CHANGELOG.md

Changelog

1.20.0 - 2026-04-04

🚀 Features

• (provider) add Doppler secrets manager provider by @natefaerber in #376

🐛 Bug Fixes

• (ci) pin LocalStack to v4 (last free community version) by @jdx in #379
• (sync) skip post-processing when resolving secrets for sync by @rpendleton in #371

🚜 Refactor

• (providers) extract shared error helpers to FnoxError methods by @jdx in #380

📦️ Dependency Updates

• lock file maintenance by @renovate[bot] in #369
• update taiki-e/upload-rust-binary-action digest to 0e34102 by @renovate[bot] in #372
• update dependency vue to v3.5.32 by @renovate[bot] in #373
• update rust crate indexmap to v2.13.1 by @renovate[bot] in #378
• update rust crate blake3 to v1.8.4 by @renovate[bot] in #377
• lock file maintenance by @renovate[bot] in #374

New Contributors

• @natefaerber made their first contribution in #376
• @rpendleton made their first contribution in #371

1.19.0 - 2026-03-22

🚀 Features

• add reencrypt subcommand for updating encryption recipients by @jdx in #365

🐛 Bug Fixes

• (set) prompt for secret value when -k flag is used by @jdx in #367

📦️ Dependency Updates

• lock file maintenance by @renovate[bot] in #360
• lock file maintenance by @renovate[bot] in #362

1.18.0 - 2026-03-13

🚀 Features

• (mcp) add secret allowlist to limit agent access by @jdx in #358
• (sync) add --local-file output target by @florian-lackner365 in #317

🐛 Bug Fixes

• properly handle auth prompt in batch providers by @johnpyp in #349

🚜 Refactor

• (yubikey) dynamically load libusb at runtime by @jdx in #348

🛡️ Security

• (mcp) redact secret values from exec output by @jdx in #357

📦️ Dependency Updates

• lock file maintenance by @renovate[bot] in #344
• update jdx/mise-action digest to 5228313 by @renovate[bot] in #351
• update swatinem/rust-cache digest to e18b497 by @renovate[bot] in #352
• update taiki-e/upload-rust-binary-action digest to 381995c by @renovate[bot] in #353
• update dependency vue to v3.5.30 by @renovate[bot] in #354
• update rust crate openssl-sys to v0.9.112 by @renovate[bot] in #355
• update rust crate clap to v4.6.0 by @renovate[bot] in #356

New Contributors

• @florian-lackner365 made their first contribution in #317

1.17.0 - 2026-03-09

🚀 Features

• (cloudflare) add Cloudflare API token lease backend by @jdx in #335
• (fido2) bump demand to v2, mask PIN during typing by @jdx in #334
• (get) resolve leased credentials from fnox get by @jdx in #338
• (init) add -f as short alias for --force by @jdx in #329
• (lease) add --all flag, default to creating all leases by @jdx in #337
• (lease) add GitHub App installation token lease backend by @jdx in #342

🐛 Bug Fixes

• (config) fix directory locations to follow XDG spec by @jdx in #336
• (exec) use unix exec and exit silently on subprocess failure by @jdx in #339
• (fido2) remove duplicate touch prompt by @jdx in #332
• (set) write to lowest-priority existing config file by @jdx in #331
• (tui) skip providers requiring interactive auth by @jdx in #333

🛡️ Security

• (ci) retry lint step to handle transient pkl fetch failures by @jdx in #341
• (mcp) add MCP server for secret-gated AI agent access by @jdx in #343
• add guide for fnox sync by @jdx in #328

🔍 Other Changes

• share Rust cache across CI jobs by @jdx in #340

1.16.1 - 2026-03-08

🐛 Bug Fixes

• (set) error on encryption failure; use LocalStack for AWS tests by @jdx in #324

📦️ Dependency Updates

• add Cross.toml to install libudev-dev for linux cross-compilation by @jdx in #326

