easy_creds 1.0.1

data/lib/easy_creds/config.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require 'yaml'
+require 'pathname'
+
+module EasyCreds
+  SyncConfig = Data.define(
+    :vault,
+    :credentials_item,
+    :default_env,
+    :ignore_keys
+  )
+
+  module ConfigLoader
+    CONFIG_FILE = 'config/1password.yml'
+
+    DEFAULTS = SyncConfig.new(
+      vault: nil,
+      credentials_item: 'credentials',
+      default_env: 'development',
+      ignore_keys: []
+    ).freeze
+
+    def self.load(root)
+      path = Pathname.new(root).join(CONFIG_FILE)
+      return DEFAULTS unless path.exist?
+
+      build_config(YAML.safe_load(path.read, symbolize_names: true) || {})
+    end
+
+    def self.build_config(raw)
+      SyncConfig.new(**merge_defaults(raw))
+    end
+    private_class_method :build_config
+
+    def self.merge_defaults(raw)
+      items = (raw[:items] || {}).transform_keys(&:to_sym)
+      {
+        vault: pick(raw[:vault], DEFAULTS.vault),
+        credentials_item: pick(items[:credentials_item], DEFAULTS.credentials_item),
+        default_env: pick(raw[:default_env], DEFAULTS.default_env),
+        ignore_keys: Array(raw[:ignore_keys]).map(&:to_s)
+      }
+    end
+    private_class_method :merge_defaults
+
+    def self.pick(val, default)
+      val&.to_s || default
+    end
+    private_class_method :pick
+  end
+end

data/lib/easy_creds/configuration.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+module EasyCreds
+  class Configuration
+    attr_accessor :global_dir,
+                  :default_provider,
+                  :default_vault,
+                  :templates_dir,
+                  :default_template,
+                  :editor,
+                  :log_level,
+                  :schema_version
+
+    def initialize
+      @global_dir       = File.expand_path('~/.easy_creds')
+      @default_provider = :onepassword
+      @default_vault    = nil
+      @templates_dir    = nil
+      @default_template = :default
+      @editor           = ENV['VISUAL'] || ENV.fetch('EDITOR', nil)
+      @log_level        = :debug
+      @schema_version   = 1
+    end
+
+    def resolved_templates_dir
+      @templates_dir || File.join(global_dir, 'templates')
+    end
+
+    def self.load_file(path)
+      return Configuration.new unless File.exist?(path)
+
+      raw = YAML.safe_load_file(path) || {}
+      cfg = Configuration.new
+      cfg.global_dir       = raw['global_dir']       if raw['global_dir']
+      cfg.default_vault    = raw['default_vault']
+      cfg.default_provider = (raw['default_provider']&.to_sym || :onepassword)
+      cfg.default_template = (raw['default_template']&.to_sym || :default)
+      cfg.templates_dir    = raw['templates_dir']
+      cfg.editor           = raw['editor'] || ENV['VISUAL'] || ENV.fetch('EDITOR', nil)
+      cfg.log_level        = (raw['log_level']&.to_sym || :debug)
+      cfg.schema_version   = raw['schema_version'] || 1
+      cfg
+    end
+
+    def self.write_file!(cfg, path)
+      data = {
+        'schema_version'   => 2,
+        'global_dir'       => cfg.global_dir,
+        'default_vault'    => cfg.default_vault,
+        'default_provider' => cfg.default_provider.to_s,
+        'default_template' => cfg.default_template.to_s,
+        'templates_dir'    => cfg.templates_dir,
+        'editor'           => cfg.editor,
+        'log_level'        => cfg.log_level.to_s
+      }.compact
+      FileUtils.mkdir_p(File.dirname(path))
+      File.write(path, data.to_yaml)
+      FileUtils.chmod(0o600, path)
+    end
+  end
+
+  class << self
+    def config
+      @config ||= Configuration.new
+    end
+
+    def configure
+      yield config
+    end
+
+    def reset_config!
+      @config = Configuration.new
+    end
+
+    def load_global_config!
+      path = File.join(config.global_dir, 'config.yml')
+      @config = Configuration.load_file(path)
+    end
+
+    def ensure_default_template!
+      dest = File.join(config.resolved_templates_dir, 'default.yml')
+      return if File.exist?(dest)
+
+      src = File.join(Templates::Registry::BUNDLED_DIR, 'default-beastmode.yml')
+      return unless File.exist?(src)
+
+      FileUtils.mkdir_p(File.dirname(dest))
+      FileUtils.cp(src, dest)
+    end
+  end
+end

