easy_creds 1.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: e4de9acf2675f1cd6b624e7217d09d36ea2af3a502b1b799d6d5e578f542d719
+  data.tar.gz: c7dac7a501ebfcc89a4aa3caa35bfc4fe817b374076a6c7a745271d6dc467303
+SHA512:
+  metadata.gz: 6bb5396a44b65b2692b6a303196a98073fd2c42c97dcc21ca2fb4b512d05d6b2e2a8f5762f174d932914c16687b82ea072c5685ce5ac8b39d0f74751961931e4
+  data.tar.gz: 9638ad3ce2c9165555d7a1a71aba4b816944cc8db2f5ab8505bda2edc3f75bb0ae9cad80047ff33f6c2e3109ca92478086a7ec6ea646cf796c9ebf2a97fb1100

data/CHANGELOG.md

@@ -0,0 +1,51 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.0.1] - 2026-06-15
+
+### Added
+
+- Static documentation site under `docs/` (GitHub Pages): overview, getting
+  started, CLI & rake reference, TUI navigator, 1Password sync, local overlay,
+  configuration, templates, and Rails integration.
+- `documentation_uri` metadata pointing at the published docs site.
+
+## [0.1.0] - 2026-06-15
+
+First public release, extracted and generalized from fishme/backend
+`lib/credentials_op_sync`.
+
+### Added
+
+- `EasyCreds::Overlay.apply!` now accepts either a Rails application
+  (`apply!(Rails.application)`, the form the installer-generated initializer
+  emits) or the explicit `apply!(creds, root, env)` triple. Previously the
+  installer-written initializer passed a single argument to a 3-arity method,
+  which raised `ArgumentError` at boot.
+- Test suite ported from `credentials_op_sync`: `CredentialsIO`,
+  `Providers::OnePassword`, the local overlay actions, and a dedicated
+  `overlay_test` that locks both `apply!` call forms.
+
+- Interactive TUI (sync, push, pull, init, edit, editor, local overlay management).
+- 1Password CLI provider (`EasyCreds::Providers::OnePassword`) over the
+  `op://<vault>/<env>/<field>` URI scheme.
+- Standalone mode — works outside a Rails project.
+- Onboarding wizard (`easy_creds init`, `easy_creds onboard`).
+- Bundled templates: `rails-fullstack`, `rails-api`, `microservice-minimal`.
+- Thor CLI entrypoint (`easy_creds` binary).
+- Doctor command for health checks.
+- Rails integration via Railtie (`credentials:sync`, `easy_creds:install`,
+  `easy_creds:onboard`).
+- **Rails-derived value generation with fallback** — inside a Rails project the
+  init navigator generates `secret_key_base` / `devise_secret_key` / `crypt_secret`
+  via `rails secret`, and the three `active_record_encryption.*` keys via
+  `rails db:encryption:init`. Falls back to `SecureRandom` when the shell-out
+  fails or when run standalone. This matches the behavior of the original
+  `credentials_op_sync` tool.
+- Provider audit logging to `log/easy_creds.log` when running inside a project.
+
+[0.1.0]: https://github.com/way2do-it/easy_creds/releases/tag/v0.1.0

