Summary
Adopt the fnox CLI for secret injection and profiles. Migrate sensitive variables from .env.submit (Chrome Web Store / Firefox AMO publish credentials) and optional .env (e.g. WXT_GA_API_SECRET for the WXT build) so secrets can be encrypted in fnox.toml (or provider-backed) instead of local dotenv files.
Background
- WXT exposes only WXT_* / VITE_* to import.meta.env (WXT env docs). Example: WXT_GA_API_SECRET in src/app.config.ts.
- .env.submit is for store submission (CHROME_*, FIREFOX_*, etc.) — not bundled in the extension; consumed by submit/CI tooling. It is gitignored (.env*).
- Fnox injects env via fnox exec -- <command> or shell integration; use profiles (e.g. dev vs submit/production) per Fnox profiles.
Proposed work
- Install fnox, fnox init, optional age encryption; optionally pin the CLI in mise.toml.
- Inventory: map .env.submit keys vs WXT_* build vars; assign Fnox profiles (e.g. submit for store creds, default/dev for GA).
- Migrate: fnox set per profile; configure FNOX_IF_MISSING for CI (env reference).
- Scripts: wrap submit/release and dev/build commands with fnox exec --profile … -- or document fnox activate for shells.
- CI: add FNOX_AGE_KEY / FNOX_AGE_KEY_FILE; run submit/build with the right profile.
- Docs: AGENTS.md + update .cursor/skills/ if package.json scripts or release steps change (skill maintenance).
- Cleanup: stop relying on a populated local .env.submit; optional .env.example with names only.
Verification
- Submit flow gets the same env names as before via Fnox.
- pnpm build / pnpm dev still receive WXT_GA_API_SECRET when required.
- E2E unchanged (CI only unless we add vars).
- Zips do not leak submit secrets (wxt.config already excludes *.env*).
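One way to check the first verification item (added example, not code from the project or from fnox): a preflight script that reads the names-only .env.example and confirms every name is set and non-empty in the current environment, so it can be run under fnox exec --profile submit -- before the real submit command. The script path, the placeholder CHROME_EXAMPLE_VAR / FIREFOX_EXAMPLE_VAR names and the .env.example contents are assumptions; only names are ever printed, never values.

```shell
#!/bin/sh
# Preflight for the submit flow. Assumed usage (paths are not the project's own):
#   fnox exec --profile submit -- sh scripts/check-env.sh .env.example

# Print the variable names listed in a dotenv-style file. Comments and blank
# lines are skipped and values are ignored, so a names-only file works.
env_names_from_file() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
        | sed -e 's/^[[:space:]]*export[[:space:]]*//' \
              -e 's/=.*$//' -e 's/[[:space:]]*$//'
}

# Return 0 if every name in FILE is set and non-empty in the environment,
# 1 otherwise. Only names are echoed, never values, so output is CI-log safe.
check_env_names() {
    file="$1"
    missing=0
    for name in $(env_names_from_file "$file"); do
        # Refuse anything that is not a plain identifier before it reaches eval.
        case "$name" in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "skipping invalid name: $name"
                continue ;;
        esac
        if eval "[ -z \"\${$name:-}\" ]"; then
            echo "missing: $name"
            missing=1
        fi
    done
    return $missing
}
```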
Risks
- Contributor onboarding: document Fnox vs optional .env.example.
- Avoid dual maintenance of .env.submit and Fnox after migration.
- If .env.submit was ever exposed, rotate store credentials at Google/Mozilla.
References