1.16.0 - 2026-03-08

🐛 Bug Fixes

• (docs) escape angle brackets in lease create doc by @jdx in #323

🛡️ Security

• (lease) ephemeral credential leasing by @jdx in #318

📦️ Dependency Updates

• update jdx/mise-action digest to e79ddf6 by @renovate[bot] in #312
• publish to crates.io on release by @jdx in #315
• add libudev-dev to release-plz CI workflow by @jdx in #322
• update aws-sdk-rust monorepo to v1.8.15 by @renovate[bot] in #313

1.15.1 - 2026-03-02

🐛 Bug Fixes

• (sync) use sync cache field instead of overwriting provider/value by @jdx in #309

⚡ Performance

• (aws-sm) skip expensive tests on non-release PRs by @jdx in #310
• (provider) use async tokio::process::Command for CLI-based providers by @jdx in #308

📦️ Dependency Updates

• lock file maintenance by @renovate[bot] in #306

1.15.0 - 2026-03-02

🚀 Features

• (provider) allow auth_command override per-provider in config by @jdx in #305
• (vault) make address field optional and fallback to VAULT_ADDR by @chermed in #301
• add fnox sync command by @jdx in #298
• nushell integration by @tiptenbrink in #304

🐛 Bug Fixes

• (provider) only trigger auth prompt for ProviderAuthFailed errors by @TyceHerrman in #297
• (provider) add missing provider add types and proton-pass vault by @TyceHerrman in #302

New Contributors

• @chermed made their first contribution in #301
• @tiptenbrink made their first contribution in #304

1.14.0 - 2026-02-28

🚀 Features

• (proton-pass) add Proton Pass provider by @TyceHerrman in #292
• Add AWS Profile support for AWS PS and Secrets Manager in provider config by @micahvdk in #290
• encode decode secrets by @pitoniak32 in #273

🐛 Bug Fixes

• (aws-sm) deduplicate secret IDs in batch requests by @jdx in #296

📚 Documentation

• require AI disclosure on GitHub comments by @jdx in #288

📦️ Dependency Updates

• update dependency vue to v3.5.29 by @renovate[bot] in #294
• update rust crate chrono to v0.4.44 by @renovate[bot] in #295

New Contributors

• @pitoniak32 made their first contribution in #273
• @TyceHerrman made their first contribution in #292
• @micahvdk made their first contribution in #290

1.13.0 - 2026-02-21

🚀 Features

• add JSON secrets by @halms in #247

🐛 Bug Fixes

• (config) preserve TOML comments in import and remove by @jdx in #268
• (release) write release notes to file instead of capturing stdout by @jdx in #263
• (release) make release notes editorialization non-blocking by @jdx in #269

📚 Documentation

• (config) fix env-specific config example in mise integration guide by @jdx in #267
• (shell) remove incorrect cd . reload instructions by @jdx in #265
• rename CRUSH.md to AGENTS.md by @sweepies in #282

🔍 Other Changes

• replace gen-release-notes script with communique by @jdx in #285

📦️ Dependency Updates

• update taiki-e/upload-rust-binary-action digest to f391289 by @renovate[bot] in #274
• update rust crate usage-lib to v2.16.2 by @renovate[bot] in #277
• update rust crate clap to v4.5.58 by @renovate[bot] in #276
• update rust crate google-cloud-secretmanager-v1 to v1.5.0 by @renovate[bot] in #278
• update rust crate crossterm to 0.29 by @renovate[bot] in #279
• lock file maintenance by @renovate[bot] in #281
• update aws-sdk-rust monorepo to v1.8.14 by @renovate[bot] in #275
• update keepass to 0.8.21 and adapt to new API by @jdx in #286

New Contributors

• @sweepies made their first contribution in #282
• @halms made their first contribution in #247