data/LICENSE.txt

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Pawel Niemczyk
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,165 @@
+# easy_creds
+
+Interactive TUI for syncing encrypted Rails credentials with 1Password. Works inside Rails projects or as a standalone CLI.
+
+[![Gem Version](https://badge.fury.io/rb/easy_creds.svg)](https://rubygems.org/gems/easy_creds)
+
+**[💎 RubyGems](https://rubygems.org/gems/easy_creds)**  |  **[📖 Documentation](https://pniemczyk.github.io/easy_creds/)**  |  **[GitHub](https://github.com/pniemczyk/easy_creds)**  |  **[Changelog](CHANGELOG.md)**
+
+## Features
+
+- **Full-screen TUI navigator** — browse all credential keys, generate values, pull from 1Password, or enter manually, all from one interface
+- **Push / pull diff** — see exactly what changed before committing to 1Password
+- **Local overlay** — keep machine-specific secrets in a gitignored `_local.yml.enc` that merges on top of the base credentials at boot
+- **Onboarding wizard** — scaffold an `example.yml` for any new project from bundled or custom templates
+- **Provider abstraction** — 1Password CLI ships in v1; the seam is open for other providers
+
+## Requirements
+
+- Ruby ≥ 3.2
+- [1Password CLI](https://developer.1password.com/docs/cli/) (`op`) installed and signed in
+- Rails ≥ 7.0 (for Rails usage) — or any directory for standalone usage
+
+## Installation
+
+Add to your Gemfile:
+
+```ruby
+gem 'easy_creds'
+```
+
+Then run:
+
+```bash
+bundle install
+bin/rails easy_creds:install   # install overlay initializer + gitignore rules
+```
+
+## Quick start (Rails)
+
+```bash
+# First time — scaffold example.yml
+bin/rails easy_creds:onboard
+
+# Day-to-day — open TUI
+bin/rails credentials:sync
+```
+
+## Quick start (standalone CLI)
+
+```bash
+# First time — gem setup + pick vault
+easy_creds init
+
+# Per-project onboarding
+cd /path/to/project
+easy_creds onboard
+
+# Open sync TUI
+easy_creds sync
+```
+
+## CLI reference
+
+| Command | Description |
+|---|---|
+| `easy_creds sync [ENV]` | Open interactive TUI loop |
+| `easy_creds init` | First-time gem setup (global dir, vault) |
+| `easy_creds onboard` | Per-project example.yml wizard |
+| `easy_creds install` | Install overlay initializer + gitignore rules |
+| `easy_creds doctor` | Health check (op CLI, sign-in, vault, project) |
+| `easy_creds template list` | List available templates |
+| `easy_creds version` | Print gem version |
+
+## Rake tasks (Rails)
+
+| Task | Description |
+|---|---|
+| `rails credentials:sync` | Open TUI sync loop |
+| `rails easy_creds:install` | Install overlay initializer + gitignore |
+| `rails easy_creds:onboard` | Per-project onboarding wizard |
+
+## TUI keyboard shortcuts
+
+| Key | Action |
+|---|---|
+| `↑` / `↓` or `k` / `j` | Navigate keys |
+| `PgUp` / `PgDn` | Jump 10 |
+| `Home` / `End` | First / last |
+| `g` | Generate value (default) |
+| `G` | Generate alt value |
+| `b` | Batch generate AR encryption keys (3 keys) |
+| `t` | Use template placeholder |
+| `o` | Fill from 1Password |
+| `m` | Enter manually (hidden input) |
+| `c` | Clear / reset to unset |
+| `T` | Template all unset |
+| `R` | Generate all suggested |
+| `O` | Fill all unset from 1Password |
+| `s` | Save and write `.yml.enc` |
+| `q` | Quit (confirm if unsaved) |
+| `?` / `h` | Toggle help panel |
+
+> **Value generation.** Inside a Rails project, `g` / `b` / `R` derive secrets
+> with Rails itself — `rails secret` for `secret_key_base` / `devise_secret_key`
+> / `crypt_secret`, and `rails db:encryption:init` for the three
+> `active_record_encryption.*` keys. If the shell-out fails or you run
+> standalone (outside a Rails app), generation falls back to `SecureRandom`.
+> `G` (alt) always uses `SecureRandom`.
+
+## Local overlay
+
+The overlay merges a gitignored `config/credentials/<env>_local.yml.enc` on top of the base credentials at boot. Useful for machine-specific overrides (e.g. a local database URL).
+
+```bash
+# Open the local overlay editor
+bin/rails credentials:sync   # → choose Local → Edit (inline)
+# or
+easy_creds sync development  # → Local → Edit
+```
+
+The overlay key (`<env>_local.key`) is never pushed to 1Password.
+
+## Configuration
+
+```ruby
+# config/initializers/easy_creds.rb  (optional)
+EasyCreds.configure do |config|
+  config.global_dir       = '~/.easy_creds'       # default
+  config.default_provider = :onepassword           # default
+  config.default_vault    = nil                    # prompted on first run
+  config.default_template = :rails_fullstack       # default
+end
+```
+
+Precedence (low → high): built-in defaults → `~/.easy_creds/config.yml` → `<project>/config/easy_creds.yml` → `EasyCreds.configure { }`.
+
+## Templates
+
+Three bundled templates:
+
+| Name | Use case |
+|---|---|
+| `rails-fullstack` | Full Rails app (DB, AR encryption, OAuth, S3) |
+| `rails-api` | API-only Rails (DB, AR encryption, OAuth) |
+| `microservice-minimal` | Minimal service (DB URL, one API key) |
+
+Save a custom template:
+
+```bash
+easy_creds template save myapp --from config/credentials/example.yml
+```
+
+## Development
+
+```bash
+cd ~/git/cowork/gems/easy_creds
+bundle install
+bundle exec rake test          # run test suite
+bundle exec exe/easy_creds version
+bundle exec exe/easy_creds doctor
+```
+
+## License
+
+MIT

