github jdx/fnox v1.22.0
v1.22.0: Library API and a sticky-provider fix for `fnox set`
on GitHub

latest release: v1.23.0
10 hours ago

v1.22.0 introduces a top-level library API for embedding fnox in Rust applications, and fixes a sharp edge in fnox set that could turn an encrypted secret into plaintext.

Added

Top-level Fnox library API (#442) -- @bglusman

Downstream Rust consumers can now use fnox as a library in three lines instead of replicating the internals of GetCommand::run: 

use fnox::Fnox;

let fnox = Fnox::discover()?;          // walks up + merges parent + local + global config
let value = fnox.get("MY_KEY").await?;
let names = fnox.list()?;

The new Fnox type lives in src/library.rs and is re-exported from the crate root. Highlights:

  • Fnox::discover() mirrors the binary's full config-discovery and merge chain via Config::load_smart, including the FNOX_PROFILE env var.
  • Fnox::open(path) loads an explicit config without the upward-search/merge behavior.
  • Fnox::with_profile("staging") builder for non-default profiles.
  • get() returns FnoxError::SecretNotFound with a populated "Did you mean…" suggestion, matching the CLI's UX so callers don't need to recompute it.
  • Fnox is cheap to clone (Config is held behind an Arc) and safe to hold across .await.

set() is intentionally not part of this first cut; it'll get its own design pass.

Fixed

fnox set no longer silently downgrades encrypted secrets to plaintext (#439) -- @rpendleton

When multiple providers were configured without a default_provider, running fnox set on an existing secret without --provider would write the new value as plaintext while leaving the original provider = "..." key in place. The next fnox get then failed trying to "decrypt" a value that was no longer encrypted.

fnox set now reuses the secret's existing provider before falling back to default_provider or plaintext, so updates stay encrypted and readable without having to pass --provider on every call: 

fnox set --provider age MY_SECRET "original-value"   # encrypted with age
fnox set MY_SECRET "new-value"                       # still encrypted with age

Deterministic provider ordering in the generated schema (#432) -- @jdx

Within-category provider ordering in build/generate_providers.rs was inheriting fs::read_dir order, which is OS- and filesystem-dependent. That non-determinism flowed into docs/public/schema.json and caused autofix.ci to keep reshuffling 100+ lines between runs. A secondary sort by provider name fixes the churn; running fnox schema twice now produces byte-identical output.

Mobile docs banner layout (#437) -- @jdx

At <=640px the announcement banner now switches to a column layout with the close button pinned to the top-right corner, instead of cramming the message and "Read more" link onto one squeezed line.

Changed

  • Docs site nav now shows the current release version (read from Cargo.toml at build time) and a GitHub star count, matching the mise/aube docs (#443) -- @jdx
  • Added a dismissible cross-site announcement banner that fetches its config from jdx.dev/banner.json and respects the expires field (#434, #436) -- @jdx

New Contributors

Full Changelog: v1.21.0...v1.22.0

💚 Sponsor fnox

fnox is maintained by @jdx under en.dev — a small independent studio building developer tooling like mise, aube, hk, and more. Keeping fnox secure, maintained, and free is funded by sponsors.

If fnox is handling secrets or config for you or your team, please consider sponsoring at en.dev. Sponsorships are what let fnox stay independent and the project keep moving.

Check out latest releases or
releases around jdx/fnox v1.22.0

Don't miss a new fnox release

NewReleases is sending notifications on new releases.

Get notifications