data/lib/easy_creds/credentials_io.rb

@@ -0,0 +1,128 @@
+# frozen_string_literal: true
+
+require 'yaml'
+require 'pathname'
+require 'securerandom'
+require 'active_support/encrypted_configuration'
+
+module EasyCreds
+  class CredentialsIO
+    GITIGNORE_RULE       = '/config/credentials/*.key'
+    LOCAL_GITIGNORE_RULE = '/config/credentials/*_local.yml.enc'
+
+    def initialize(root, git_repo: true)
+      @root     = Pathname.new(root)
+      @git_repo = git_repo
+    end
+
+    def read(env, local: false)
+      content = configuration(env, local: local).read
+      return {} if content.blank?
+
+      YAML.safe_load(content, symbolize_names: true, permitted_classes: [Symbol, Date, Time]) || {}
+    rescue ActiveSupport::EncryptedFile::MissingKeyError
+      {}
+    end
+
+    def write(env, hash, local: false)
+      configuration(env, local: local).write(hash.deep_stringify_keys.to_yaml)
+    end
+
+    def key_exists?(env, local: false)
+      key_path(env, local: local).exist?
+    end
+
+    def key_value(env, local: false)
+      key_path(env, local: local).read.strip
+    rescue Errno::ENOENT
+      nil
+    end
+
+    def write_key(env, value, local: false)
+      path = key_path(env, local: local)
+      path.dirname.mkpath
+      path.write(value)
+      path.chmod(0o600)
+    end
+
+    def ensure_key!(env, local: false)
+      return if key_exists?(env, local: local)
+
+      write_key(env, SecureRandom.hex(16), local: local)
+    end
+
+    def read_raw(env, local: false)
+      content = configuration(env, local: local).read
+      content.presence || "--- {}\n"
+    rescue ActiveSupport::EncryptedFile::MissingKeyError
+      "--- {}\n"
+    end
+
+    def write_raw(env, yaml_str, local: false)
+      configuration(env, local: local).write(yaml_str)
+    end
+
+    def enc_exists?(env, local: false)
+      enc_path(env, local: local).exist?
+    end
+
+    def gitignore_has_rule?
+      return false unless @git_repo
+
+      gitignore_path.exist? && gitignore_path.read.include?(GITIGNORE_RULE)
+    end
+
+    def add_gitignore_rule!
+      return unless @git_repo
+
+      gitignore_path.open('a') { |f| f.puts("\n#{GITIGNORE_RULE}") }
+    end
+
+    def gitignore_has_local_rule?
+      return false unless @git_repo
+
+      gitignore_path.exist? && gitignore_path.read.include?(LOCAL_GITIGNORE_RULE)
+    end
+
+    def add_local_gitignore_rule!
+      return unless @git_repo
+      return if gitignore_has_local_rule?
+
+      gitignore_path.open('a') { |f| f.puts('', LOCAL_GITIGNORE_RULE) }
+    end
+
+    def example_template
+      path = @root.join('config/credentials/example.yml')
+      return {} unless path.exist?
+
+      YAML.safe_load(path.read, symbolize_names: true) || {}
+    rescue Psych::SyntaxError
+      {}
+    end
+
+    private
+
+    def gitignore_path
+      @root.join('.gitignore')
+    end
+
+    def configuration(env, local: false)
+      ActiveSupport::EncryptedConfiguration.new(
+        config_path: enc_path(env, local: local).to_s,
+        key_path: key_path(env, local: local).to_s,
+        env_key: local ? 'RAILS_MASTER_KEY_LOCAL_UNUSED' : 'RAILS_MASTER_KEY',
+        raise_if_missing_key: false
+      )
+    end
+
+    def enc_path(env, local: false)
+      suffix = local ? '_local' : ''
+      @root.join("config/credentials/#{env}#{suffix}.yml.enc")
+    end
+
+    def key_path(env, local: false)
+      suffix = local ? '_local' : ''
+      @root.join("config/credentials/#{env}#{suffix}.key")
+    end
+  end
+end