1.12.1 - 2026-02-10

🐛 Bug Fixes

• load global config in shell integration hook-env by @jdx in #262

📚 Documentation

• condense CLAUDE.md from 1159 to 96 lines by @jdx in #260

🛡️ Security

• disable light mode in documentation site by @jdx in #261

📦️ Dependency Updates

• lock file maintenance by @renovate[bot] in #257

1.12.0 - 2026-02-09

🚀 Features

• implement as_file to inject a secret as a file instead of as a value by @kfkonrad in #250
• add a --no-defaults CLI flag by @jaydenfyi in #252

📚 Documentation

• document tools=true requirement for mise integration by @jdx in #245
• add opengraph meta tags by @jdx in #256

🔍 Other Changes

• reduce CI bats test parallelism from 3 to 2 tranches by @jdx in #243
• add tone calibration to release notes prompt by @jdx in #251
• Add Bitwarden SM provider by @nikuda in #253

📦️ Dependency Updates

• update autofix-ci/action action to v1.3.3 by @renovate[bot] in #254
• update aws-sdk-rust monorepo to v1.8.13 by @renovate[bot] in #255

New Contributors

• @nikuda made their first contribution in #253
• @jaydenfyi made their first contribution in #252
• @kfkonrad made their first contribution in #250

1.11.0 - 2026-02-01

🚀 Features

• add config-files subcommand by @jdx in #238

🧪 Testing

• (bitwarden) serialize tests to prevent flaky CI failures by @jdx in #242
• add unit tests for dependency resolution level computation by @jdx in #239

1.10.1 - 2026-01-30

🐛 Bug Fixes

• (exec) resolve secrets in dependency order using Kahn's algorithm by @jdx in #237
• don't thank @jdx in LLM-generated release notes by @jdx in #230

📚 Documentation

• add conventional commit guidance to CRUSH.md by @jdx in #226
• clarify fix type is for CLI bugs only by @jdx in #231

🛡️ Security

• (set) add security guidance for secret value argument by @jdx in #229

🔍 Other Changes

• add creative titles to GitHub releases by @jdx in #224
• add mise.local.toml to .gitignore by @jdx in #236

📦️ Dependency Updates

• update rust crate clap to v4.5.56 by @renovate[bot] in #234
• update rust crate google-cloud-secretmanager-v1 to v1.4.0 by @renovate[bot] in #235

1.10.0 - 2026-01-25

🚀 Features

• (1password) add token field supporting secret references by @jdx in #200
• (vault) add namespace option by @pierrop in #220
• add JSON schema for fnox.toml by @jdx in #196
• add --all flag to provider test command by @jdx in #202
• add documentation URLs to error diagnostics by @jdx in #212
• preserve source error chains for JSON/YAML errors by @jdx in #214
• use structured error variants instead of generic Config/Provider by @jdx in #213
• add "Did you mean?" suggestions for typos by @jdx in #204
• add --dry-run flag to data-modifying commands by @jdx in #201
• Support fnox.toml (and variants) dotfiles. by @dharrigan in #141
• add source code spans for better error reporting by @jdx in #205
• use #[related] for validation errors to show all issues at once by @jdx in #211
• add source code span tracking for default_provider errors by @jdx in #209
• add source code span tracking for SecretConfig.value by @jdx in #210
• improve miette error handling with structured provider errors and URLs by @jdx in #216

🐛 Bug Fixes

• update claude CLI model and add bypassPermissions by @jdx in #194
• update claude CLI model and add bypassPermissions by @jdx in #195
• preserve TOML comments in fnox set by @jdx in #223

🚜 Refactor

• convert miette::miette!() to FnoxError in encrypt.rs and list.rs by @jdx in #208
• use structured errors in remove and export commands by @jdx in #206
• use structured errors in import command by @jdx in #207

📚 Documentation

• add comprehensive TUI dashboard guide by @jdx in #203
• add mise integration guide by @jdx in #215

⚡ Performance

• reduce KMS API calls in CI tests by @jdx in #217

🛡️ Security

• add Black Ops One font branding to docs by @jdx in #198

📦️ Dependency Updates

• lock file maintenance by @renovate[bot] in #197
• update jdx/mise-action digest to 6d1e696 by @renovate[bot] in #218
• update rust crate proc-macro2 to v1.0.106 by @renovate[bot] in #219

