Documentation/Specialized/Fnox
šŸ”¬

Fnox

v1.3.0Apache 2.0

Validation and quality enforcement for Fnox secrets management with configuration checking and provider validation.

specializedskillhookfnoxsecretsvalidationsecurityconfigurationencryptionqualityenforcement

Installation

Install han binary (required for hooks to work):

curl -fsSL https://han.guru/install.sh | bash

Then install this plugin:

han plugin install fnox

Overview

Validation and quality enforcement for Fnox secrets management projects.

What This Plugin Provides

Validation Hooks

  • Configuration Validation: Runs fnox doctor to check fnox.toml configuration
  • Provider Verification: Validates provider configurations and connectivity
  • Secrets Verification: Ensures secrets can be resolved correctly
  • Automatic Execution: Validates when you finish conversations in Claude Code

Skills

This plugin provides the following skills:

  • configuration: Managing fnox.toml structure, secrets, profiles, and hierarchical configurations
  • providers: Configuring encryption (age, AWS KMS) and secret storage (AWS Secrets Manager, Azure Key Vault, GCP, Vault, 1Password, Bitwarden)
  • security-best-practices: Security guidelines for key management, access control, and secrets lifecycle

Installation

Install via the Han marketplace:

bash
han plugin install fnox

Or install manually:

bash
claude plugin marketplace add thebushidocollective/han
claude plugin install fnox@han

Usage

Once installed, this plugin automatically validates your Fnox configuration:

  • When you finish a conversation with Claude Code
  • Before commits (when combined with git hooks)
  • Validates fnox.toml syntax, provider configurations, and secret accessibility

What Gets Validated

Configuration Checks

  • fnox.toml syntax and structure
  • Provider definitions and configuration
  • Secret references and accessibility
  • Profile configurations
  • Import statement validity

Provider Validation

  • Provider connectivity and authentication
  • Encryption key availability
  • Cloud provider credentials
  • Password manager CLI availability

Security Checks

  • Unencrypted sensitive data warnings
  • Private key exposure detection
  • Configuration best practices

Requirements

  • Fnox 0.1.0+ installed
  • Projects using fnox.toml for secrets management
  • Appropriate provider CLIs installed (age, AWS CLI, gcloud, etc.)

Example Project Structure

my-project/
ā”œā”€ā”€ fnox.toml              # Main secrets configuration
ā”œā”€ā”€ fnox.local.toml        # Local overrides (gitignored)
ā”œā”€ā”€ fnox.production.toml   # Production profile
ā”œā”€ā”€ fnox.staging.toml      # Staging profile
ā”œā”€ā”€ .gitignore             # Ignore fnox.local.toml
ā””ā”€ā”€ src/

Common Validation Errors

Missing Provider Definition

toml
# āŒ Invalid
[secrets]
API_KEY = { provider = "nonexistent", value = "..." }

# āœ… Valid
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]

[secrets]
API_KEY = { provider = "age", value = "age[...]" }

Unencrypted Sensitive Data

toml
# āŒ Invalid (security warning)
[secrets]
DATABASE_PASSWORD = "plain-text-password"

# āœ… Valid
[secrets]
DATABASE_PASSWORD = { provider = "age", value = "age[...]" }

Invalid Provider Configuration

toml
# āŒ Invalid
[providers.age]
# Missing required fields

# āœ… Valid
[providers.age]
type = "age"
public_keys = ["age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"]

Security Best Practices

Always Use Encryption

toml
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]

[secrets]
SENSITIVE_DATA = { provider = "age", value = "age[...]" }

Separate Public and Private Config

toml
# fnox.toml (committed)
[providers.age]
public_keys = ["age1ql3z..."]

# fnox.local.toml (gitignored)
[providers.age]
identity = "~/.config/fnox/keys/identity.txt"

Use Profiles for Environments

bash
# Development
fnox exec -- node app.js

# Production
FNOX_PROFILE=production fnox exec -- node app.js

Skills

šŸ“–

fnox-configuration

Use when configuring Fnox secrets management with fnox.toml. Covers file structure, secrets definition, profiles, and hierarchical configurations.

šŸ“–

fnox-providers

Use when configuring Fnox providers for encryption and secret storage. Covers age encryption, cloud providers (AWS, Azure, GCP), and password managers.

šŸ“–

fnox-security-best-practices

Use when implementing secure secrets management with Fnox. Covers encryption, key management, access control, and security hardening.

Hooks

āš ļø

Token Usage Notice

Hooks run automatically during Claude Code sessions and their output is sent to the model for processing. This may increase token usage and associated costs. Consider disabling hooks you don't need via han-config.yml.

šŸ›‘

Stop

Runs when the main Claude Code agent has finished responding. Can verify task completion, check quality gates, or ensure documentation requirements are met before the session ends.

fnox doctor