RubyGems - familia - Versions diffs - 2.0.0.pre3 → 2.0.0.pre5 - Mend

familia 2.0.0.pre3 → 2.0.0.pre5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (135) hide show

checksums.yaml +4 -4
data/.gitignore +3 -0
data/.rubocop_todo.yml +17 -17
data/CLAUDE.md +3 -3
data/Gemfile +5 -1
data/Gemfile.lock +18 -3
data/README.md +36 -157
data/TEST_COVERAGE.md +40 -0
data/docs/overview.md +359 -0
data/docs/wiki/API-Reference.md +270 -0
data/docs/wiki/Encrypted-Fields-Overview.md +64 -0
data/docs/wiki/Home.md +49 -0
data/docs/wiki/Implementation-Guide.md +183 -0
data/docs/wiki/Security-Model.md +143 -0
data/lib/familia/base.rb +18 -27
data/lib/familia/connection.rb +6 -5
data/lib/familia/{datatype → data_type}/commands.rb +2 -5
data/lib/familia/{datatype → data_type}/serialization.rb +8 -10
data/lib/familia/{datatype → data_type}/types/hashkey.rb +2 -2
data/lib/familia/{datatype → data_type}/types/list.rb +17 -18
data/lib/familia/{datatype → data_type}/types/sorted_set.rb +17 -17
data/lib/familia/{datatype → data_type}/types/string.rb +2 -1
data/lib/familia/{datatype → data_type}/types/unsorted_set.rb +17 -18
data/lib/familia/{datatype.rb → data_type.rb} +10 -12
data/lib/familia/encryption/manager.rb +102 -0
data/lib/familia/encryption/provider.rb +49 -0
data/lib/familia/encryption/providers/aes_gcm_provider.rb +103 -0
data/lib/familia/encryption/providers/secure_xchacha20_poly1305_provider.rb +184 -0
data/lib/familia/encryption/providers/xchacha20_poly1305_provider.rb +118 -0
data/lib/familia/encryption/registry.rb +50 -0
data/lib/familia/encryption.rb +178 -0
data/lib/familia/encryption_request_cache.rb +68 -0
data/lib/familia/features/encrypted_fields/encrypted_field_type.rb +153 -0
data/lib/familia/features/encrypted_fields.rb +28 -0
data/lib/familia/features/expiration.rb +107 -77
data/lib/familia/features/quantization.rb +5 -9
data/lib/familia/features/relatable_objects.rb +2 -4
data/lib/familia/features/safe_dump.rb +14 -17
data/lib/familia/features/transient_fields/redacted_string.rb +159 -0
data/lib/familia/features/transient_fields/single_use_redacted_string.rb +62 -0
data/lib/familia/features/transient_fields/transient_field_type.rb +139 -0
data/lib/familia/features/transient_fields.rb +47 -0
data/lib/familia/features.rb +40 -24
data/lib/familia/field_type.rb +270 -0
data/lib/familia/horreum/connection.rb +8 -11
data/lib/familia/horreum/{commands.rb → database_commands.rb} +7 -19
data/lib/familia/horreum/definition_methods.rb +453 -0
data/lib/familia/horreum/{class_methods.rb → management_methods.rb} +19 -229
data/lib/familia/horreum/serialization.rb +46 -18
data/lib/familia/horreum/settings.rb +10 -2
data/lib/familia/horreum/utils.rb +9 -10
data/lib/familia/horreum.rb +18 -10
data/lib/familia/logging.rb +14 -14
data/lib/familia/settings.rb +39 -3
data/lib/familia/utils.rb +45 -0
data/lib/familia/version.rb +1 -1
data/lib/familia.rb +2 -1
data/try/core/base_enhancements_try.rb +115 -0
data/try/core/connection_try.rb +0 -1
data/try/core/errors_try.rb +0 -1
data/try/core/familia_extended_try.rb +3 -4
data/try/core/familia_try.rb +0 -1
data/try/core/pools_try.rb +2 -2
data/try/core/secure_identifier_try.rb +0 -1
data/try/core/settings_try.rb +0 -1
data/try/core/utils_try.rb +0 -1
data/try/{datatypes → data_types}/boolean_try.rb +1 -2
data/try/{datatypes → data_types}/datatype_base_try.rb +2 -3
data/try/{datatypes → data_types}/hash_try.rb +1 -2
data/try/{datatypes → data_types}/list_try.rb +1 -2
data/try/{datatypes → data_types}/set_try.rb +1 -2
data/try/{datatypes → data_types}/sorted_set_try.rb +1 -2
data/try/{datatypes → data_types}/string_try.rb +1 -2
data/try/debugging/README.md +32 -0
data/try/debugging/cache_behavior_tracer.rb +91 -0
data/try/debugging/encryption_method_tracer.rb +138 -0
data/try/debugging/provider_diagnostics.rb +110 -0
data/try/edge_cases/hash_symbolization_try.rb +0 -1
data/try/edge_cases/json_serialization_try.rb +0 -1
data/try/edge_cases/reserved_keywords_try.rb +42 -11
data/try/encryption/config_persistence_try.rb +192 -0
data/try/encryption/encryption_core_try.rb +328 -0
data/try/encryption/instance_variable_scope_try.rb +31 -0
data/try/encryption/module_loading_try.rb +28 -0
data/try/encryption/providers/aes_gcm_provider_try.rb +178 -0
data/try/encryption/providers/xchacha20_poly1305_provider_try.rb +169 -0
data/try/encryption/roundtrip_validation_try.rb +28 -0
data/try/encryption/secure_memory_handling_try.rb +125 -0
data/try/features/encrypted_fields_core_try.rb +117 -0
data/try/features/encrypted_fields_integration_try.rb +220 -0
data/try/features/encrypted_fields_no_cache_security_try.rb +205 -0
data/try/features/encrypted_fields_security_try.rb +370 -0
data/try/features/encryption_fields/aad_protection_try.rb +53 -0
data/try/features/encryption_fields/context_isolation_try.rb +120 -0
data/try/features/encryption_fields/error_conditions_try.rb +116 -0
data/try/features/encryption_fields/fresh_key_derivation_try.rb +122 -0
data/try/features/encryption_fields/fresh_key_try.rb +163 -0
data/try/features/encryption_fields/key_rotation_try.rb +117 -0
data/try/features/encryption_fields/memory_security_try.rb +37 -0
data/try/features/encryption_fields/missing_current_key_version_try.rb +23 -0
data/try/features/encryption_fields/nonce_uniqueness_try.rb +54 -0
data/try/features/encryption_fields/thread_safety_try.rb +199 -0
data/try/features/expiration_try.rb +0 -1
data/try/features/feature_dependencies_try.rb +159 -0
data/try/features/quantization_try.rb +0 -1
data/try/features/real_feature_integration_try.rb +148 -0
data/try/features/relatable_objects_try.rb +0 -1
data/try/features/safe_dump_advanced_try.rb +0 -1
data/try/features/safe_dump_try.rb +0 -1
data/try/features/transient_fields/redacted_string_try.rb +248 -0
data/try/features/transient_fields/refresh_reset_try.rb +164 -0
data/try/features/transient_fields/simple_refresh_test.rb +50 -0
data/try/features/transient_fields/single_use_redacted_string_try.rb +310 -0
data/try/features/transient_fields_core_try.rb +181 -0
data/try/features/transient_fields_integration_try.rb +260 -0
data/try/helpers/test_helpers.rb +42 -0
data/try/horreum/base_try.rb +157 -3
data/try/horreum/class_methods_try.rb +27 -36
data/try/horreum/enhanced_conflict_handling_try.rb +176 -0
data/try/horreum/field_categories_try.rb +118 -0
data/try/horreum/field_definition_try.rb +96 -0
data/try/horreum/initialization_try.rb +0 -1
data/try/horreum/relations_try.rb +0 -1
data/try/horreum/serialization_persistent_fields_try.rb +165 -0
data/try/horreum/serialization_try.rb +2 -3
data/try/memory/memory_basic_test.rb +73 -0
data/try/memory/memory_detailed_test.rb +121 -0
data/try/memory/memory_docker_ruby_dump.sh +80 -0
data/try/memory/memory_search_for_string.rb +83 -0
data/try/memory/test_actual_redactedstring_protection.rb +38 -0
data/try/models/customer_safe_dump_try.rb +0 -1
data/try/models/customer_try.rb +0 -1
data/try/models/datatype_base_try.rb +1 -2
data/try/models/familia_object_try.rb +0 -1
metadata +85 -18

