bundler-age_gate 0.3.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 581cb6ea25c5954f0415555577c5507f39d898b03a47bb88e0421c2ebd9a6e38
+  data.tar.gz: 90aad38a46d9fa7beb86f1e314b27a88dbf4e64c23bf1ea363150d744fa87fb6
+SHA512:
+  metadata.gz: 76100acf78b815815971e534a024375ab7c97c733a82a151187a4112361027314570886beff6d9c2c5c66409e6b9fd27325ca54de5f64722ae7eafe35ec19a2f
+  data.tar.gz: ec2a532a7fbc208c02712efc505d3978b012beb921f282c4c734fd6c2912d38c412eee901810780cce3ef99fd6c4cb707eff907921c1818ae9e9f2a919ff4ec3

data/CHANGELOG.md

@@ -0,0 +1,59 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.3.0] - 2026-01-22
+
+### Added
+- **Multi-source support**: Configure different age requirements per gem source
+  - Public RubyGems (strict) vs private gems (permissive)
+  - Per-source API endpoint configuration
+  - GitHub Packages, Artifactory, and custom registry support
+- **Authentication support**: Bearer tokens for private gem servers
+  - Environment variable substitution (e.g., `${GITHUB_TOKEN}`)
+- **Source detection**: Automatically determines gem sources from Gemfile.lock
+- **Per-source minimum age**: Different requirements for public vs internal gems
+- **CLI override**: Command-line days argument overrides all source configurations
+
+### Changed
+- Violation output now includes source name and required age
+- Configuration structure expanded to support multiple sources
+- Default configuration maintains backwards compatibility (RubyGems only)
+
+## [0.2.0] - 2026-01-22
+
+### Added
+- Configuration file support (`.bundler-age-gate.yml`)
+- Exception handling mechanism with approval workflow
+- Audit logging for compliance (JSON format)
+- CI/CD integration examples:
+  - GitHub Actions with PR comments
+  - GitLab CI
+  - CircleCI
+  - Pre-commit hooks (shell and framework)
+- Configuration examples and templates
+- Comprehensive README documentation for enterprise deployment
+
+### Changed
+- Command now reads from config file for default minimum age
+- Exit messages now include helpful hints for exceptions
+
+### Fixed
+- Plugin compatibility with Bundler 4.x
+
+## [0.1.0] - 2026-01-22
+
+### Added
+- Initial release
+- `bundle age_check [DAYS]` command to verify gem ages
+- RubyGems API integration for release date checking
+- In-memory caching to avoid duplicate API calls
+- Progress indicator with dot-per-gem output
+- Clear violation reporting with release dates
+- Graceful error handling for API failures
+- Exit code 0 for pass, 1 for violations
+
+[0.1.0]: https://github.com/NikoRoberts/bundler-age_gate/releases/tag/v0.1.0

