feat: initial vx implementation — vault-backed secret manager for monorepos

Implements the full vx CLI tool addressing four fnox limitations:
1. Token auto-renewal via background daemon (50% TTL renewal)
2. Nested Vault keys via ${env} path templating (single base_path)
3. Workspace-scoped secret loading (bun workspace detection)
4. Parallel secret resolution via errgroup (65 seq → ~17 concurrent)

Packages:
- cmd/: cobra CLI (exec, login, daemon, token, list, validate, migrate, version)
- internal/config: TOML parser, workspace detection, config merging
- internal/resolver: parallel Vault reads, path grouping, template interpolation
- internal/vault: Vault SDK client, KV v2 reads, OIDC + AppRole auth
- internal/token: token sink, renewal daemon, PID management
- internal/exec: child process runner, signal forwarding
- internal/migrate: fnox.toml → vx.toml converter

CI/CD: GitHub Actions (test + release), GoReleaser, multi-arch Docker images

Author: nadilas

.github/workflows/ci.yml

@@ -0,0 +1,39 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Download dependencies
+        run: go mod download
+
+      - name: Build
+        run: go build ./...
+
+      - name: Vet
+        run: go vet ./...
+
+      - name: Test
+        run: go test -race -coverprofile=coverage.out ./...
+
+      - name: Upload coverage
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage
+          path: coverage.out

.github/workflows/release.yml

@@ -0,0 +1,41 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -0,0 +1,20 @@
+# Binaries
+vx
+*.exe
+*.dll
+*.so
+*.dylib
+
+# Build output
+dist/
+coverage.out
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+
+# OS
+.DS_Store
+Thumbs.db

.goreleaser.yml

@@ -0,0 +1,72 @@
+project_name: vx
+
+before:
+  hooks:
+    - go mod tidy
+    - go test ./...
+
+builds:
+  - id: vx
+    main: .
+    binary: vx
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+      - arm64
+    ldflags:
+      - -s -w
+      - -X go.dot.industries/vx/cmd.version={{.Version}}
+      - -X go.dot.industries/vx/cmd.commit={{.ShortCommit}}
+      - -X go.dot.industries/vx/cmd.date={{.Date}}
+
+archives:
+  - id: default
+    format: tar.gz
+    name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+    format_overrides:
+      - goos: windows
+        format: zip
+
+checksum:
+  name_template: "checksums.txt"
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"
+      - "^chore:"
+
+dockers:
+  - image_templates:
+      - "ghcr.io/dotindustries/vx:{{ .Version }}-amd64"
+    use: buildx
+    build_flag_templates:
+      - "--platform=linux/amd64"
+    goarch: amd64
+    dockerfile: Dockerfile.release
+
+  - image_templates:
+      - "ghcr.io/dotindustries/vx:{{ .Version }}-arm64"
+    use: buildx
+    build_flag_templates:
+      - "--platform=linux/arm64"
+    goarch: arm64
+    dockerfile: Dockerfile.release
+
+docker_manifests:
+  - name_template: "ghcr.io/dotindustries/vx:{{ .Version }}"
+    image_templates:
+      - "ghcr.io/dotindustries/vx:{{ .Version }}-amd64"
+      - "ghcr.io/dotindustries/vx:{{ .Version }}-arm64"
+
+  - name_template: "ghcr.io/dotindustries/vx:latest"
+    image_templates:
+      - "ghcr.io/dotindustries/vx:{{ .Version }}-amd64"
+      - "ghcr.io/dotindustries/vx:{{ .Version }}-arm64"

Dockerfile

@@ -0,0 +1,13 @@
+FROM golang:1.25-alpine AS builder
+
+WORKDIR /src
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . .
+RUN CGO_ENABLED=0 go build -ldflags="-s -w" -o /vx .
+
+FROM alpine:3.21
+RUN apk add --no-cache ca-certificates
+COPY --from=builder /vx /usr/local/bin/vx
+ENTRYPOINT ["vx"]

