to start the binary.
Highlights
- MCP output redaction -- The exec tool now automatically replaces resolved secret values with [REDACTED] in stdout/stderr before returning output to the agent, closing a gap where agents could exfiltrate secrets via commands like printenv.
- MCP secret allowlist -- A new mcp.secrets config option restricts which secrets the MCP server exposes to AI agents, with dependency-aware warnings at startup.
- fnox sync --local-file -- Sync overrides can now be written to fnox.local.toml (gitignored) instead of the main config file, keeping your committed config clean.
- YubiKey dynamic libusb loading -- The binary no longer hard-links libusb, so it starts normally on systems without libusb installed. Users get a clear error with install instructions only when they actually use the YubiKey provider.
Added
MCP exec output redaction (#357) -- @jdx
The MCP exec tool now scans stdout/stderr for resolved secret values and replaces them with [REDACTED] before returning output to the agent. This prevents agents from exfiltrating secrets via commands like printenv or echo $SECRET. Redaction uses Aho-Corasick leftmost-longest matching for correctness and is enabled by default. To disable (not recommended):
[mcp]
redact_output = false
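Why leftmost-longest matching matters for redaction, as an added example that is not fnox's own code: when one secret value is a prefix of another, replacing secrets one at a time can leave the tail of the longer value in the output. The function names `redact` and `redact_sequential` and the sample values are constructed for illustration, and a plain std-only scan stands in for the Aho-Corasick automaton.

```rust
// Added example, not fnox's code. fnox uses Aho-Corasick; this std-only scan
// reproduces only the leftmost-longest match semantics.
const MASK: &str = "[REDACTED]";

/// Replace each secret in `output` with MASK; at every position the longest
/// matching secret wins, so a secret that is a prefix of another leaves no tail.
fn redact(output: &str, secrets: &[&str]) -> String {
    // An empty pattern would match at every offset, so drop it.
    let mut pats: Vec<&[u8]> = secrets
        .iter()
        .map(|s| s.as_bytes())
        .filter(|p| !p.is_empty())
        .collect();
    pats.sort_by(|a, b| b.len().cmp(&a.len())); // try longest first
    let bytes = output.as_bytes();
    let mut out: Vec<u8> = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        match pats.iter().copied().find(|p| bytes[i..].starts_with(*p)) {
            Some(p) => {
                out.extend_from_slice(MASK.as_bytes());
                i += p.len(); // resume after the match
            }
            None => {
                out.push(bytes[i]);
                i += 1;
            }
        }
    }
    // Matches of valid UTF-8 patterns fall on char boundaries, so this is lossless.
    String::from_utf8_lossy(&out).into_owned()
}

/// Contrast: replace secrets one at a time, in the order given.
fn redact_sequential(output: &str, secrets: &[&str]) -> String {
    secrets
        .iter()
        .filter(|s| !s.is_empty())
        .fold(output.to_string(), |acc, s| acc.replace(*s, MASK))
}

fn main() {
    // Constructed values; the first secret is a prefix of the second.
    let secrets = ["tok_abc123", "tok_abc123_admin_9f"];
    let printenv = "API_KEY=tok_abc123\nADMIN_KEY=tok_abc123_admin_9f\n";
    print!("{}", redact(printenv, &secrets));
    print!("{}", redact_sequential(printenv, &secrets)); // leaks "_admin_9f"
}
```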
MCP secret allowlist (#358) -- @jdx
A new mcp.secrets config option restricts which secrets the MCP server resolves and exposes. Unlisted secrets are never resolved (avoiding unnecessary auth prompts) and are invisible to both get_secret and exec. At startup, fnox warns if the allowlist contains unknown names or if an allowlisted secret depends on another secret not in the list.
[mcp]
secrets = ["GITHUB_TOKEN", "NPM_TOKEN"] # only these are available to the agent
When omitted, all profile secrets are available (backward compatible).
fnox sync --local-file output target (#317) -- @florian-lackner365
fnox sync now accepts a --local-file flag that writes sync overrides to the local override file (fnox.local.toml or .fnox.local.toml) next to your config file, instead of modifying the main config. This keeps encrypted sync caches out of version control. The flag requires the config filename to be fnox.toml or .fnox.toml (other filenames are rejected) and conflicts with --global.
fnox sync -p age --local-file
# writes to fnox.local.toml (add to .gitignore)
Fixed
Auth prompts now work in batch providers (#349) -- @johnpyp
When a batch provider (e.g. AWS KMS resolving multiple secrets at once) returned an auth error, the auth_command fallback was not triggered -- the secrets were silently skipped. Batch resolution now detects auth errors in the results, runs the configured auth command (e.g. aws sso login), and retries the batch.
Changed
YubiKey provider loads libusb dynamically (#348) -- @jdx
The yubico_manager crate has been replaced with a minimal reimplementation that loads libusb at runtime via libloading. Previously, libusb was linked at build time, which caused the binary to crash on startup (dyld errors on macOS) for users who did not have Homebrew libusb installed -- even if they never used the YubiKey provider. Now the binary starts normally on all systems, and users who try to use the YubiKey provider without libusb get a clear error with platform-specific install instructions.
New Contributors
- @florian-lackner365 made their first contribution in #317
- @johnpyp made their first contribution in #349
Full Changelog: v1.17.0...v1.18.0