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Niko Roberts
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,291 @@
+# Bundler::AgeGate
+
+A Bundler plugin that enforces minimum gem age requirements by checking your `Gemfile.lock` against the RubyGems API.
+
+## Why?
+
+Freshly released gems may contain bugs or security vulnerabilities that haven't been discovered yet. This plugin helps you implement a "waiting period" policy before adopting new gem versions in production environments.
+
+## Installation
+
+Install the plugin:
+
+```bash
+bundle plugin install bundler-age_gate
+```
+
+Or add it to your project's plugin list:
+
+```bash
+bundle plugin install bundler-age_gate --local_git=/path/to/bundler-age_gate
+```
+
+## Usage
+
+Check that all gems in your `Gemfile.lock` are at least 7 days old:
+
+```bash
+bundle age_check
+```
+
+Specify a custom minimum age (in days):
+
+```bash
+bundle age_check 14
+```
+
+Check for 30-day minimum:
+
+```bash
+bundle age_check 30
+```
+
+## Configuration
+
+Create a `.bundler-age-gate.yml` file in your project root to customise behaviour:
+
+```yaml
+# Minimum age in days (default: 7)
+minimum_age_days: 7
+
+# Audit log path (default: .bundler-age-gate.log)
+audit_log_path: .bundler-age-gate.log
+
+# Approved exceptions
+exceptions:
+  - gem: rails
+    version: 7.1.3.1
+    reason: "Critical security patch for CVE-2024-12345"
+    approved_by: security-team
+    expires: 2026-02-15
+```
+
+### Exception Workflow
+
+1. Developer encounters age gate violation
+2. Request exception approval (security team, staff engineer, etc.)
+3. Add approved exception to `.bundler-age-gate.yml`
+4. Include reason, approver, and expiry date
+5. Commit configuration with approval documented
+
+**Exception fields:**
+- `gem` (required): Gem name
+- `version` (optional): Specific version, omit for all versions
+- `reason` (required): Explanation for exception
+- `approved_by` (required): Who approved this
+- `expires` (optional): Expiry date (YYYY-MM-DD)
+
+### Audit Logging
+
+All checks are logged to `.bundler-age-gate.log` in JSON format:
+
+```json
+{
+  "timestamp": "2026-01-22T13:45:00Z",
+  "result": "pass",
+  "violations_count": 0,
+  "checked_gems_count": 80,
+  "exceptions_used": 1,
+  "violations": []
+}
+```
+
+**Compliance benefits:**
+- Track all security checks
+- Audit exception usage
+- Demonstrate policy compliance
+- Investigate historical violations
+
+### Multi-Source Support
+
+Configure different age requirements for different gem sources (public vs private):
+
+```yaml
+minimum_age_days: 7  # Global default
+
+sources:
+  # Public RubyGems - strict
+  - name: rubygems
+    url: https://rubygems.org
+    api_endpoint: https://rubygems.org/api/v1/versions/%s.json
+    minimum_age_days: 7
+
+  # Internal GitHub Packages - less strict
+  - name: github-internal
+    url: https://rubygems.pkg.github.com/your-org
+    api_endpoint: https://rubygems.pkg.github.com/your-org/api/v1/versions/%s.json
+    minimum_age_days: 3
+    auth_token: ${GITHUB_TOKEN}  # Environment variable
+
+  # Internal Artifactory - very permissive
+  - name: artifactory
+    url: https://artifactory.company.com/api/gems
+    api_endpoint: https://artifactory.company.com/api/gems/api/v1/versions/%s.json
+    minimum_age_days: 1
+    auth_token: ${ARTIFACTORY_API_KEY}
+```
+
+**Benefits:**
+- Stricter requirements for public gems (supply chain risk)
+- Permissive for internal gems (trusted sources)
+- Per-source API endpoints for private registries
+- Authentication support via environment variables
+- CLI override still applies globally: `bundle age_check 14` enforces 14 days for ALL sources
+
+**How it works:**
+1. Plugin reads `Gemfile.lock` to determine each gem's source
+2. Applies per-source minimum age requirements
+3. Queries appropriate API endpoint with authentication
+4. Reports violations with source context
+
+## How It Works
+
+1. Parses your `Gemfile.lock` using Bundler's built-in parser
+2. Queries the RubyGems API for each gem's release date