New Contributors

• @pierrop made their first contribution in #220
• @dharrigan made their first contribution in #141

1.9.2 - 2026-01-19

🚀 Features

• add interactive TUI dashboard using ratatui by @jdx in #188

🐛 Bug Fixes

• gen-release-notes improvements by @jdx in #191

🔍 Other Changes

• exclude CHANGELOG.md from prettier by @jdx in #190

1.9.1 - 2026-01-19

🐛 Bug Fixes

• use positional args in gen-release-notes by @jdx in #187

1.9.0 - 2026-01-19

🚀 Features

• add authentication prompting for expired credentials by @jdx in #184
• add LLM-generated editorialized release notes by @jdx in #185

🐛 Bug Fixes

• remove LLM generation from release-plz by @jdx in #186

🚜 Refactor

• (edit) batch resolve secrets by profile for efficiency by @johnpyp in #182

1.8.0 - 2026-01-17

🚀 Features

• add passwordstate provider by @davidolrik in #147
• aws-ps batch concurrency, aws-kms 10 -> 100 concurrency by @johnpyp in #180

🐛 Bug Fixes

• resolve clippy unused_assignments warnings in error.rs by @jdx in #174
• improve AWS SDK error messages and enable SSO support by @daghoidahl in #173

📚 Documentation

• add AWS Parameter store to sidebar and provider lists by @johnpyp in #178

🧪 Testing

• Add missing skip logic to aws_parameter_store.bats by @jdx in #145

🛡️ Security

• (deps) update azure-sdk-for-rust monorepo to 0.30 by @renovate[bot] in #144

📦️ Dependency Updates

• pin dependencies by @renovate[bot] in #133
• update rust crate demand to v1.8.0 by @renovate[bot] in #134
• lock file maintenance by @renovate[bot] in #137
• update rust crate usage-lib to v2.9.0 by @renovate[bot] in #143
• update rust crate age to v0.11.2 by @renovate[bot] in #149
• update aws-sdk-rust monorepo to v1.8.12 by @renovate[bot] in #148
• update rust crate gcp_auth to v0.12.5 by @renovate[bot] in #151
• update rust crate dbus to v0.9.10 by @renovate[bot] in #150
• update rust crate google-cloud-secretmanager-v1 to v1.2.0 by @renovate[bot] in #153
• update rust crate reqwest to v0.12.25 by @renovate[bot] in #152
• lock file maintenance by @renovate[bot] in #154
• update dependency vue to v3.5.26 by @renovate[bot] in #156
• update rust crate console to v0.16.2 by @renovate[bot] in #157
• lock file maintenance by @renovate[bot] in #162
• update rust crate arc-swap to v1.8.0 by @renovate[bot] in #167
• update rust crate chrono to v0.4.43 by @renovate[bot] in #176
• update aws-sdk-rust monorepo to v1.98.0 by @renovate[bot] in #177

New Contributors

• @johnpyp made their first contribution in #180
• @daghoidahl made their first contribution in #173
• @davidolrik made their first contribution in #147

1.7.0 - 2025-11-27

🚀 Features

• (init) improve wizard with traits and missing providers by @jdx in #129
• add KeePass provider support by @jdx in #123
• add AWS Parameter Store provider support by @jdx in #126
• support global config file for machine-wide secrets by @jdx in #128
• add secret references in provider configuration by @jdx in #131

🐛 Bug Fixes

• (set) always write to local config, create override for parent secrets by @jdx in #122

🚜 Refactor

• simplify Provider trait by removing key_file parameter by @jdx in #124

📚 Documentation

• add KeePass provider documentation by @jdx in #125

⚡ Performance

• (tests) reduce AWS Secrets Manager API calls by @jdx in #127

1.6.1 - 2025-11-26

🐛 Bug Fixes

• (edit) preserve all user edits including non-secret config by @jdx in #119

🚜 Refactor

• (age) use age crate for encryption instead of CLI by @KokaKiwi in #112
• (password-store) implement Provider trait with put_secret returning key by @KokaKiwi in #117