Dockerfile.release

@@ -0,0 +1,3 @@
+FROM scratch
+COPY vx /vx
+ENTRYPOINT ["/vx"]

cmd/daemon.go

@@ -0,0 +1,140 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+
+	"go.dot.industries/vx/internal/token"
+)
+
+func init() {
+	rootCmd.AddCommand(daemonCmd)
+	daemonCmd.AddCommand(daemonStartCmd)
+	daemonCmd.AddCommand(daemonStopCmd)
+	daemonCmd.AddCommand(daemonStatusCmd)
+}
+
+var daemonCmd = &cobra.Command{
+	Use:   "daemon",
+	Short: "Manage the token renewal daemon",
+	Long:  `The daemon automatically renews your Vault token before it expires.`,
+}
+
+var daemonStartCmd = &cobra.Command{
+	Use:   "start",
+	Short: "Start the token renewal daemon in the foreground",
+	Args:  cobra.NoArgs,
+	RunE:  runDaemonStart,
+}
+
+var daemonStopCmd = &cobra.Command{
+	Use:   "stop",
+	Short: "Stop the running token renewal daemon",
+	Args:  cobra.NoArgs,
+	RunE:  runDaemonStop,
+}
+
+var daemonStatusCmd = &cobra.Command{
+	Use:   "status",
+	Short: "Show the daemon status",
+	Args:  cobra.NoArgs,
+	RunE:  runDaemonStatus,
+}
+
+func runDaemonStart(cmd *cobra.Command, args []string) error {
+	cfg, _, err := loadConfig()
+	if err != nil {
+		return err
+	}
+
+	renewer := token.NewTokenRenewer(cfg.Vault.Address)
+	daemon := token.NewDaemon(renewer)
+
+	if daemon.IsRunning() {
+		return fmt.Errorf("daemon is already running")
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	if err := daemon.Start(ctx); err != nil {
+		return fmt.Errorf("starting daemon: %w", err)
+	}
+
+	log.Info().Msg("daemon started, press Ctrl+C to stop")
+
+	sigCh := make(chan os.Signal, 1)
+	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
+	<-sigCh
+
+	log.Info().Msg("stopping daemon...")
+	if err := daemon.Stop(); err != nil {
+		log.Warn().Err(err).Msg("error stopping daemon")
+	}
+
+	return nil
+}
+
+func runDaemonStop(cmd *cobra.Command, args []string) error {
+	pidPath := token.PIDPath()
+
+	data, err := os.ReadFile(pidPath)
+	if err != nil {
+		return fmt.Errorf("daemon is not running (no PID file)")
+	}
+
+	pid := 0
+	if _, err := fmt.Sscanf(string(data), "%d", &pid); err != nil {
+		return fmt.Errorf("invalid PID file: %w", err)
+	}
+
+	proc, err := os.FindProcess(pid)
+	if err != nil {
+		return fmt.Errorf("finding daemon process: %w", err)
+	}
+
+	if err := proc.Signal(syscall.SIGTERM); err != nil {
+		return fmt.Errorf("sending stop signal: %w", err)
+	}
+
+	if err := os.Remove(pidPath); err != nil && !os.IsNotExist(err) {
+		log.Warn().Err(err).Msg("removing PID file")
+	}
+
+	log.Info().Int("pid", pid).Msg("daemon stopped")
+
+	return nil
+}
+
+func runDaemonStatus(cmd *cobra.Command, args []string) error {
+	cfg, _, err := loadConfig()
+	if err != nil {
+		return err
+	}
+
+	renewer := token.NewTokenRenewer(cfg.Vault.Address)
+	daemon := token.NewDaemon(renewer)
+
+	status, err := daemon.Status()
+	if err != nil {
+		return fmt.Errorf("checking daemon status: %w", err)
+	}
+
+	if !status.Running {
+		fmt.Println("Daemon: not running")
+		return nil
+	}
+
+	fmt.Printf("Daemon: running (PID %d)\n", status.PID)
+	if !status.LastRenewal.IsZero() {
+		fmt.Printf("Last renewal: %s\n", status.LastRenewal.Format("2006-01-02 15:04:05"))
+	}
+
+	return nil
+}