+3. Compares the release date against your specified minimum age
+4. Reports any violations and exits with status code 1 if violations are found
+
+**Note:** Currently only supports rubygems.org. Private gem servers or GitHub packages are not yet supported. See [Roadmap](#roadmap) for planned features.
+
+## Features
+
+- **Efficient API usage**: Caches API responses to avoid duplicate requests
+- **Progress indicator**: Prints a dot for each gem checked
+- **Clear output**: Shows violating gems with release dates and age
+- **Graceful error handling**: Skips gems that can't be checked (API errors, network issues)
+- **CI-friendly**: Returns appropriate exit codes (0 for pass, 1 for fail)
+- **Configuration file**: Customise settings via `.bundler-age-gate.yml`
+- **Exception handling**: Approve specific gems with documented reasons
+- **Audit logging**: Compliance-ready logs for all checks
+- **Enterprise-ready**: Designed for organisation-wide rollout
+
+## Example Output
+
+```
+🔍 Checking gem ages (minimum: 7 days)...
+📅 Cutoff date: 2026-01-15
+
+Checking 143 gems...
+Progress: ...............................................
+
+⚠️  Found 2 gem(s) younger than 7 days:
+
+  ❌ rails (7.1.3)
+     Released: 2026-01-20 (2 days ago)
+
+  ❌ activerecord (7.1.3)
+     Released: 2026-01-20 (2 days ago)
+
+⛔ Age gate check FAILED
+```
+
+## Use Cases
+
+- **Production deployments**: Ensure stability by waiting for community feedback
+- **Security compliance**: Enforce policies requiring "battle-tested" versions
+- **CI pipelines**: Add as a check in your continuous integration workflow
+- **Risk management**: Reduce exposure to zero-day vulnerabilities in new releases
+
+## CI/CD Integration
+
+### GitHub Actions
+
+```yaml
+# .github/workflows/gem-security-check.yml
+- name: Install bundler-age_gate
+  run: |
+    gem install bundler-age_gate
+    bundle plugin install bundler-age_gate
+
+- name: Check gem ages
+  run: bundle age_check 7
+```
+
+**Full example:** See [`examples/github-actions.yml`](examples/github-actions.yml) for complete workflow with PR comments and artefact upload.
+
+### GitLab CI
+
+```yaml
+# .gitlab-ci.yml
+gem-age-gate-check:
+  script:
+    - bundle plugin install bundler-age_gate
+    - bundle age_check 7
+```
+
+**Full example:** See [`examples/gitlab-ci.yml`](examples/gitlab-ci.yml)
+
+### CircleCI
+
+```yaml
+# .circleci/config.yml
+- run:
+    name: Check gem ages
+    command: bundle age_check 7
+```
+
+**Full example:** See [`examples/circleci-config.yml`](examples/circleci-config.yml)
+
+### Pre-commit Hooks
+
+#### Shell Script
+
+```bash
+# .git/hooks/pre-commit
+#!/bin/bash
+if git diff --cached --name-only | grep -q "^Gemfile.lock$"; then
+  bundle age_check 7
+fi
+```
+
+**Installation:** See [`examples/pre-commit`](examples/pre-commit)
+
+#### Pre-commit Framework
+
+```yaml
+# .pre-commit-config.yaml
+repos:
+  - repo: local
+    hooks:
+      - id: bundler-age-gate
+        name: Check gem ages
+        entry: bundle age_check 7
+        language: system
+        files: ^Gemfile\.lock$
+```
+
+**Full example:** See [`examples/.pre-commit-config.yaml`](examples/.pre-commit-config.yaml)
+
+## Development
+
+After checking out the repo:
+
+```bash
+bundle install
+```
+
+To test locally:
+
+```bash
+bundle exec rake
+```
+
+## Roadmap
+
+Future enhancements planned:
+
+- [x] **Private gem server support**: ✅ Implemented in v0.3.0
+- [x] **Multi-source detection**: ✅ Implemented in v0.3.0
+- [ ] **Webhook notifications**: Slack/Teams alerts for violations
+- [ ] **Policy-as-code**: YAML policy files with team-specific rules
+- [ ] **Exemption templates**: Pre-approved exception categories (security patches, internal gems)
+- [ ] **Metrics dashboard**: Web dashboard for organisation-wide compliance
+- [ ] **Dependency graph analysis**: Check transitive dependency ages
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/NikoRoberts/bundler-age_gate.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/bundler-age_gate.gemspec