data/exe/easy_creds

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'easy_creds'
+
+EasyCreds::ThorCLI.start(ARGV)

data/lib/easy_creds/actions/edit.rb

@@ -0,0 +1,156 @@
+# frozen_string_literal: true
+
+# rubocop:disable Naming/PredicateMethod
+
+require 'tty-spinner'
+
+module EasyCreds
+  module Actions
+    module Edit
+      def self.call(ctx, local: false)
+        label = local ? "#{ctx.env}_local" : ctx.env
+        Theme.section("Edit — credentials/#{label}.yml.enc")
+
+        unless ctx.io.key_exists?(ctx.env, local: local)
+          Theme.failure('No local key. Run `init` or `pull` first.')
+          return
+        end
+
+        local_hash, remote_fields = load_data(ctx, local: local)
+        local_flat  = Flatten.dot(local_hash)
+        modified    = run_edit_loop(ctx, local_flat, remote_fields, local: local)
+
+        persist(ctx, local_flat, label, local: local, modified: modified)
+      end
+
+      private_class_method def self.run_edit_loop(ctx, local_flat, remote_flat, local:)
+        modified = false
+        loop do
+          puts ''
+          all_keys = (local_flat.keys | remote_flat.keys).sort
+          choices  = all_keys.map do |k|
+            { name: format_key_choice(k, local_flat, remote_flat, local: local), value: k }
+          end
+          choices << { name: Theme.dim('─── done ───'), value: :done }
+
+          key = ctx.prompt.select('Pick a key to edit:', choices, cycle: true, filter: true, per_page: 15)
+          break if key == :done
+
+          modified = true if edit_key(ctx, key, local_flat, remote_flat, local: local)
+        end
+        modified
+      end
+
+      private_class_method def self.load_data(ctx, local:)
+        if local
+          spinner = TTY::Spinner.new('[:spinner] Reading...', format: :dots)
+          spinner.auto_spin
+          result = ctx.io.read(ctx.env, local: true)
+          spinner.stop('')
+          [result, {}]
+        else
+          spinner = TTY::Spinner.new('[:spinner] Fetching...', format: :dots)
+          spinner.auto_spin
+          result        = ctx.io.read(ctx.env)
+          remote_fields = ctx.op.item(ctx.env) || {}
+          spinner.stop('')
+          [result, remote_fields]
+        end
+      end
+
+      private_class_method def self.persist(ctx, local_flat, label, local:, modified:)
+        unless modified
+          Theme.notice('No changes made')
+          return
+        end
+
+        ctx.io.write(ctx.env, Flatten.unflatten(local_flat), local: local)
+        Theme.success("Saved config/credentials/#{label}.yml.enc")
+
+        Actions::Push.call(ctx) if !local && ctx.prompt.yes?('Push changes to 1Password now?')
+      end
+
+      private_class_method def self.format_key_choice(key, local_flat, remote_flat, local: false)
+        in_local  = local_flat.key?(key)
+        in_remote = remote_flat.key?(key)
+        hint      = Generators.hint_for(key)
+
+        flags = []
