Skip to content(if available)orjump to list(if available)

fnox, a secret manager that pairs well with mise

fnox, a secret manager that pairs well with mise

13 comments

·October 27, 2025
Visit

mackross

Love the thought put into mise and now fnox. They’re a joy to use.

azazel75

Any pointers to the cited mise, that I must admit I know nothing about?

cjp

https://github.com/jdx/mise

It's a generic version manager (replacing nvm/pyenv/etc). It also does direnv and tasks.

yoavm

mise.jdx.dev/

domenkozar

It's cool to see almost verbatim copy of https://secretspec.dev :) I'm glad mise is catching up on https://devenv.sh features though.

kstrauser

How do you figure? I'm not involved with either project, but to my outsider eyes it seems like two completely different implementations of the same basic idea, which configuration that only looks necessarily similar to (i.e. there are only so many ways to write "here's how to look for secrets in 1Password" using TOML, which is a common configuration language and also one heavily used in the Rust ecosystem).

Also, devenv and mise also feel like different animals to me. I can't imagine many scenarios where I'd use them interchangeably.

domenkozar

Look at the problem statement, it's exactly the same. When I designed secretspec, I researched the space and no other tool approached secrets in such a way.

Syntax of toml is almost identical, the CLI as well.

It even has the same vocabulary.

I didn't dig deeper though, but I'd be surprised not to find more :)

kstrauser

I almost feel like we're looking at different things. From secretspec[0]:

  [project]
  name = "web-api"
  revision = "2.1.0"
  extends = ["../shared/base", "../shared/auth"]
  
  [profiles.default]
  # Inherits DATABASE_URL, LOG_LEVEL from base
  # Inherits JWT_SECRET, SESSION_SECRET from auth
  # Service-specific additions:
  STRIPE_API_KEY = { description = "Stripe payment API", required = true }
  REDIS_URL = { description = "Redis cache connection", required = true }
  PORT = { description = "Server port", required = false, default = "3000" }
From fnox[1]:

  [secrets.DATABASE_URL]
  provider = "onepass"
  value = "Database"  # ← Item name in 1Password (fetches 'password' field)
  
  [secrets.DB_USERNAME]
  provider = "onepass"
  value = "Database/username"  # ← Specific field
  
  [secrets.API_KEY]
  provider = "onepass"
  value = "op://Development/API Keys/credential"  # ←
Is the similarity that they both refer to providers (as did Terraform and countless other config tools before it)? Or profiles (like aws-cli and countless other config tools before it)? Because other than that, I'm not really seeing it. And if I hadn't seen either of these, and my boss ordered me to implement something like them, I almost guarantee I'd use similar names for things because those are the common terms for them in industry.

Honestly, I'm not invested in either of these. They both look nifty, but I couldn't personally care less if either (or both or neither) of these catch on and become standards. I'm only commenting here because your statement here and on the linked discussion[2] ("it's almost a verbatim copy") seems incredibly aggressive, and to me, quite offputting. They don't look alike at all to me, other than that they both aim to do similar things and thus will have some natural overlap in terminology.

[0]https://secretspec.dev/concepts/declarative/

[1]https://github.com/jdx/fnox

[2]https://github.com/jdx/mise/discussions/6779#discussioncomme...

cultureulterior

There's no explanation or link to mise from that page that I can see. I now know what mise is, but that's from googling

fishgoesblub

The link in the post is literally on the Mise Github page. One click and you're on the main page reading the detailed README.

cultureulterior

It's a dev tool manager

hackernewscunts

[dead]

augunrik

From the initial feature set it sounds like Mozilla SOPS.