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require_relative "lib/bundler/age_gate/version"
+
+Gem::Specification.new do |spec|
+  spec.name = "bundler-age_gate"
+  spec.version = Bundler::AgeGate::VERSION
+  spec.authors = ["Niko Roberts"]
+  spec.email = ["niko@example.com"]
+
+  spec.summary = "A Bundler plugin to enforce minimum gem age requirements"
+  spec.description = "Checks your Gemfile.lock against the RubyGems API to ensure no gems are younger than a specified number of days"
+  spec.homepage = "https://github.com/NikoRoberts/bundler-age_gate"
+  spec.license = "MIT"
+  spec.required_ruby_version = ">= 2.7.0"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = spec.homepage
+  spec.metadata["changelog_uri"] = "#{spec.homepage}/blob/main/CHANGELOG.md"
+
+  spec.files = Dir.glob("lib/**/*") + %w[
+    plugins.rb
+    bundler-age_gate.gemspec
+    README.md
+    LICENSE
+    CHANGELOG.md
+  ].select { |f| File.exist?(f) }
+
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "bundler", ">= 2.0"
+
+  spec.add_development_dependency "rake", "~> 13.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency "rubocop", "~> 1.21"
+end

data/lib/bundler/age_gate/audit_logger.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require "json"
+require "time"
+
+module Bundler
+  module AgeGate
+    class AuditLogger
+      def initialize(log_path)
+        @log_path = log_path
+      end
+
+      def log_check(result:, violations:, exceptions_used:, checked_gems_count:)
+        entry = {
+          timestamp: Time.now.iso8601,
+          result: result, # "pass" or "fail"
+          violations_count: violations.size,
+          checked_gems_count: checked_gems_count,
+          exceptions_used: exceptions_used,
+          violations: violations.map do |v|
+            {
+              gem: v[:name],
+              version: v[:version],
+              release_date: v[:release_date].iso8601,
+              age_days: v[:age_days],
+              excepted: v[:excepted] || false,
+              exception_reason: v[:exception_reason]
+            }
+          end
+        }
+
+        append_log(entry)
+      end
+
+      private
+
+      def append_log(entry)
+        File.open(@log_path, "a") do |f|
+          f.puts(JSON.generate(entry))
+        end
+      rescue StandardError => e
+        # Silently fail if logging doesn't work - don't block the main flow
+        warn "⚠️  Failed to write audit log: #{e.message}"
+      end
+    end
+  end
+end