📚 Documentation

• add password-store provider documentation by @KokaKiwi in #111

📦️ Dependency Updates

• lock file maintenance by @renovate[bot] in #113
• lock file maintenance by @renovate[bot] in #114

New Contributors

• @renovate[bot] made their first contribution in #114

1.6.0 - 2025-11-21

🚀 Features

• add password-store provider with GPG-encrypted local storage by @KokaKiwi in #102

🐛 Bug Fixes

• prevent config hierarchy duplication in fnox set command by @jdx in #107
• preserve newly created profile sections in edit command by @jdx in #108

📚 Documentation

• add looping example for age provider by @Lailanater in #106

New Contributors

• @Lailanater made their first contribution in #106
• @KokaKiwi made their first contribution in #102

1.5.2 - 2025-11-19

🐛 Bug Fixes

• (ci) vendor dbus dependency for cross-compilation by @jdx in #99

1.5.1 - 2025-11-18

🐛 Bug Fixes

• (ci) configure dbus dependencies for cross-compilation by @jdx in #97

1.5.0 - 2025-11-18

🚀 Features

• (bitwarden) rbw support (experimental) by @nilleb in #91

🐛 Bug Fixes

• (ci) bitwarden setup by @nilleb in #92
• (ci) install dbus dependencies for release workflow by @jdx in #96

1.4.0 - 2025-11-15

🚀 Features

• (bitwarden) specify profile by @nilleb in #90

🐛 Bug Fixes

• (ci) make final job fail if any dependencies fail by @jdx in #74
• (ci) install dbus dependencies for autofix and release-plz workflows by @jdx in #89
• (docs) imports -> import by @lttb in #84
• (edit) add .toml extension, decrypt secrets properly, and support adding new secrets by @jdx in #88
• (keychain) use Secret Service backend for Linux by @jdx in #86
• respect --profile/-P CLI flag when loading config files by @jdx in #87

🔍 Other Changes

• shellcheck/shfmt by @jdx in #77

New Contributors

• @nilleb made their first contribution in #90
• @lttb made their first contribution in #84

1.3.0 - 2025-11-01

🚀 Features

• add support for fnox.$FNOX_PROFILE.toml config files by @jdx in #64
• add Infisical provider with CLI integration and self-hosted CI by @jdx in #67

🐛 Bug Fixes

• (tests) skip keychain tests in CI when gnome-keyring-daemon unavailable by @jdx in #72
• (tests) let gnome-keyring-daemon create its own control directory by @jdx in #73
• add unique namespacing to parallel provider tests by @jdx in #68

🚜 Refactor

• remove unused env_diff module and __FNOX_DIFF by @jdx in #70

⚡ Performance

• parallelize CI tests across GHA workers using tranches by @jdx in #65

🛡️ Security

• (security) store only hashes in __FNOX_SESSION instead of plaintext secrets by @jdx in #71

1.2.3 - 2025-11-01

🐛 Bug Fixes

• support FNOX_AGE_KEY by @Cantido in #60
• use inline tables by default in TOML output and preserve existing format by @jdx in #62
• enhance edit command to decrypt secrets before editing by @jdx in #63

📚 Documentation

• use single-line TOML syntax with section headers by @jdx in #51
• clean up documentation and organize providers sidebar by @jdx in cd019c0

🛡️ Security

• warn about multiline secrets in ci-redact by @jdx in #53

🔍 Other Changes

• add semantic PR title validation by @jdx in #61

New Contributors

• @Cantido made their first contribution in #60

1.2.2 - 2025-10-29

🐛 Bug Fixes

• resolve secrets from providers when using --values flag in list command by @jdx in #47
• hook-env now inherits providers from parent configs by @jdx in #37

