fnox-providers
Use when configuring Fnox providers for encryption and secret storage. Covers age encryption, cloud providers (AWS, Azure, GCP), and password managers.
Best use case
fnox-providers is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using fnox-providers should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in .claude/skills/fnox-providers/SKILL.md inside your project
- Restart your AI agent; it will auto-discover the skill
SKILL.md Source
# Fnox - Providers
Configuring encryption and secret storage providers in Fnox for secure secrets management.
## Provider Types
Fnox supports three categories of providers:
1. **Encryption** - Local encryption (age, AWS KMS, Azure, GCP)
2. **Cloud Storage** - Remote secret storage (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, Vault)
3. **Password Managers** - Integration with password managers (1Password, Bitwarden, Infisical, pass)
## Age Encryption (Recommended)
### Setup Age Provider
```bash
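# Create the key directory first (age-keygen does not create parent directories)
mkdir -p ~/.config/fnox/keys
# Generate age key pair
age-keygen -o ~/.config/fnox/keys/identity.txt
# Get public key
grep "public key" ~/.config/fnox/keys/identity.txt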
# age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
```
### Configure Age in fnox.toml
```toml
# fnox.toml (committed)
[providers.age]
type = "age"
public_keys = ["age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"]
# fnox.local.toml (gitignored)
[providers.age]
identity = "~/.config/fnox/keys/identity.txt"
```
### Store Secrets with Age
```bash
# Set encrypted secret
fnox set DATABASE_PASSWORD
# Prompts for value, encrypts with age public key
# Set from command
echo "secret-value" | fnox set API_KEY --provider age
```
### Team Setup with Age
```toml
# Multiple recipients for team access
[providers.age]
type = "age"
public_keys = [
  "age1ql3z...", # Alice
  "age1qw4r...", # Bob
  "age1qx5t...", # CI/CD
]
```
## AWS Secrets Manager
### Configure AWS Secrets Manager
```toml
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
# Optional: profile = "production"
```
### Store Secrets in AWS
```bash
# Reference AWS secret
fnox set DATABASE_URL --provider aws-sm
# Enter: prod/database-url (AWS secret name)
```
### AWS Secrets Manager Configuration
```toml
[secrets]
# Inline tables must be written on a single line (TOML 1.0)
DATABASE_URL = { provider = "aws-sm", value = "prod/database-url", description = "Production database connection string" }
API_KEY = { provider = "aws-sm", value = "prod/api-key" }
```
## AWS KMS Encryption
### Configure AWS KMS
```toml
[providers.kms]
type = "aws-kms"
key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
region = "us-east-1"
```
### Use AWS KMS
```bash
# Encrypt with KMS
fnox set SECRET_KEY --provider kms
```
## Azure Key Vault
### Configure Azure
```toml
[providers.azure]
type = "azure-kv"
vault_url = "https://my-vault.vault.azure.net"
# Authentication via Azure CLI or environment variables
```
### Azure Secrets
```toml
[secrets]
DATABASE_PASSWORD = { provider = "azure", value = "database-password", description = "Azure Key Vault secret name" }
```
## GCP Secret Manager
### Configure GCP
```toml
[providers.gcp]
type = "gcp-sm"
project_id = "my-project"
# Authentication via gcloud or service account
```
### GCP Secrets
```toml
[secrets]
API_KEY = { provider = "gcp", value = "projects/my-project/secrets/api-key/versions/latest" }
```
## HashiCorp Vault
### Configure Vault
```toml
[providers.vault]
type = "vault"
address = "https://vault.example.com"
token = { env = "VAULT_TOKEN" } # From environment
```
### Vault Secrets
```toml
[secrets]
DATABASE_URL = { provider = "vault", value = "secret/data/prod/database-url" }
```
## 1Password
### Configure 1Password
```toml
[providers.onepassword]
type = "1password"
# Requires 1Password CLI (op) installed
```
### 1Password References
```toml
[secrets]
API_KEY = { provider = "onepassword", value = "op://Production/API Keys/api-key" }
DATABASE_PASSWORD = { provider = "onepassword", value = "op://Production/Database/password" }
```
## Bitwarden
### Configure Bitwarden
```toml
[providers.bitwarden]
type = "bitwarden"
# Requires Bitwarden CLI (bw) installed and unlocked
```
### Bitwarden Secrets
```toml
[secrets]
STRIPE_KEY = { provider = "bitwarden", value = "item-id/field-name" }
```
## Provider Testing
### Test Provider Configuration
```bash
# Test specific provider
fnox provider test age
fnox provider test aws-sm
# List configured providers
fnox provider list
# Add provider interactively
fnox provider add
# Remove provider
fnox provider remove age
```
## Best Practices
### Choose the Right Provider
```toml
# Development: age (simple, local encryption)
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]
# Production: Cloud secret manager
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
# Team collaboration: 1Password or Bitwarden
[providers.onepassword]
type = "1password"
```
### Use Multiple Providers
```toml
# Different providers for different secrets
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
[secrets]
# Development secrets with age
DEV_API_KEY = { provider = "age", value = "age[...]" }
# Production secrets with AWS
PROD_DATABASE_URL = { provider = "aws-sm", value = "prod/db-url" }
```
### Provider Aliases
```toml
# Name providers descriptively
[providers.prod-secrets]
type = "aws-sm"
region = "us-east-1"
[providers.staging-secrets]
type = "aws-sm"
region = "us-west-2"
[secrets]
DATABASE_URL = { provider = "prod-secrets", value = "prod/db" }
```
## Common Patterns
### Development to Production Migration
```toml
# fnox.toml (development)
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]
[secrets]
DATABASE_URL = { provider = "age", value = "age[...]" }
# fnox.production.toml
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
[secrets]
DATABASE_URL = { provider = "aws-sm", value = "prod/database-url" }
```
### Multi-Region Setup
```toml
[providers.us-secrets]
type = "aws-sm"
region = "us-east-1"
[providers.eu-secrets]
type = "aws-sm"
region = "eu-west-1"
[secrets]
US_API_ENDPOINT = { provider = "us-secrets", value = "us/api-endpoint" }
EU_API_ENDPOINT = { provider = "eu-secrets", value = "eu/api-endpoint" }
```
### Hybrid Approach
```toml
# Development secrets: age encryption
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]
# Shared team secrets: 1Password
[providers.team]
type = "1password"
# Production secrets: AWS
[providers.prod]
type = "aws-sm"
region = "us-east-1"
[secrets]
DEV_DATABASE_URL = { provider = "age", value = "age[...]" }
TEAM_SLACK_WEBHOOK = { provider = "team", value = "op://Team/Slack/webhook" }
PROD_DATABASE_URL = { provider = "prod", value = "prod/db-url" }
```
## Anti-Patterns
### Don't Hardcode Credentials
```toml
# Bad: Hardcoded credentials
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
access_key_id = "AKIAIOSFODNN7EXAMPLE" # NEVER DO THIS
secret_access_key = "wJalrXUtnFEMI/..." # NEVER DO THIS
# Good: Use AWS credentials chain
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
# Credentials from ~/.aws/credentials or environment
```
### Don't Mix Provider Types Unnecessarily
```toml
# Bad: Too many providers for simple project
[providers.age]
type = "age"
[providers.aws-sm]
type = "aws-sm"
[providers.azure]
type = "azure-kv"
[providers.gcp]
type = "gcp-sm"
# Good: Choose one appropriate provider
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]
```
### Don't Share Private Keys
```toml
# Bad: Private key in config
[providers.age]
identity = "AGE-SECRET-KEY-..." # NEVER COMMIT THIS
# Good: Reference external file
[providers.age]
identity = "~/.config/fnox/keys/identity.txt" # Gitignored
```
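A small lint for the credential anti-patterns above (hardcoded cloud credentials and inline age private keys), as an added example that is not part of the original SKILL.md or the fnox project. The key names come from this page's snippets; flagging a literal `token = "..."` is an assumption that extends the same rule to the Vault provider, and both sample configs are constructed.

```python
import re

# Rules for the anti-patterns on this page. Key names (access_key_id,
# secret_access_key, identity, token) come from the page's snippets; the
# literal-token rule is an assumption extending the idea to Vault.
# Assignment rules also match commented-out lines, since a secret left in
# a comment is still committed.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("aws-secret-access-key",
     re.compile(r"^\s*#?\s*secret_access_key\s*=\s*[\"']")),
    ("age-private-key", re.compile(r"AGE-SECRET-KEY-")),
    ("literal-token", re.compile(r"^\s*#?\s*token\s*=\s*[\"']")),
]


def lint_fnox_config(text):
    """Return (line_number, rule_name) for every hardcoded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


# Constructed sample inputs; none of these values is a real credential.
BAD = """\
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
access_key_id = "AKIAIOSFODNN7EXAMPLE"
secret_access_key = "constructed-not-a-real-secret"
[providers.age]
identity = "AGE-SECRET-KEY-CONSTRUCTED-PLACEHOLDER"
[providers.vault]
token = "constructed-literal-token"
"""

GOOD = """\
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
# Credentials from ~/.aws/credentials or environment
[providers.age]
identity = "~/.config/fnox/keys/identity.txt"
[providers.vault]
token = { env = "VAULT_TOKEN" }
"""

if __name__ == "__main__":
    for lineno, rule in lint_fnox_config(BAD):
        print(f"fnox.toml:{lineno}: {rule}")
```

Run it over every committed fnox config file in a pre-commit hook or CI step and fail the build when the returned list is non-empty.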
## Provider-Specific Features
### Age: Multiple Recipients
```toml
[providers.age]
type = "age"
public_keys = [
  "age1ql3z...", # Team member 1
  "age1qw4r...", # Team member 2
  "age1qx5t...", # CI/CD system
]
```
### AWS: Cross-Account Access
```toml
[providers.shared-secrets]
type = "aws-sm"
region = "us-east-1"
role_arn = "arn:aws:iam::123456789012:role/CrossAccountSecretsRole"
```
### Vault: Namespace Support
```toml
[providers.vault-prod]
type = "vault"
address = "https://vault.example.com"
namespace = "production"
token = { env = "VAULT_TOKEN" }
```
## Related Skills
- **configuration**: Managing fnox.toml structure and secrets
- **security-best-practices**: Security guidelines for providers