data/lib/bundler/age_gate/command.rb

@@ -0,0 +1,203 @@
+# frozen_string_literal: true
+
+require "bundler"
+require "net/http"
+require "json"
+require "time"
+require_relative "config"
+require_relative "audit_logger"
+
+module Bundler
+  module AgeGate
+    class Command
+      def initialize(days = nil)
+        @config = Config.new
+        @cli_override_days = days&.to_i
+        @cache = {}
+        @violations = []
+        @excepted_violations = []
+        @audit_logger = AuditLogger.new(@config.audit_log_path)
+        @checked_gems_count = 0
+        @source_map = {}  # gem_name => source_url
+      end
+
+      def execute
+        lockfile_path = File.join(Dir.pwd, "Gemfile.lock")
+
+        unless File.exist?(lockfile_path)
+          puts "❌ Gemfile.lock not found in current directory"
+          exit 1
+        end
+
+        lockfile = Bundler::LockfileParser.new(Bundler.read_file(lockfile_path))
+        gems = lockfile.specs
+
+        # Build source map from lockfile
+        build_source_map(lockfile)
+
+        # Display configuration
+        if @cli_override_days
+          puts "🔍 Checking gem ages (CLI override: #{@cli_override_days} days for all sources)..."
+          puts "📅 Cutoff date: #{Time.now - (@cli_override_days * 24 * 60 * 60)}"
+        else
+          puts "🔍 Checking gem ages (per-source configuration)..."
+          @config.sources.each do |source|
+            puts "  📦 #{source.name}: #{source.minimum_age_days} days"
+          end
+        end
+        puts ""
+
+        puts "Checking #{gems.size} gems..."
+        print "Progress: "
+
+        gems.each do |spec|
+          check_gem(spec)
+          print "."
+        end
+
+        puts "\n\n"
+        display_results
+      end
+
+      private
+
+      def build_source_map(lockfile)
+        # Parse REMOTE sections from lockfile to map gems to sources
+        lockfile_content = File.read(File.join(Dir.pwd, "Gemfile.lock"))
+        current_source = nil
+
+        lockfile_content.each_line do |line|
+          if line.match(/^\s*remote: (.+)$/)
+            current_source = line.match(/^\s*remote: (.+)$/)[1].strip
+          elsif line.match(/^\s{4}(\S+)/) && current_source
+            gem_name_with_version = line.strip
+            gem_name = gem_name_with_version.split(/\s+/).first
+            @source_map[gem_name] = current_source
+          end
+        end
+      end
+
+      def check_gem(spec)
+        gem_name = spec.name
+        gem_version = spec.version.to_s
+
+        # Skip if already checked
+        cache_key = "#{gem_name}@#{gem_version}"
+        return if @cache.key?(cache_key)
+
+        @checked_gems_count += 1
+
+        # Determine source and minimum age for this gem
+        gem_source_url = @source_map[gem_name] || "https://rubygems.org"
+        source_config = @config.source_for_url(gem_source_url)
+        min_age_days = @cli_override_days || source_config.minimum_age_days
+        cutoff_date = Time.now - (min_age_days * 24 * 60 * 60)
+
+        release_date = fetch_gem_release_date(gem_name, gem_version, source_config)
+
+        if release_date.nil?
+          # Couldn't determine date, skip silently
+          @cache[cache_key] = :unknown
+          return
+        end
+
+        @cache[cache_key] = release_date
+
+        if release_date > cutoff_date
+          age_days = ((Time.now - release_date) / (24 * 60 * 60)).round
+          violation = {
+            name: gem_name,
+            version: gem_version,
+            release_date: release_date,
+            age_days: age_days,
+            source: source_config.name,
+            required_age: min_age_days
+          }
+
+          # Check if this gem has an exception
+          if @config.gem_excepted?(gem_name, gem_version)
+            violation[:excepted] = true
+            violation[:exception_reason] = @config.exception_reason(gem_name, gem_version)
+            @excepted_violations << violation
+          else
+            @violations << violation
+          end
+        end
+      rescue StandardError => e
+        # Silently handle errors for individual gems
+        @cache[cache_key] = :error
+      end
+
+      def fetch_gem_release_date(gem_name, gem_version, source_config)
+        uri = URI(format(source_config.api_endpoint, gem_name))
+
+        response = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https", read_timeout: 10) do |http|
+          request = Net::HTTP::Get.new(uri.path)
+
+          # Add authentication header if configured
+          if source_config.auth_token
+            request["Authorization"] = "Bearer #{source_config.auth_token}"
+          end
+
+          http.request(request)
+        end
+
+        unless response.is_a?(Net::HTTPSuccess)
+          return nil
+        end
+
+        versions_data = JSON.parse(response.body)
+        version_info = versions_data.find { |v| v["number"] == gem_version }
+
+        return nil unless version_info && version_info["created_at"]
+
+        Time.parse(version_info["created_at"])
+      rescue StandardError
+        nil
+      end
+
+      def display_results
+        # Show excepted violations first (if any)
+        unless @excepted_violations.empty?
+          puts "ℹ️  #{@excepted_violations.size} gem(s) have approved exceptions:\n\n"
+
+          @excepted_violations.sort_by { |v| v[:age_days] }.each do |violation|
+            puts "  ⚠️  #{violation[:name]} (#{violation[:version]}) [#{violation[:source]}]"
+            puts "     Released: #{violation[:release_date].strftime('%Y-%m-%d')} (#{violation[:age_days]} days ago, requires #{violation[:required_age]} days)"
+            puts "     Exception: #{violation[:exception_reason]}"
+            puts ""
+          end
+        end
+
+        # Log audit entry
+        result = @violations.empty? ? "pass" : "fail"
+        all_violations = @violations + @excepted_violations
+        @audit_logger.log_check(
+          result: result,
+          violations: all_violations,
+          exceptions_used: @excepted_violations.size,
+          checked_gems_count: @checked_gems_count
+        )
+
+        # Display final result
+        if @violations.empty?
+          puts "✅ All gems meet their source-specific age requirements"
+          puts "🎉 Safe to proceed!"
+          exit 0
+        else
+          puts "⚠️  Found #{@violations.size} gem(s) that don't meet age requirements:\n\n"
+
+          @violations.sort_by { |v| v[:age_days] }.each do |violation|
+            puts "  ❌ #{violation[:name]} (#{violation[:version]}) [#{violation[:source]}]"
+            puts "     Released: #{violation[:release_date].strftime('%Y-%m-%d')} (#{violation[:age_days]} days ago, requires #{violation[:required_age]} days)"
+            puts ""
+          end
+
+          puts "⛔ Age gate check FAILED"
+          puts "\n💡 To add an exception, create .bundler-age-gate.yml with approved exceptions"
+          exit 1
+        end
+      end
+    end
+  end
+end