+        flags << Theme.ok('L') if in_local
+        flags << Theme.dim('-') unless in_local
+        unless local
+          flags << Theme.info('R') if in_remote
+          flags << Theme.dim('-') unless in_remote
+        end
+        flags << Theme.dim(' ⚡') if hint
+
+        "#{Theme.key_tag(key.ljust(45))} #{flags.join}"
+      end
+
+      private_class_method def self.edit_key(ctx, key, local_flat, remote_flat, local: false)
+        hint       = Generators.hint_for(key)
+        local_val  = local_flat[key]
+        remote_val = remote_flat[key]
+
+        puts ''
+        puts "  #{Theme.bold(key)}"
+        puts "  #{Theme.dim('local: ')}  #{local_val  ? '(set)' : Theme.dim('(missing)')}"
+        puts "  #{Theme.dim('remote:')}  #{remote_val ? '(set)' : Theme.dim('(missing)')}" unless local
+        puts "  #{Theme.dim('generator:')} #{hint}" if hint
+
+        action = ctx.prompt.select('Action:', build_choices(hint, remote_val, local_val, local: local), cycle: false)
+        apply_edit(action, ctx, local_flat, key: key, remote_val: remote_val)
+      end
+
+      private_class_method def self.build_choices(hint, remote_val, local_val, local:)
+        choices = []
+        choices << { name: "generate  (#{hint})", value: :generate } if hint
+        choices << { name: 'enter new value',      value: :enter }
+        choices << { name: 'use remote value',     value: :use_remote } if remote_val && !local
+        choices << { name: 'delete (remove key)',  value: :delete } if local_val
+        choices << { name: 'cancel',               value: :cancel }
+        choices
+      end
+
+      private_class_method def self.apply_edit(action, ctx, local_flat, key:, remote_val:)
+        hint = Generators.hint_for(key)
+        case action
+        when :generate  then apply_generate(hint, key, local_flat, ctx)
+        when :enter     then apply_enter(ctx, key, local_flat)
+        when :use_remote
+          local_flat[key] = remote_val
+          puts "  #{Theme.ok('Copied from remote')}"
+          true
+        when :delete
+          local_flat.delete(key)
+          puts "  #{Theme.warn('Deleted')}"
+          true
+        when :cancel then false
+        end
+      end
+
+      private_class_method def self.apply_generate(hint, key, local_flat, ctx)
+        val = Generators.generate(hint, root: ctx.root)
+        if val.is_a?(Hash)
+          val.each { |k, v| local_flat[k] = v }
+          puts "  #{Theme.ok("Generated #{val.size} key(s)")}"
+        else
+          local_flat[key] = val
+          puts "  #{Theme.ok('Generated')}"
+        end
+        true
+      end
+
+      private_class_method def self.apply_enter(ctx, key, local_flat)
+        val = ctx.prompt.ask('  Value (input hidden):') { |q| q.echo(false) }
+        return false if val.blank?
+
+        local_flat[key] = val
+        puts "  #{Theme.ok('Set')}"
+        true
+      end
+    end
+  end
+end
+
+# rubocop:enable Naming/PredicateMethod