data/lib/easy_creds/differ.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module EasyCreds
+  module Differ
+    Change = Data.define(:kind, :key, :side)
+    # kind: :added (remote-only), :removed (local-only), :modified (differs)
+    # side: :local, :remote, :both
+
+    def self.compare(local:, remote:)
+      local_flat  = Flatten.dot(local)
+      remote_flat = Flatten.dot(remote)
+      all_keys    = (local_flat.keys | remote_flat.keys).sort
+
+      all_keys.each_with_object([]) do |key, changes|
+        change = classify_change(key, local_flat, remote_flat)
+        changes << change if change
+      end
+    end
+
+    def self.classify_change(key, local_flat, remote_flat)
+      kind, side = change_kind(
+        local_flat.key?(key), remote_flat.key?(key),
+        local_flat[key], remote_flat[key]
+      )
+      Change.new(kind: kind, key: key, side: side) if kind
+    end
+    private_class_method :classify_change
+
+    def self.change_kind(in_local, in_remote, local_val, remote_val)
+      return %i[removed local] if in_local && !in_remote
+      return %i[added remote] if !in_local && in_remote
+
+      %i[modified both] if local_val.to_s != remote_val.to_s
+    end
+    private_class_method :change_kind
+
+    def self.empty?(changes)
+      changes.empty?
+    end
+  end
+end

data/lib/easy_creds/doctor.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+module EasyCreds
+  class Doctor
+    def initialize(root: nil, verbose: false)
+      @root    = root ? Pathname.new(root) : detect_root
+      @verbose = verbose
+      @checks  = []
+    end
+
+    def run
+      check_op_installed
+      check_op_signed_in
+      check_vault
+      check_project
+      check_gitignore
+
+      print_summary
+      @checks.all? { |c| c[:ok] }
+    end
+
+    private
+
+    def check_op_installed
+      ok = system('which op > /dev/null 2>&1')
+      add_check('op CLI installed', ok, ok ? nil : 'Install with: brew install 1password-cli')
+    end
+
+    def check_op_signed_in
+      return add_check('op signed in', false, 'op not installed') unless op_available?
+
+      email = `op whoami --format=json 2>/dev/null`.then { |raw| parse_email(raw) }
+      add_check('op signed in', !email.nil?, email ? nil : 'Run: op signin', email)
+    end
+
+    def check_vault
+      return add_check('vault reachable', false, 'op not signed in') unless op_signed_in?
+
+      config = ConfigLoader.load(@root)
+      vault  = config.vault
+      return add_check('vault configured', false, 'No vault set. Run: easy_creds init') unless vault
+
+      `op vault get #{vault.shellescape} 2>/dev/null`
+      add_check("vault #{vault}", $CHILD_STATUS.success?, $CHILD_STATUS.success? ? nil : "Vault '#{vault}' not found")
+    end
+
+    def check_project
+      rails = @root.join('config/application.rb').exist?
+      kind  = rails ? "Rails (#{@root})" : "Standalone (#{File.basename(@root)})"
+      add_check("project detected: #{kind}", true)
+    end
+
+    def check_gitignore
+      io = CredentialsIO.new(@root)
+      ok = io.gitignore_has_rule?
+      add_check('credentials/*.key in .gitignore', ok,
+                ok ? nil : 'Run: easy_creds install  or  bin/rails easy_creds:install')
+    end
+
+    def add_check(label, passed, hint = nil, detail = nil)
+      @checks << { label: label, ok: passed, hint: hint, detail: detail }
+      icon = passed ? Theme.ok(Theme::ICONS[:ok]) : Theme.warn(Theme::ICONS[:warn])
+      line = "  #{icon}  #{label}"
+      line += "  #{Theme.dim(detail)}" if detail && @verbose
+      puts line
+      puts "     #{Theme.dim("→ #{hint}")}" if hint && !passed
+    end
+
+    def print_summary
+      puts ''
+      failures = @checks.reject { |c| c[:ok] }
+      if failures.empty?
+        Theme.success('All checks passed')
+      else
+        Theme.failure("#{failures.size} check(s) failed")
+      end
+    end
+
+    def op_available?
+      @checks.find { |c| c[:label] == 'op CLI installed' }&.dig(:ok)
+    end
+
+    def op_signed_in?
+      @checks.find { |c| c[:label] == 'op signed in' }&.dig(:ok)
+    end
+
+    def parse_email(raw)
+      data = JSON.parse(raw)
+      data['email']
+    rescue JSON::ParserError, TypeError
+      nil
+    end
+
+    def detect_root
+      dir = Pathname.new(Dir.pwd)
+      dir = dir.parent until dir.root? || dir.join('config/application.rb').exist?
+      dir.root? ? Pathname.new(Dir.pwd) : dir
+    end
+  end
+end

