github jdx/fnox v1.20.0
v1.20.0: Doppler Provider and Sync Fix for json_path

one day ago

v1.20.0 adds a new Doppler secrets manager provider and fixes a bug where fnox sync would corrupt secrets that use json_path extraction.

Added

Doppler secrets manager provider (#376) -- @natefaerber

fnox now supports Doppler as a secrets provider. The provider uses the Doppler CLI under the hood and supports project/config scoping, service token authentication, and efficient batch fetching via --json.

[providers]
app-prod = { type = "doppler", project = "my-app", config = "prd" }
app-dev  = { type = "doppler", project = "my-app", config = "dev" }

[secrets]
PROD_DB_URL = { provider = "app-prod", value = "DATABASE_URL" }
DEV_DB_URL  = { provider = "app-dev",  value = "DATABASE_URL" }

All configuration fields (project, config, token) are optional -- when omitted, the provider falls back to the Doppler CLI's own defaults (from doppler setup or environment variables like DOPPLER_TOKEN). Authentication works via interactive login, service tokens in config, or the DOPPLER_TOKEN / FNOX_DOPPLER_TOKEN environment variables.

You can add a Doppler provider interactively with:

fnox provider add my-doppler doppler

See the full Doppler provider documentation for setup instructions, CI/CD examples, and multi-environment patterns.

Fixed

fnox sync no longer corrupts secrets that use json_path (#371) -- @rpendleton

When syncing secrets that use json_path, the sync command was applying json_path extraction before caching the value. This meant the cached sync value contained only the extracted field (e.g. "admin") instead of the full raw secret (e.g. {"username":"admin","password":"secret123"}). On subsequent reads, json_path would be applied again to the already-extracted value, failing with "Failed to parse JSON secret".

The fix introduces SecretConfig::for_raw_resolve(), which strips post-processing fields (json_path, sync, default) before resolving. Both sync and reencrypt now use this method, ensuring raw provider values are always cached and future post-processing steps only need updating in one place.
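The ordering bug and its fix, as an added Python model (not fnox's Rust code). Only for_raw_resolve and the config keys come from the release notes; the other function names, the DB_CREDS key, the dict-based config and the dotted-path handling of json_path are assumptions made for illustration.

```python
import json

# Constructed sample: the raw secret a provider would return (values from the notes above).
RAW = '{"username":"admin","password":"secret123"}'
# Post-processing fields the release notes say are stripped before a raw resolve.
POST_PROCESSING = ("json_path", "sync", "default")

def apply_json_path(value, path):
    """Parse value as JSON and walk a dotted key path (path syntax is an assumption)."""
    try:
        node = json.loads(value)
    except json.JSONDecodeError as exc:
        raise ValueError("Failed to parse JSON secret") from exc
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            raise KeyError(path)
        node = node[key]
    return node if isinstance(node, str) else json.dumps(node)

def resolve(cfg, provider):
    """Fetch the secret from the provider, then apply json_path if configured."""
    value = provider[cfg["value"]]
    if "json_path" in cfg:
        value = apply_json_path(value, cfg["json_path"])
    return value

def for_raw_resolve(cfg):
    """Model of the fix: a copy of the config without post-processing fields."""
    return {k: v for k, v in cfg.items() if k not in POST_PROCESSING}

def sync_buggy(cfg, provider):
    # Pre-fix order: extraction runs before caching, so only the field is cached.
    return resolve(cfg, provider)

def sync_fixed(cfg, provider):
    # Post-fix order: the raw provider value is cached.
    return resolve(for_raw_resolve(cfg), provider)

def read_from_cache(cfg, cached):
    """Later read: json_path is applied to whatever sync cached."""
    return apply_json_path(cached, cfg["json_path"]) if "json_path" in cfg else cached

if __name__ == "__main__":
    cfg = {"provider": "app-prod", "value": "DB_CREDS", "json_path": "username"}
    provider = {"DB_CREDS": RAW}  # constructed stand-in for a provider backend
    print(read_from_cache(cfg, sync_fixed(cfg, provider)))
    try:
        read_from_cache(cfg, sync_buggy(cfg, provider))
    except ValueError as err:
        print("buggy sync:", err)
```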

New Contributors

Full Changelog: v1.19.0...v1.20.0