data/lib/easy_creds/actions/editor_edit.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require 'tempfile'
+require 'shellwords'
+require 'yaml'
+
+module EasyCreds
+  module Actions
+    module EditorEdit
+      def self.call(ctx, local: false)
+        label = local ? "#{ctx.env}_local" : ctx.env
+        Theme.section("Editor — credentials/#{label}.yml.enc")
+
+        unless ctx.io.key_exists?(ctx.env, local: local)
+          Theme.failure('No local key. Run `init` or `pull` first.')
+          return
+        end
+
+        editor_cmd = resolve_editor
+        unless editor_cmd
+          Theme.failure("$VISUAL / $EDITOR is not set.\n  Examples: export EDITOR=\"code --wait\"")
+          return
+        end
+
+        yaml_str = ctx.io.read_raw(ctx.env, local: local)
+        saved    = edit_in_editor(ctx, label, yaml_str, editor_cmd, local: local)
+        Actions::Push.call(ctx) if !local && saved && ctx.prompt.yes?('Push changes to 1Password now?')
+      end
+
+      private_class_method def self.edit_in_editor(ctx, label, yaml_str, editor_cmd, local:)
+        saved = false
+        Tempfile.create(["credentials_#{label}_", '.yml']) do |f|
+          f.write(yaml_str)
+          f.flush
+          File.chmod(0o600, f.path)
+          puts "  #{Theme.dim("#{editor_cmd.first} #{f.path}")}"
+          puts "  #{Theme.dim('(save and close the file to continue)')}"
+          puts ''
+          system(*editor_cmd, f.path)
+          saved = apply_edit(ctx, f.path, yaml_str, label, local: local)
+        end
+        saved
+      end
+
+      private_class_method def self.apply_edit(ctx, path, original, label, local:)
+        new_yaml = File.read(path)
+        begin
+          YAML.safe_load(new_yaml, permitted_classes: [Symbol, Date, Time])
+        rescue Psych::SyntaxError => e
+          Theme.failure("YAML syntax error — not saved: #{e.message}")
+          return false
+        end
+        return Theme.notice('No changes made') || false if new_yaml == original
+
+        ctx.io.write_raw(ctx.env, new_yaml, local: local)
+        Theme.success("Saved config/credentials/#{label}.yml.enc")
+        true
+      end
+
+      private_class_method def self.resolve_editor
+        raw = ENV['VISUAL'].presence || ENV['EDITOR'].presence
+        return nil unless raw
+
+        Shellwords.split(raw)
+      rescue ArgumentError
+        [raw]
+      end
+    end
+  end
+end

data/lib/easy_creds/actions/init.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require 'tty-spinner'
+
+module EasyCreds
+  module Actions
+    module Init
+      def self.call(ctx)
+        Theme.section("Init — bootstrap credentials/#{ctx.env}.yml.enc")
+        return unless overwrite?(ctx)
+
+        template = load_template(ctx)
+        return unless template
+
+        remote_fields = fetch_remote(ctx)
+        state = build_state(template, remote_fields, ctx.config.ignore_keys)
+        run_navigator(state, ctx)
+      end
+
+      private_class_method def self.overwrite?(ctx)
+        return true unless ctx.io.enc_exists?(ctx.env)
+
+        Theme.warning("config/credentials/#{ctx.env}.yml.enc already exists.")
+        ctx.prompt.yes?('Continue and overwrite with a new file?', default: false)
+      end
+
+      private_class_method def self.load_template(ctx)
+        tpl = ctx.io.example_template
+        return tpl unless tpl.empty?
+
+        Theme.failure('config/credentials/example.yml not found. Cannot bootstrap.')
+        nil
+      end
+
+      private_class_method def self.fetch_remote(ctx)
+        spinner = TTY::Spinner.new('[:spinner] Checking 1Password for existing values...', format: :dots)
+        spinner.auto_spin
+        fields = Flatten.dot(ctx.op.item(ctx.env) || {})
+        spinner.stop('')
+        fields
+      end
+
+      private_class_method def self.run_navigator(state, ctx)
+        puts ''
+        Theme.notice("Opening navigator — #{state.total} keys from example.yml")
+        puts ''
+        sleep 0.8
+
+        result = Views::InitTree.run(state, ctx)
+        result == :saved ? save!(state, ctx) : Theme.warning('Init aborted — no files written.')
+      end
+
+      private_class_method def self.build_state(template, remote_fields, ignore_keys)
+        entries = Flatten.dot(template).filter_map do |key, placeholder|
+          next if ignore_keys.include?(key)
+
+          Entry.new(
+            key: key,
+            placeholder: placeholder,
+            hint: Generators.hint_for(key),
+            op_value: remote_fields[key]
+          )
+        end
+        InitState.new(entries: entries, op_values: remote_fields)
+      end
+
+      private_class_method def self.save!(state, ctx)
+        env         = ctx.env
+        result_flat = state.entries.reject { |e| e.source == :unset }.to_h { |e| [e.key, e.value] }
+
+        ctx.io.ensure_key!(env) unless ctx.io.key_exists?(env)
+        ensure_gitignore(ctx)
+
+        ctx.io.write(env, Flatten.unflatten(result_flat))
+        Theme.success("Wrote config/credentials/#{env}.yml.enc (#{result_flat.size} keys)")
+
+        offer_push(ctx, env)
+      end
+
+      private_class_method def self.ensure_gitignore(ctx)
+        return if ctx.io.gitignore_has_rule?
+
+        ctx.io.add_gitignore_rule!
+        Theme.notice('Added /config/credentials/*.key to .gitignore')
+      end
+
+      private_class_method def self.offer_push(ctx, env)
+        puts ''
+        Actions::Push.call(ctx) if ctx.prompt.yes?("Push these credentials to op://#{ctx.config.vault}/#{env} now?")
+      end
+    end
+  end
+end