data/lib/easy_creds/env_picker.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'pathname'
+
+module EasyCreds
+  module EnvPicker
+    def self.available(project_or_root)
+      dir = if project_or_root.respond_to?(:environments_dir)
+              project_or_root.environments_dir
+            else
+              Pathname.new(project_or_root.to_s).join('config/environments')
+            end
+
+      return ['default'] if dir.nil? || !dir.exist?
+
+      envs = dir.glob('*.rb').map { |f| f.basename('.rb').to_s }.sort
+      envs.empty? ? ['default'] : envs
+    end
+
+    def self.default_index(envs, default_env)
+      envs.index(default_env) || 0
+    end
+  end
+end

data/lib/easy_creds/flatten.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module EasyCreds
+  module Flatten
+    def self.dot(hash, prefix = nil)
+      hash.each_with_object({}) do |(key, value), result|
+        full_key = prefix ? "#{prefix}.#{key}" : key.to_s
+        if value.is_a?(Hash)
+          result.merge!(dot(value, full_key))
+        else
+          result[full_key] = value
+        end
+      end
+    end
+
+    def self.unflatten(flat)
+      flat.each_with_object({}) do |(key, value), result|
+        parts = key.to_s.split('.')
+        leaf  = parts.pop
+        node  = parts.reduce(result) { |acc, part| acc[part.to_sym] ||= {} }
+        node[leaf.to_sym] = value
+      end
+    end
+  end
+end

data/lib/easy_creds/generators.rb

@@ -0,0 +1,113 @@
+# frozen_string_literal: true
+
+require 'securerandom'
+require 'open3'
+require 'yaml'
+
+module EasyCreds
+  module Generators
+    KNOWN = {
+      /\bsecret_key_base\b/ => :secret_key_base,
+      /\bdevise_secret_key\b/ => :devise_secret_key,
+      /\bcrypt_secret\b/ => :crypt_secret,
+      /active_record_encryption\./ => :ar_encryption
+    }.freeze
+
+    def self.hint_for(key)
+      KNOWN.each { |pattern, name| return name if key.match?(pattern) }
+      nil
+    end
+
+    def self.secret_key_base = SecureRandom.hex(64)
+    def self.devise_secret_key = SecureRandom.hex(64)
+    def self.crypt_secret      = SecureRandom.hex(32)
+    def self.random_hex(len = 32)   = SecureRandom.hex(len)
+    def self.random_alpha(len = 32) = SecureRandom.alphanumeric(len)
+
+    # Rails-derived Active Record Encryption keys via `rails db:encryption:init`.
+    # Falls back to independent SecureRandom keys when run outside a Rails
+    # project (nil root) or when the shell-out fails.
+    def self.ar_encryption_keys(root = nil)
+      return random_ar_encryption_keys if root.nil?
+
+      stdout, _stderr, status = Open3.capture3(
+        'bundle', 'exec', 'rails', 'db:encryption:init',
+        chdir: root.to_s
+      )
+      return random_ar_encryption_keys unless status.success?
+
+      # Output looks like:
+      #   active_record_encryption:
+      #     primary_key: ...
+      #     deterministic_key: ...
+      #     key_derivation_salt: ...
+      section = stdout[/active_record_encryption:.*\z/m]
+      return random_ar_encryption_keys unless section
+
+      data  = YAML.safe_load(section)
+      inner = data&.dig('active_record_encryption') || {}
+      return random_ar_encryption_keys if inner.empty?
+
+      inner.transform_keys { |k| "active_record_encryption.#{k}" }
+    rescue StandardError => e
+      warn "⚠️  db:encryption:init failed: #{e.message}"
+      random_ar_encryption_keys
+    end
+
+    def self.random_ar_encryption_keys
+      {
+        'active_record_encryption.primary_key' => SecureRandom.hex(32),
+        'active_record_encryption.deterministic_key' => SecureRandom.hex(32),
+        'active_record_encryption.key_derivation_salt' => SecureRandom.hex(32)
+      }
+    end
+
+    # Shells out to `rails secret` (canonical secret_key_base style).
+    # Falls back to SecureRandom on a nil root or any failure.
+    def self.rails_secret(root: nil)
+      return SecureRandom.hex(64) if root.nil?
+
+      stdout, _err, status = Open3.capture3(
+        'bundle', 'exec', 'rails', 'secret',
+        chdir: root.to_s
+      )
+      return SecureRandom.hex(64) unless status.success?
+
+      line = stdout.lines.find { |l| l.strip =~ /\A[0-9a-f]{64,}\z/ }
+      line ? line.strip : SecureRandom.hex(64)
+    rescue StandardError
+      SecureRandom.hex(64)
+    end
+
+    def self.default_for(hint, root: nil)
+      case hint
+      when :secret_key_base, :devise_secret_key, :crypt_secret
+        rails_secret(root: root)
+      when :ar_encryption
+        ar_encryption_keys(root)
+      else
+        random_hex(32)
+      end
+    end
+
+    def self.alternative_for(hint)
+      case hint
+      when :secret_key_base, :devise_secret_key then random_hex(64)
+      when :crypt_secret then random_hex(32)
+      else random_alpha(32)
+      end
+    end
+
+    def self.bulk_for(hint)
+      case hint
+      when :secret_key_base, :devise_secret_key then random_hex(64)
+      when :ar_encryption then nil
+      else random_hex(32)
+      end
+    end
+
+    def self.generate(hint, root: nil)
+      default_for(hint, root: root)
+    end
+  end
+end

