fix(infisical): support CLI session auth as fallback #375

Open
rcdailey wants to merge 1 commit into jdx:main from rcdailey:fix/infisical-cli-auth

@rcdailey

The Infisical provider currently requires explicit credentials (INFISICAL_TOKEN or INFISICAL_CLIENT_ID + INFISICAL_CLIENT_SECRET). If neither is set, it fails with "Authentication not found", even when the user has an active CLI session from infisical login.

This is inconsistent with how the Infisical CLI itself works. Running infisical secrets get ... without --token uses the cached session just fine.

The fix: when no explicit credentials are configured, skip passing --token and let the CLI use its own session. The priority is:

  1. INFISICAL_TOKEN / FNOX_INFISICAL_TOKEN (explicit token, used as-is)
  2. INFISICAL_CLIENT_ID + INFISICAL_CLIENT_SECRET (universal auth login, token cached)
  3. CLI session fallback (no --token passed, CLI manages its own auth)

test_connection() also needed updating since it previously just checked for a token. When using CLI session auth, it now runs a secrets list command as a connectivity check instead.

All existing cargo tests pass. I've tested this against a self-hosted Infisical instance with infisical login session auth.
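
The three-tier priority described in the comment above, as an added sketch that is not code from the PR or from fnox. `AuthSource`, `resolve_auth` and `cli_args` are hypothetical names; treating blank values as unset, reading `FNOX_INFISICAL_TOKEN` before `INFISICAL_TOKEN`, and rejecting a half-set client pair are assumptions of the sketch.

```rust
use std::collections::HashMap;

// Hypothetical types for this sketch; they are not fnox's own.
#[derive(Debug, PartialEq)]
enum AuthSource {
    ExplicitToken(String), // tier 1
    UniversalAuth { client_id: String, client_secret: String }, // tier 2
    CliSession, // tier 3: no token, the CLI uses its cached login
}

/// Pick the auth tier in the order the PR description lists.
/// Assumptions of this sketch: blank values count as unset, FNOX_INFISICAL_TOKEN
/// is read before INFISICAL_TOKEN, and a half-set client pair is an error
/// rather than a silent drop to the ambient CLI session.
fn resolve_auth(env: &HashMap<&str, &str>) -> Result<AuthSource, String> {
    let get = |k: &str| {
        env.get(k).map(|v| v.trim()).filter(|v| !v.is_empty()).map(String::from)
    };
    if let Some(t) = get("FNOX_INFISICAL_TOKEN").or_else(|| get("INFISICAL_TOKEN")) {
        return Ok(AuthSource::ExplicitToken(t));
    }
    match (get("INFISICAL_CLIENT_ID"), get("INFISICAL_CLIENT_SECRET")) {
        (Some(client_id), Some(client_secret)) => {
            Ok(AuthSource::UniversalAuth { client_id, client_secret })
        }
        (None, None) => Ok(AuthSource::CliSession),
        _ => Err("INFISICAL_CLIENT_ID and INFISICAL_CLIENT_SECRET must be set together".into()),
    }
}

/// Build the CLI argument list. `--token` is appended only when a token exists,
/// so `None` leaves authentication to the CLI's cached session.
fn cli_args(base: &[&str], token: Option<&str>) -> Vec<String> {
    let mut args: Vec<String> = base.iter().map(|s| s.to_string()).collect();
    if let Some(t) = token {
        args.push("--token".into());
        args.push(t.into());
    }
    args
}

fn main() {
    // Constructed environment: nothing set, so the CLI session tier is chosen.
    let env: HashMap<&str, &str> = HashMap::new();
    println!("{:?}", resolve_auth(&env));
    println!("{:?}", cli_args(&["secrets", "get", "SECRET"], None));
}
```

Logging which tier was selected makes it visible when a run used the ambient CLI session rather than an explicit credential.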

@greptile-apps

greptile-apps bot commented Mar 31, 2026

Greptile Summary

This PR adds CLI session auth as a third fallback for the Infisical provider: when neither INFISICAL_TOKEN nor INFISICAL_CLIENT_ID/INFISICAL_CLIENT_SECRET are set, --token is omitted from CLI invocations and the Infisical CLI uses its cached session from infisical login. test_connection() is updated to run a live secrets list check for this path since there is no token to validate locally.

Two minor P2 notes: the --output json flag passed to infisical secrets list in test_connection() is not shown in the CLI docs for that subcommand (only for secrets get) and should be confirmed; and the bats skip logic still requires explicit credentials, so the new CLI session happy path has no bats test coverage.

Confidence Score: 5/5

Safe to merge; the change is minimal, well-scoped, and the prior P0/P1 concerns from earlier rounds are fully resolved.

All remaining findings are P2: one verification suggestion about an undocumented CLI flag and one test coverage gap. Neither blocks merge nor introduces correctness issues.

src/providers/infisical.rs line 435 (verify secrets list --output json is supported by the CLI) and test/infisical.bats (no happy-path bats test for CLI session auth).

Important Files Changed

| Filename | Overview |
| --- | --- |
| src/providers/infisical.rs | Adds Option<String> return to get_auth_token() enabling CLI session fallback; updates execute_infisical_command to omit --token when None; updates test_connection() to run secrets list as a live connectivity check for the CLI session path. |
| test/infisical.bats | Updates 'fails gracefully' test to accept CLI session error variants; bats skip logic still requires explicit credentials, leaving the happy-path CLI session fallback untested by the suite. |
| docs/providers/infisical.md | Well-updated docs describe all three auth tiers (CLI session, service token, universal auth) with an accurate Quick Start and troubleshooting sections. |
| mise.toml | Adds infisical = 'latest' and rust = 'latest' tool entries to the mise toolchain configuration. |

Sequence Diagram

sequenceDiagram
    participant User
    participant fnox
    participant InfisicalProvider
    participant InfisicalCLI

    User->>fnox: fnox get SECRET
    fnox->>InfisicalProvider: get_secret("SECRET")
    InfisicalProvider->>InfisicalProvider: execute_infisical_command(args)
    InfisicalProvider->>InfisicalProvider: get_auth_token()

    alt INFISICAL_TOKEN set
        InfisicalProvider-->>InfisicalProvider: Ok(Some(token))
        InfisicalProvider->>InfisicalCLI: infisical secrets get ... --token token
    else CLIENT_ID + CLIENT_SECRET set
        InfisicalProvider->>InfisicalCLI: infisical login --method universal-auth ...
        InfisicalCLI-->>InfisicalProvider: cached token
        InfisicalProvider->>InfisicalCLI: infisical secrets get ... --token cached_token
    else No explicit credentials (new)
        InfisicalProvider-->>InfisicalProvider: Ok(None)
        InfisicalProvider->>InfisicalCLI: infisical secrets get ... (no --token)
        Note over InfisicalCLI: CLI uses cached session from infisical login
    end

    InfisicalCLI-->>InfisicalProvider: JSON output
    InfisicalProvider-->>fnox: secret value
    fnox-->>User: secret value

Reviews (5): Last reviewed commit: "fix(infisical): support CLI session auth..."

Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request updates the Infisical provider to support CLI session authentication when explicit credentials (like environment variables or client secrets) are not provided. It modifies get_auth_token to return an optional token and updates test_connection to perform a connectivity check using the secrets list command when falling back to the CLI session. A review comment suggests that test_connection should be refactored to always execute this probe command, ensuring that explicit credentials are also verified for validity and project accessibility rather than assuming success immediately.

@rcdailey rcdailey force-pushed the fix/infisical-cli-auth branch 2 times, most recently from 6f15b4e to 6c63759 Compare March 31, 2026 23:08
Owner

@jdx jdx left a comment

The code change looks good! One thing — the docs at docs/providers/infisical.md should be updated to reflect that CLI session auth now works as a fallback. Currently the docs present INFISICAL_TOKEN or universal auth as required steps.

Key spots:

  • Quick Start (step 3): Says "Get a service token or universal auth token" as if mandatory — with this change, infisical login alone is sufficient
  • "Get Authentication Token" section: Could use an "Option C: CLI Session Auth" noting that no env vars are needed if you've run infisical login
  • Usage section: Shows export INFISICAL_TOKEN=... as a required first step
  • Token Management: Implies a token is always needed

This comment was generated by Claude Code.

Previously, the Infisical provider required explicit credentials
(INFISICAL_TOKEN or INFISICAL_CLIENT_ID/SECRET). This change makes
get_auth_token() return None when no credentials are found, allowing the
CLI to use its own cached session from 'infisical login'.

- Update get_auth_token() to return Option<String>, falling back to CLI
  session auth
- Update docs to recommend CLI session auth as simplest option for local
  development
- Update bats test to accept either auth_failed or cli_failed for
  missing credentials
- Add rust to mise.toml tools

@rcdailey rcdailey closed this Apr 4, 2026
@rcdailey rcdailey force-pushed the fix/infisical-cli-auth branch from 951fc97 to c7f3496 Compare April 4, 2026 16:41
@rcdailey rcdailey reopened this Apr 4, 2026
@rcdailey
Author

rcdailey commented Apr 4, 2026

Updated the docs per your review. Changes:

  • Rewrote the Quick Start to use infisical login alone (removed the mandatory token/universal-auth steps)
  • Restructured "Get Authentication Token" into three options: CLI session (simplest), service token (CI/CD), and universal auth (machine identity). Also added the auth priority order at the top of the section.
  • Updated Usage to show that fnox get/fnox exec work directly with CLI session auth
  • Rewrote Token Management to clarify tokens are only needed for CI/CD, not local dev
  • Replaced the "Service Token vs Universal Auth" section with a three-way comparison that includes CLI session auth
  • Updated best practices to recommend CLI session auth for local dev

Also fixed the Infisical provider fails gracefully with missing credentials bats test. With CLI session fallback, the CLI now tries an interactive login instead of returning auth_failed, so the test accepts either auth_failed or cli_failed.