🚜 Refactor

• change profile flag from -p to -P by @jdx in #42

📚 Documentation

• clean up local overrides docs by @jdx in #46

🔍 Other Changes

• Update commands reference link to CLI reference by @thomascjohnson in #44
• add autofix.ci workflow for automatic linting fixes by @jdx in #45

New Contributors

• @thomascjohnson made their first contribution in #44

1.2.1 - 2025-10-28

🛡️ Security

• (import) require --provider flag to prevent plaintext storage by @jdx in #35

1.2.0 - 2025-10-28

🚀 Features

• add support for fnox.local.toml local config overrides by @jdx in #30
• add batch secret resolution to improve performance by @jdx in #31

🐛 Bug Fixes

• import command now reads from input file instead of config file by @jdx in #28

📚 Documentation

• Add VitePress documentation and GitHub Pages deployment by @jdx in #32

🔍 Other Changes

• Update URLs to use custom domain fnox.jdx.dev and remove DOCS_DEPLOYMENT.md by @jdx in 79a2c78
• Remove DOCS_DEPLOYMENT.md by @jdx in dd9cb7b
• Remove ONEPASSWORD.md (content migrated to docs) by @jdx in 622baa3
• Add fnox vault logo by @jdx in 95a100f
• Add auto-generated CLI reference documentation by @jdx in 582af5b
• Show CLI Reference in sidebar on all pages by @jdx in a19d6d1
• Remove 'When to Use' sections from provider docs by @jdx in 9fc9a75
• Add custom dark theme with Fort Knox styling by @jdx in 9c83a2e
• Fix dead links to /reference/commands by @jdx in 86762d8

1.1.0 - 2025-10-27

🚀 Features

• add top-level secret inheritance for profiles by @jdx in #21
• add global if_missing configuration with priority chain by @jdx in #22

🐛 Bug Fixes

• SSH key support in age provider by @jdx in #26

1.0.1 - 2025-10-26

🐛 Bug Fixes

• default to warn instead of error for missing secrets by @jdx in #20
• expand tilde (~) in FNOX_AGE_KEY_FILE path by @pepicrft in #17
• make the onepassword vault name optional by @btkostner in #15
• do not require OP_SERVICE_ACCOUNT_TOKEN for 1password by @btkostner in #16

🛡️ Security

• skip age setup and redact tests for fork PRs by @jdx in #18

🔍 Other Changes

• (ci) add retry action for integration tests by @jdx in #19
• (release) add macOS code signing to release workflow by @jdx in #11
• wip by @jdx in b164101
• Update README.md by @jdx in 10ac17e

New Contributors

• @btkostner made their first contribution in #16
• @pepicrft made their first contribution in #17

1.0.0 - 2025-10-20

🐛 Bug Fixes

• Remove duplicate openssl-sys from main dependencies by @jdx in 8b4c8c7

0.2.2 - 2025-10-20

🐛 Bug Fixes

• Clean up Azure CLI directory in test teardown by @jdx in #5
• Make vendored OpenSSL Linux-only to fix Windows builds by @jdx in #6

0.2.1 - 2025-10-20

🐛 Bug Fixes

• Enable vendored OpenSSL for cross-compilation by @jdx in #3

0.2.0 - 2025-10-20

🚀 Features

• Add release workflow for building multi-platform binaries by @jdx in 04b63c7

🐛 Bug Fixes

• Remove label requirement from PR creation in release-plz by @jdx in 354d0a1
• Use FNOX_GH_TOKEN for PR creation permissions by @jdx in decca13
• Use FNOX_GH_TOKEN in release workflow by @jdx in 64c774b
• Remove incorrect [secrets] section assertions from init tests by @jdx in 7496483

🔍 Other Changes

• Fix Bitwarden provider to use --session flag and close stdin by @jdx in 9dcfe86

New Contributors

• @mise-en-dev made their first contribution in #2

[0.1.0] - 2025-10-20

🐛 Bug Fixes

• Handle repos with no tags in release-plz script by @jdx in 3fb62c6

🔍 Other Changes

• init by @jdx in 8a39de2

New Contributors

• @jdx made their first contribution