Using fnox to inject Hashicorp Vault env vars with mise

[KyleChamberlin]

I use mise to manage my env vars. We also use Hashicorp Vault to manage secrets. the setup we currently just use a handful of scripts to manage takes an environment (dev, qa, prod, etc) and then grabs all the vault secrets for the application for that env with the vault cli and then exports them as ENV vars.

I am trying to make this a bit less painful, more secure, and leverage tools rather than raw scripts.

I love using mise to manage env vars, and I already inject my team's vault URI and namespace into everyone's env vars.

I had previously tried cobbling together a solution using mise directly, and found it clumsy. now that I see fnox, I really want to use that. the issue I run into is that at my company the vault tokens are restricted to only a 2h ttl. so I end up having to re-authenticate multiple times per day, and I really liked when I was running with the mise integration I could cache the secrets for a full day so I could avoid re-authing especially when the secrets were unlikely to change on that time scale. (and I could just invalidate the cache when I needed to update them)

so I have a few questions rolled into one here.

1. how should i get the VAULT_TOKEN into the env for fnox? I am manually exporting the var every time I login now, but this is cumbersome, and I would rather these tokens get injected lazily or automatically.
2. is there a way to get fnox to re-use secret values for a configurable amount of time without re-checking? i would love to define some kind of TTL or cache-window for these secrets
3. is there a mise plugin or similar I can use to get the env vars managed by fnox without having my team update their shell config? (a lot of them complained about having to update it just to get mise working, so I am trying to avoid pushing more change like this)