data/lib/easy_creds/init_state.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module EasyCreds
+  class Entry
+    attr_accessor :key, :placeholder, :hint, :value, :source
+
+    def initialize(key:, placeholder:, hint:, op_value: nil)
+      @key         = key
+      @placeholder = placeholder
+      @hint        = hint
+      @op_value    = op_value
+      @value       = nil
+      @source      = :unset
+    end
+
+    def set? = source != :unset
+    attr_reader :op_value
+
+    def masked_value
+      return nil unless value
+
+      len = value.to_s.length
+      "#{'●' * [len, 8].min} (#{len} chars)"
+    end
+  end
+
+  class InitState
+    attr_reader   :entries, :op_values
+    attr_accessor :cursor, :scroll_offset, :dirty
+
+    def initialize(entries:, op_values: {})
+      @entries       = entries
+      @op_values     = op_values
+      @cursor        = 0
+      @scroll_offset = 0
+      @dirty         = false
+    end
+
+    def current   = entries[cursor]
+    def set_count = entries.count(&:set?)
+    def total     = entries.size
+
+    def move_up(steps = 1)   = @cursor = [@cursor - steps, 0].max
+    def move_down(steps = 1) = @cursor = [@cursor + steps, entries.size - 1].min
+    def move_first       = @cursor = 0
+    def move_last        = @cursor = entries.size - 1
+
+    def set_entry(entry, value:, source:)
+      entry.value  = value
+      entry.source = source
+      @dirty       = true
+    end
+
+    def clear_entry(entry)
+      entry.value  = nil
+      entry.source = :unset
+    end
+
+    def adjust_scroll(cursor_tree_idx, content_rows)
+      @scroll_offset = cursor_tree_idx if cursor_tree_idx < @scroll_offset
+      @scroll_offset = cursor_tree_idx - content_rows + 1 if cursor_tree_idx >= @scroll_offset + content_rows
+      @scroll_offset = [@scroll_offset, 0].max
+    end
+  end
+end

data/lib/easy_creds/installer.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module EasyCreds
+  class Installer
+    INITIALIZER_PATH = 'config/initializers/00_credentials_local_overlay.rb'
+    GITIGNORE_PATH   = '.gitignore'
+    GITIGNORE_RULE   = "/config/credentials/*.key\n"
+
+    INITIALIZER_CONTENT = <<~RUBY
+      # frozen_string_literal: true
+
+      # Merge config/credentials/<env>_local.yml.enc on top of the base credentials.
+      # The local overlay is gitignored and never pushed to 1Password — use it for
+      # machine-specific overrides (e.g. a local database URL different from staging).
+      require 'easy_creds/overlay'
+      EasyCreds::Overlay.apply!(Rails.application)
+    RUBY
+
+    def initialize(root)
+      @root = Pathname.new(root)
+    end
+
+    def run
+      install_initializer
+      install_gitignore
+    end
+
+    private
+
+    def install_initializer
+      target = @root.join(INITIALIZER_PATH)
+      if target.exist?
+        Theme.notice("#{INITIALIZER_PATH} already exists — skipped")
+        return
+      end
+
+      target.parent.mkpath
+      target.write(INITIALIZER_CONTENT)
+      Theme.success("Created #{INITIALIZER_PATH}")
+    end
+
+    def install_gitignore
+      gitignore = @root.join(GITIGNORE_PATH)
+      content   = gitignore.exist? ? gitignore.read : ''
+
+      if content.include?('credentials/*.key')
+        Theme.notice('.gitignore already has credentials/*.key rule — skipped')
+        return
+      end
+
+      File.open(gitignore, 'a') { |f| f.write(GITIGNORE_RULE) }
+      Theme.success('Added /config/credentials/*.key to .gitignore')
+    end
+  end
+end