data/lib/easy_creds/actions/local/delete.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require 'pathname'
+
+module EasyCreds
+  module Actions
+    module Local
+      module Delete
+        def self.call(ctx)
+          env = ctx.env
+          Theme.section("Local overlay — delete #{env}_local")
+
+          enc_exists = ctx.io.enc_exists?(env, local: true)
+          key_exists = ctx.io.key_exists?(env, local: true)
+
+          return Theme.notice("No local overlay files found for #{env}.") unless enc_exists || key_exists
+
+          preview_files(env, enc_exists, key_exists)
+          return Theme.notice('Cancelled') unless ctx.prompt.yes?('Are you sure?', default: false)
+
+          perform_delete(Pathname.new(ctx.root), env, enc_exists, key_exists)
+        end
+
+        private_class_method def self.preview_files(env, enc_exists, key_exists)
+          puts ''
+          puts '  This will permanently delete:'
+          puts "  #{Theme.warn("config/credentials/#{env}_local.yml.enc")}" if enc_exists
+          puts "  #{Theme.warn("config/credentials/#{env}_local.key")}"     if key_exists
+          puts ''
+        end
+
+        private_class_method def self.perform_delete(root, env, enc_exists, key_exists)
+          delete_file(root.join("config/credentials/#{env}_local.yml.enc"), "#{env}_local.yml.enc") if enc_exists
+          delete_file(root.join("config/credentials/#{env}_local.key"),     "#{env}_local.key")     if key_exists
+        end
+
+        private_class_method def self.delete_file(path, label)
+          path.delete
+          Theme.success("Deleted #{label}")
+        end
+      end
+    end
+  end
+end

data/lib/easy_creds/actions/local/edit.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module EasyCreds
+  module Actions
+    module Local
+      module Edit
+        def self.call(ctx)
+          Actions::Edit.call(ctx, local: true)
+        end
+      end
+    end
+  end
+end

data/lib/easy_creds/actions/local/editor_edit.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module EasyCreds
+  module Actions
+    module Local
+      module EditorEdit
+        def self.call(ctx)
+          Actions::EditorEdit.call(ctx, local: true)
+        end
+      end
+    end
+  end
+end

data/lib/easy_creds/actions/local/init.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module EasyCreds
+  module Actions
+    module Local
+      module Init
+        def self.call(ctx)
+          Theme.section("Local overlay — init #{ctx.env}_local")
+
+          if ctx.io.enc_exists?(ctx.env, local: true)
+            Theme.notice("#{ctx.env}_local.yml.enc already exists. Use `edit` or `editor-edit` to modify it.")
+            return
+          end
+
+          create_overlay!(ctx)
+        end
+
+        private_class_method def self.create_overlay!(ctx)
+          ctx.io.add_local_gitignore_rule!
+          ctx.io.ensure_key!(ctx.env, local: true)
+          ctx.io.write(ctx.env, {}, local: true)
+
+          puts ''
+          Theme.success("Created config/credentials/#{ctx.env}_local.yml.enc")
+          Theme.success("Created config/credentials/#{ctx.env}_local.key")
+
+          Local::EditorEdit.call(ctx) if ctx.prompt.yes?('Open in editor now?')
+        end
+      end
+    end
+  end
+end