fnox Release Notes

Highlights

• JSON secrets: Extract individual fields from JSON-formatted secrets using json_path, eliminating the need for jq workarounds.
• Comment preservation: All config-modifying commands now preserve your TOML comments and formatting.

Added

[secrets]
DB_PASS = { provider = "aws", value = "db-credentials", json_path = "password" }
DB_HOST = { provider = "aws", value = "db-config", json_path = "database.host" }

Many secret managers (particularly AWS Secrets Manager) store secrets as JSON blobs. Previously, extracting individual fields required piping through jq, which didn't work with fnox exec or shell integration. The new json_path option extracts a specific field from a JSON secret at resolve time:
[secrets]
DB_PASS = { provider = "aws", value = "db-credentials", json_path = "password" }
DB_HOST = { provider = "aws", value = "db-config", json_path = "database.host" }
Supports dot notation for nested paths and escaped dots (.) for keys containing literal dots. Works with all providers, default values, environment variable fallbacks, and the as_file option.

Fixed

fnox import and fnox remove now preserve TOML comments (#268)
Previously, both commands re-serialized the entire config from the internal Rust struct, destroying all comments, custom formatting, and whitespace. They now edit the TOML document AST directly (the same approach fnox set already used), so your comments stay intact. All config-modifying commands now preserve formatting:

• Command: fnox set — Status: Already preserved
• Command: fnox edit — Status: Already preserved
• Command: fnox import — Status: Fixed in this release
• Command: fnox remove — Status: Fixed in this release

KeePass provider compatibility (#286)
Updated the KeePass provider to work with the keepass crate 0.8.21 API, which changed how database entries and groups are traversed.

Documentation

Fixed incorrect cd . reload instructions in shell integration docs -- the shell hook auto-detects config changes on each prompt, so no manual reload is needed (#265)
Fixed env-specific config example in mise integration guide to use separate mise.{env}.toml files instead of inline sections (#267)

New Contributors

@sweepies made their first contribution in #282
@halms made their first contribution in #247

Full Changelog: v1.12.1...v1.13.0

A small but important bug fix release.

Bug Fixes

• Shell integration now loads global config (#262)
  If you were using fnox activate or shell hooks with only a global config file (~/.config/fnox/config.toml) and no local fnox.toml in your project, your secrets weren't being loaded. This release fixes that—global config is now properly used as a fallback when no local config exists, and changes to global config now trigger reloads as expected.

Documentation

• Condensed development instructions in CLAUDE.md (#260)
• Documentation site now uses dark mode only (#261)

Dependency Updates

• Lock file maintenance by @renovate[bot] (#257)

Full documentation: https://fnox.jdx.dev/

Highlights

Secrets as Files (#250) - Thanks @kfkonrad!

Some applications expect secrets as file paths rather than environment variable values (think certificate files, SSH keys, or apps that refuse env vars for security reasons). The new as_file option writes secrets to temporary files and sets the env var to the file path:

[secrets]
DB_CERT = { provider = "age", value = "...", as_file = true }

With fnox exec, files are automatically cleaned up when your command exits. Files are created with 0600 permissions. See the file-based secrets documentation for details on behavior across different commands.

--no-defaults Flag (#252) - Thanks @jaydenfyi!

When using profiles, fnox normally merges top-level secrets with profile-specific ones. The new --no-defaults flag prevents this, loading only the secrets defined in the selected profile:

fnox exec --profile production --no-defaults -- ./deploy.sh

Useful for strict production environments where you want to ensure no development secrets accidentally leak through.

Bitwarden Secrets Manager Provider (#253) - Thanks @nikuda!

Bitwarden Secrets Manager is a separate product from Bitwarden Password Manager, designed for DevOps and infrastructure secrets. fnox now supports it as the bitwarden-sm provider:

[providers]
bws = { type = "bitwarden-sm", project_id = "your-project-id" }

[secrets]
DATABASE_URL = { provider = "bws", value = "database-url" }

Requires the bws CLI and an access token (BWS_ACCESS_TOKEN). See the provider documentation for setup details.

Documentation

Documented tools=true requirement for mise integration (#245)

New Contributors

Welcome to @nikuda, @jaydenfyi, and @kfkonrad!

Highlights

New config-files Subcommand

This release introduces the config-files subcommand, making it easier to understand exactly which configuration files fnox is loading and in what order. This is particularly useful when debugging complex setups with global configs, profile-specific configs, and local overrides.

• Global configs (~/.config/fnox/config.toml)
• Profile-specific configs (fnox.production.toml)
• Local overrides (fnox.local.toml)
• Parent directory configs (via recursion)

Now you can quickly verify that your configuration hierarchy is set up correctly.
See #238 for details.

