fnox Integration
envpkt integrates with fnox for secret resolution and injection. fnox handles access; envpkt handles awareness.
Scaffolding from fnox
Section titled “Scaffolding from fnox”Generate envpkt.toml entries from an existing fnox.toml:
envpkt init --from-fnoxThis creates [meta.*] sections for each secret defined in fnox, pre-populating the service field where possible.
Orphan Detection
Section titled “Orphan Detection”When both fnox.toml and envpkt.toml exist, envpkt audit detects orphaned keys:
- In envpkt but not in fnox — metadata exists but no secret source
- In fnox but not in envpkt — secret exists but no metadata
Secret Injection
Section titled “Secret Injection”envpkt exec injects fnox secrets into the subprocess environment:
envpkt exec -- node server.jsThe execution flow:
- Load
envpkt.toml - Run pre-flight audit
- Resolve secrets from fnox
- Inject into subprocess environment
- Execute the command
Profiles
Section titled “Profiles”Use fnox profiles for environment-specific secrets:
envpkt exec --profile staging -- node server.jsenvpkt exec --profile production -- ./deploy.shAgent Identity
Section titled “Agent Identity”envpkt supports encrypted agent identity via age keys:
[agent]name = "data-pipeline"identity = "keys/agent.age"recipient = "age1..."The identity field points to an age-encrypted key file. The recipient field is the agent’s public key for encryption.
Library API
Section titled “Library API”import { detectFnox, fnoxAvailable, fnoxGet, compareFnoxAndEnvpkt } from "envpkt"
// Check if fnox is availableconst available = fnoxAvailable()
// Detect fnox.tomlconst detected = detectFnox()
// Compare fnox and envpkt keysconst comparison = compareFnoxAndEnvpkt(fnoxConfig, envpktConfig)