basher83/devtools-secrets

DevTools Secrets

Knowledge and guardrails for the mise + fnox + infisical secrets toolchain.

Toolchain Validation

IMPORTANT: Check tool availability before proceeding with any guidance.

• mise: !command -v mise >/dev/null 2>&1 && echo "INSTALLED ($(mise --version 2>/dev/null | head -1))" || echo "MISSING — install with: curl https://mise.run | sh"
• fnox: !command -v fnox >/dev/null 2>&1 && echo "INSTALLED ($(fnox --version 2>/dev/null | head -1))" || echo "MISSING — install with: mise use -g fnox"
• infisical: !command -v infisical >/dev/null 2>&1 && echo "INSTALLED ($(infisical --version 2>/dev/null | head -1))" || echo "MISSING — install with: mise use -g infisical"

If any tool above shows MISSING, stop and help the user install it before proceeding. Do not provide configuration guidance for tools that aren't installed.

Project Config State

• fnox.toml: !test -f fnox.toml && echo "YES" || echo "NO (run: fnox init)"
• .infisical.json: !test -f .infisical.json && cat .infisical.json || echo "NO (run: infisical init)"
• mise.toml env section: !grep -A5 '^\[env\]' mise.toml 2>/dev/null || echo "No env section"

System/Global Config

• mise global config: !test -f ~/.config/mise/config.toml && head -10 ~/.config/mise/config.toml || echo "No global mise config"
• fnox global config: !test -f ~/.config/fnox/config.toml && head -10 ~/.config/fnox/config.toml || echo "No global fnox config"
• infisical logged in: !infisical user get 2>/dev/null | head -3 || echo "Not logged in or not installed"

Tool Roles

| Tool | Role | |------|------| | mise | Task runner + env manager. Orchestrates dev tooling, runs tasks, manages env vars through plugins. | | fnox | Unified secret interface. Abstracts over multiple secret backends (infisical, age, env files) with a single CLI. | | infisical | Remote secrets backend. Stores, syncs, and injects secrets from a central server. |

These tools complement each other: infisical stores secrets remotely, fnox provides a unified local interface to them, and mise orchestrates tasks that consume secrets via fnox.

Integration Chain

The typical flow:

1. fnox.toml defines infisical as a provider with project/environment config
2. fnox exec -- resolves secrets from the provider and injects them as env vars
3. mise tasks can wrap fnox exec to run commands with secrets injected
4. Alternatively, mise env plugins can call fnox directly for auto-injection on cd

Secrets Enforcement

This project enforces secrets hygiene via always-on hooks in .claude/settings.json (not scoped to this skill):

• block-hardcoded-secrets.py — Blocks Edit/Write operations containing hardcoded API keys, tokens, passwords, or known secret prefixes (sk-, ghp_, AKIA, xox[bpras]-)
• block-bare-secret-exports.py — Blocks Bash commands that export secret-like env vars without wrapping in fnox exec or infisical run

These hooks are always active regardless of whether this skill is loaded.

Configuration Patterns

Detailed configuration for each tool is in the reference files:

• @references/mise-integration.md — mise env plugins, tasks, fnox integration
• @references/fnox-configuration.md — fnox.toml structure, providers, profiles
• @references/infisical-patterns.md — infisical CLI, scanning, CI/CD

Gotchas

• Order matters: fnox.toml must exist before fnox exec works. Run fnox init if missing.
• Profile mismatches: fnox profiles (dev/staging/prod) must match infisical environment slugs. A mismatch silently returns empty secrets.
• .infisical.json is safe to commit — it contains project IDs and workspace config, not secrets.
• fnox.toml may contain sensitive paths — review before committing if using age-encrypted file provider.
• mise env plugins run on cd — if a plugin calls fnox and fnox is misconfigured, you get errors on every directory change.
• infisical auth expires — infisical login tokens have a TTL. CI/CD should use INFISICAL_TOKEN (service token) instead.
• Token path scope is explicit — a service token scoped to / cannot access secrets in child paths like /git_actions. Each path requires its own token or use --recursive with the CLI directly.