# DevTools Secrets

Knowledge and guardrails for the mise + fnox + infisical secrets toolchain.
## Toolchain Validation

IMPORTANT: Check tool availability before proceeding with any guidance.

- mise: !`command -v mise >/dev/null 2>&1 && echo "Installed ($(mise --version 2>/dev/null | head -1))" || echo "MISSING: install via curl https://mise.run | sh"`
- fnox: !`command -v fnox >/dev/null 2>&1 && echo "Installed ($(fnox --version 2>/dev/null | head -1))" || echo "MISSING: install via mise use -g fnox"`
- infisical: !`command -v infisical >/dev/null 2>&1 && echo "Installed ($(infisical --version 2>/dev/null | head -1))" || echo "MISSING: install via mise use -g infisical"`

If any tool above shows MISSING, stop and help the user install it before proceeding. Do not provide configuration guidance for tools that aren't installed.
## Project Config State

- fnox.toml: !`test -f fnox.toml && echo Yes || echo "No (run: fnox init)"`
- .infisical.json: !`test -f .infisical.json && cat .infisical.json || echo "No (run: infisical init)"`
- mise.toml env section: !`grep -A5 '^\[env\]' mise.toml 2>/dev/null || echo "No env section"`
## System/Global Config

- mise global config: !`test -f ~/.config/mise/config.toml && head -10 ~/.config/mise/config.toml || echo "No global mise config"`
- fnox global config: !`test -f ~/.config/fnox/config.toml && head -10 ~/.config/fnox/config.toml || echo "No global fnox config"`
- infisical logged in: !`{ infisical user get 2>/dev/null || echo "Not logged in or not installed"; } | head -3`
## Tool Roles

| Tool | Role |
|---|---|
| mise | Task runner + env manager. Orchestrates dev tooling, runs tasks, manages env vars through plugins. |
| fnox | Unified secret interface. Abstracts over multiple secret backends (infisical, age, env files) with a single CLI. |
| infisical | Remote secrets backend. Stores, syncs, and injects secrets from a central server. |

These tools complement each other: infisical stores secrets remotely, fnox provides a unified local interface to them, and mise orchestrates tasks that consume secrets via fnox.
## Integration Chain

The typical flow:

1. `fnox.toml` defines infisical as a provider with project/environment config
2. `fnox exec --` resolves secrets from the provider and injects them as env vars
3. mise tasks can wrap `fnox exec` to run commands with secrets injected
4. Alternatively, mise env plugins can call fnox directly for auto-injection on `cd`
## Secrets Enforcement

This project enforces secrets hygiene via always-on hooks in `.claude/settings.json` (not scoped to this skill):

- `block-hardcoded-secrets.py` — Blocks Edit/Write operations containing hardcoded API keys, tokens, passwords, or known secret prefixes (`sk-`, `ghp_`, `AKIA`, `xox[bpras]-`)
- `block-bare-secret-exports.py` — Blocks Bash commands that `export` secret-like env vars without wrapping in `fnox exec` or `infisical run`

These hooks are always active regardless of whether this skill is loaded.
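The following is an added example, not the project's own hook code: a single PreToolUse hook that implements both guardrails described above (hardcoded-secret detection for Edit/Write and bare-export detection for Bash). It assumes the Claude Code hook contract of a JSON object on stdin carrying `tool_name` and `tool_input`, with exit code 2 blocking the call and stderr shown to the model; the field names `content`, `new_string` and `command`, the regexes, and the sample inputs are all assumptions or constructed values.

```python
"""Added example (not the project's own hook code): one PreToolUse hook that
implements the two guardrails named above.

Assumption (labelled): Claude Code hands the hook a JSON object on stdin
with "tool_name" and "tool_input", and exit code 2 blocks the tool call
while stderr is shown to the model. The regexes and sample inputs are
constructed for illustration.
"""
import json
import re
import shlex
import sys
from typing import Optional

# Known secret prefixes from the page (sk-, ghp_, AKIA, xox[bpras]-), each
# followed by a plausible key body so that prose mentioning "sk-" alone
# does not trigger the hook.
SECRET_PREFIX_RE = re.compile(
    r"\b(sk-[A-Za-z0-9_-]{8,}|ghp_[A-Za-z0-9]{8,}|AKIA[A-Z0-9]{12,}|xox[bpras]-[A-Za-z0-9-]{8,})"
)
# Generic "password = 'literal'" style assignments with a quoted value.
ASSIGNMENT_RE = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"
)
# Env var names that look like they hold a secret.
SECRET_VAR_RE = re.compile(r"(?i)(KEY|SECRET|TOKEN|PASSWORD|PASSWD)$")
# Command pairs that inject secrets at runtime instead of exporting them by hand.
WRAPPERS = {("fnox", "exec"), ("infisical", "run")}


def find_hardcoded_secret(text: str) -> Optional[str]:
    """Return the offending fragment if `text` carries a hardcoded secret, else None."""
    for rx in (SECRET_PREFIX_RE, ASSIGNMENT_RE):
        m = rx.search(text)
        if m:
            return m.group(0)
    return None


def find_bare_secret_export(command: str) -> Optional[str]:
    """Return the name of a bare `export SECRET_VAR=literal` in a Bash command, else None.

    An export is "bare" when the command line is not wrapped by `fnox exec`
    or `infisical run`; values pulled from the environment or a subshell
    (`$VAR`, `$(fnox get ...)`) are not hardcoded and are allowed.
    """
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = command.split()
    for a, b in zip(tokens, tokens[1:]):
        if (a, b) in WRAPPERS:
            return None
    i = 0
    while i < len(tokens):
        if tokens[i] != "export":
            i += 1
            continue
        j = i + 1
        while j < len(tokens) and "=" in tokens[j]:  # `export A=1 B=2` exports several
            name, _, value = tokens[j].partition("=")
            value = value.rstrip(";")
            if SECRET_VAR_RE.search(name) and value and not value.startswith("$"):
                return name
            j += 1
        i = j
    return None


def main() -> int:
    payload = json.load(sys.stdin)
    tool = payload.get("tool_name", "")
    tool_input = payload.get("tool_input") or {}
    if tool in ("Edit", "Write"):
        # Write carries "content"; Edit carries "new_string" (assumed field names).
        text = " ".join(str(tool_input.get(k, "")) for k in ("content", "new_string"))
        hit = find_hardcoded_secret(text)
        if hit:
            print(f"Blocked: hardcoded secret detected ({hit[:6]}...). "
                  "Reference it via fnox/infisical instead.", file=sys.stderr)
            return 2
    elif tool == "Bash":
        var = find_bare_secret_export(str(tool_input.get("command", "")))
        if var:
            print(f"Blocked: bare export of {var}. "
                  "Wrap the command in `fnox exec --` or `infisical run --`.", file=sys.stderr)
            return 2
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Registering the script as a PreToolUse hook for the `Edit`, `Write` and `Bash` tools in `.claude/settings.json` makes the checks run before each call; only the exported variable name, never its value, is echoed back, so the hook's own output cannot leak the secret it just caught.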
## Configuration Patterns

Detailed configuration for each tool is in the reference files:

- @references/mise-integration.md — mise env plugins, tasks, fnox integration
- @references/fnox-configuration.md — fnox.toml structure, providers, profiles
- @references/infisical-patterns.md — infisical CLI, scanning, CI/CD
## Gotchas

- Order matters: `fnox.toml` must exist before `fnox exec` works. Run `fnox init` if missing.
- Profile mismatches: fnox profiles (dev/staging/prod) must match infisical environment slugs. A mismatch silently returns empty secrets.
- `.infisical.json` is safe to commit — it contains project IDs and workspace config, not secrets.
- `fnox.toml` may contain sensitive paths — review before committing if using the age-encrypted file provider.
- mise env plugins run on `cd` — if a plugin calls fnox and fnox is misconfigured, you get errors on every directory change.
- infisical auth expires — `infisical login` tokens have a TTL. CI/CD should use `INFISICAL_TOKEN` (service token) instead.
- Token path scope is explicit — a service token scoped to `/` cannot access secrets in child paths like `/git_actions`. Each path requires its own token, or use `--recursive` with the CLI directly.