Testing Improvements

• Bitwarden tests are now serialized to prevent flaky CI failures (#242)
• Added unit tests for dependency resolution level computation (#239)

For full documentation, visit fnox.jdx.dev.

This patch release fixes an important bug in how fnox exec resolves secrets that depend on each other. Previously, secrets with interdependencies could be resolved in the wrong order, causing failures when one secret referenced another that hadn't been resolved yet. Now fnox uses Kahn's algorithm to properly sort secrets by their dependency graph before resolution.

Bug Fixes

• Dependency-ordered secret resolution: When secrets reference other secrets (e.g., a connection string that includes a password from another secret), fnox now resolves them in the correct topological order using Kahn's algorithm. This eliminates race conditions and ensures dependent secrets are always available when needed. (#237)

Security

• Guidance for fnox set: Added documentation clarifying security considerations when passing secret values as command-line arguments, since these may be visible in shell history or process listings. See the documentation for secure alternatives like piping from stdin. (#229)

Documentation

• Improved conventional commit guidance in contributor documentation (#226, #231)

Dependency Updates

• Updated clap to v4.5.56 (#234)
• Updated google-cloud-secretmanager-v1 to v1.4.0 (#235)

This release focuses heavily on developer experience with significantly improved error messages throughout fnox. Errors now include documentation URLs, source code spans pointing to exact locations in your config files, "Did you mean?" suggestions for typos, and structured error chains that show the full context of what went wrong. These improvements make debugging configuration issues much faster and more intuitive.

Additionally, this release adds HashiCorp Vault namespace support for enterprise users, a JSON schema for editor autocompletion, a new --dry-run flag for safely previewing changes, and support for dotfile variants of fnox.toml.

Highlights

• Dramatically improved error messages - Errors now show source code spans highlighting exactly where problems occur in your config files, include links to relevant documentation, and suggest corrections for typos like "Did you mean 'aws-sm'?" (#204, #205, #212, #216) by @jdx
• HashiCorp Vault namespace support - Enterprise Vault users can now specify namespaces in their provider configuration (#220) by @pierrop
• JSON schema for fnox.toml - Get autocompletion and validation in your editor when editing fnox configuration files (#196) by @jdx
• --dry-run flag - Preview what fnox set, fnox remove, and other data-modifying commands will do before making changes (#201) by @jdx
• --all flag for provider test - Test all configured providers at once with fnox provider test --all (#202) by @jdx
• Dotfile support - fnox now recognizes .fnox.toml and other dotfile variants for projects that prefer hidden config files (#141) by @dharrigan
• 1Password token field - The 1Password provider now supports a token field that can reference secrets from other providers, enabling more flexible authentication setups (#200) by @jdx

Bug Fixes

• Preserve TOML comments - fnox set no longer strips comments from your fnox.toml file (#223) by @jdx

Documentation

• New TUI dashboard guide for the interactive terminal interface (#203)
• New mise integration guide for using fnox with mise task runner (#215)

New Contributors

Welcome to our new contributors!

• @pierrop made their first contribution in #220
• @dharrigan made their first contribution in #141

Full Changelog: v1.9.2...v1.10.0

Fnox v1.8.0 brings significant performance improvements for AWS users and expands enterprise support with a new Passwordstate provider. This release focuses on making fnox faster and more reliable for teams managing secrets at scale.
The standout improvements include dramatically faster secret retrieval for AWS Parameter Store users through batched operations, and enhanced concurrency for AWS KMS operations. These changes mean that applications using many AWS-based secrets will start up noticeably faster.

Highlights

• New Passwordstate Provider - Enterprise teams can now integrate with Click Studios Passwordstate, a popular on-premises password management solution. This addition makes fnox more accessible to organizations with strict data sovereignty requirements. Thanks to @davidolrik for contributing this feature! (#147) Learn more about configuring the Passwordstate provider.
• AWS Performance Boost - AWS Parameter Store operations now use intelligent batching to retrieve multiple secrets in parallel, while AWS KMS concurrency has been increased from 10 to 100 concurrent operations. For applications with dozens or hundreds of secrets, this can reduce startup time from minutes to seconds. Thanks to @johnpyp for this optimization! (#180)

Bug Fixes

• Better AWS Authentication - Fixed issues with AWS SSO authentication and improved error messages when AWS operations fail. If you've struggled with cryptic AWS SDK errors or couldn't use fnox with AWS SSO, this update resolves those pain points. Thanks to @daghoidahl for these improvements! (#173)

Documentation

• The providers documentation has been updated to properly include AWS Parameter Store in all listings, making it easier to discover and use this powerful provider. Thanks to @johnpyp! (#178)