data/lib/bundler/age_gate/config.rb

@@ -0,0 +1,121 @@
+# frozen_string_literal: true
+
+require "yaml"
+
+module Bundler
+  module AgeGate
+    class Config
+      attr_reader :minimum_age_days, :exceptions, :audit_log_path, :sources
+
+      DEFAULT_RUBYGEMS_SOURCE = {
+        "name" => "rubygems",
+        "url" => "https://rubygems.org",
+        "api_endpoint" => "https://rubygems.org/api/v1/versions/%s.json",
+        "minimum_age_days" => nil # Uses global default
+      }.freeze
+
+      DEFAULT_CONFIG = {
+        "minimum_age_days" => 7,
+        "exceptions" => [],
+        "audit_log_path" => ".bundler-age-gate.log",
+        "sources" => [DEFAULT_RUBYGEMS_SOURCE]
+      }.freeze
+
+      def initialize(config_path = ".bundler-age-gate.yml")
+        @config_path = config_path
+        @config = load_config
+        @minimum_age_days = @config["minimum_age_days"]
+        @exceptions = @config["exceptions"] || []
+        @audit_log_path = @config["audit_log_path"]
+        @sources = (@config["sources"] || [DEFAULT_RUBYGEMS_SOURCE]).map { |s| SourceConfig.new(s, @minimum_age_days) }
+      end
+
+      def source_for_url(source_url)
+        # Normalise URLs for comparison
+        normalised_url = normalise_source_url(source_url)
+
+        @sources.find do |source|
+          normalise_source_url(source.url) == normalised_url
+        end || @sources.first # Default to first source (usually rubygems)
+      end
+
+      def gem_excepted?(gem_name, gem_version)
+        @exceptions.any? do |exception|
+          matches_gem?(exception, gem_name, gem_version) && !expired?(exception)
+        end
+      end
+
+      def exception_reason(gem_name, gem_version)
+        exception = @exceptions.find do |ex|
+          matches_gem?(ex, gem_name, gem_version) && !expired?(ex)
+        end
+        exception&.dig("reason")
+      end
+
+      private
+
+      def load_config
+        if File.exist?(@config_path)
+          user_config = YAML.safe_load_file(@config_path, permitted_classes: [Date, Time])
+          DEFAULT_CONFIG.merge(user_config || {})
+        else
+          DEFAULT_CONFIG
+        end
+      rescue StandardError => e
+        warn "⚠️  Failed to load config from #{@config_path}: #{e.message}"
+        warn "Using default configuration"
+        DEFAULT_CONFIG
+      end
+
+      def matches_gem?(exception, gem_name, gem_version)
+        exception["gem"] == gem_name &&
+          (exception["version"].nil? || exception["version"] == gem_version)
+      end
+
+      def expired?(exception)
+        return false unless exception["expires"]
+
+        expiry_date = parse_date(exception["expires"])
+        expiry_date && Time.now > expiry_date
+      end
+
+      def parse_date(date_string)
+        Time.parse(date_string.to_s)
+      rescue ArgumentError
+        nil
+      end
+
+      def normalise_source_url(url)
+        # Remove trailing slashes and convert to lowercase for comparison
+        url.to_s.downcase.chomp("/")
+      end
+    end
+
+    # Represents a gem source configuration
+    class SourceConfig
+      attr_reader :name, :url, :api_endpoint, :minimum_age_days, :auth_token
+
+      def initialize(config, global_minimum_age_days)
+        @name = config["name"] || "unknown"
+        @url = config["url"]
+        @api_endpoint = config["api_endpoint"]
+        @minimum_age_days = config["minimum_age_days"] || global_minimum_age_days
+        @auth_token = resolve_auth_token(config["auth_token"])
+      end
+
+      private
+
+      def resolve_auth_token(token_config)
+        return nil unless token_config
+
+        # Support environment variable substitution: ${VAR_NAME}
+        if token_config.match?(/\$\{(.+)\}/)
+          var_name = token_config.match(/\$\{(.+)\}/)[1]
+          ENV[var_name]
+        else
+          token_config
+        end
+      end
+    end
+  end
+end

data/lib/bundler/age_gate/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Bundler
+  module AgeGate
+    VERSION = "0.3.0"
+  end
+end

data/lib/bundler/age_gate.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require_relative "age_gate/version"
+
+module Bundler
+  module AgeGate
+    class Error < StandardError; end
+  end
+end

data/plugins.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require_relative "lib/bundler/age_gate/command"
+
+class AgeCheck < Bundler::Plugin::API
+  command "age_check"
+
+  def exec(_command, args)
+    days = args.first || "7"
+
+    unless days.match?(/^\d+$/)
+      puts "❌ Invalid argument: '#{days}' is not a valid number of days"
+      puts "Usage: bundle age_check [DAYS]"
+      exit 1
+    end
+
+    Bundler::AgeGate::Command.new(days).execute
+  end
+end

metadata

@@ -0,0 +1,113 @@
+--- !ruby/object:Gem::Specification
+name: bundler-age_gate
+version: !ruby/object:Gem::Version
+  version: 0.3.0
+platform: ruby
+authors:
+- Niko Roberts
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2026-01-22 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.21'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.21'
+description: Checks your Gemfile.lock against the RubyGems API to ensure no gems are
+  younger than a specified number of days
+email:
+- niko@example.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE
+- README.md
+- bundler-age_gate.gemspec
+- lib/bundler/age_gate.rb
+- lib/bundler/age_gate/audit_logger.rb
+- lib/bundler/age_gate/command.rb
+- lib/bundler/age_gate/config.rb
+- lib/bundler/age_gate/version.rb
+- plugins.rb
+homepage: https://github.com/NikoRoberts/bundler-age_gate
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/NikoRoberts/bundler-age_gate
+  source_code_uri: https://github.com/NikoRoberts/bundler-age_gate
+  changelog_uri: https://github.com/NikoRoberts/bundler-age_gate/blob/main/CHANGELOG.md
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.7.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.22
+signing_key:
+specification_version: 4
+summary: A Bundler plugin to enforce minimum gem age requirements
+test_files: []