data/try/encryption/encryption_core_try.rb ADDED Viewed

@@ -0,0 +1,328 @@
+# try/encryption/encryption_core_try.rb
+require_relative '../helpers/test_helpers'
+require_relative '../../lib/familia/encryption'
+require 'base64'
+# Test constants will be redefined in each test since variables don't persist
+## Basic round-trip encryption and decryption works
+test_keys = { v1: Base64.strict_encode64('a' * 32), v2: Base64.strict_encode64('b' * 32) }
+context = "TestModel:secret_field:user123"
+plaintext = "sensitive data here"
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v2
+encrypted = Familia::Encryption.encrypt(plaintext, context: context)
+decrypted = Familia::Encryption.decrypt(encrypted, context: context)
+decrypted
+#=> "sensitive data here"
+## Encrypted data contains expected JSON structure
+test_keys = { v1: Base64.strict_encode64('a' * 32), v2: Base64.strict_encode64('b' * 32) }
+context = "TestModel:secret_field:user123"
+plaintext = "sensitive data here"
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v2
+encrypted = Familia::Encryption.encrypt(plaintext, context: context)
+encrypted_data = JSON.parse(encrypted, symbolize_names: true)
+encrypted_data[:algorithm]
+#=> "xchacha20poly1305"
+## Encrypted data includes current key version
+test_keys = { v1: Base64.strict_encode64('a' * 32), v2: Base64.strict_encode64('b' * 32) }
+context = "TestModel:secret_field:user123"
+plaintext = "sensitive data here"
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v2
+encrypted = Familia::Encryption.encrypt(plaintext, context: context)
+encrypted_data = JSON.parse(encrypted, symbolize_names: true)
+encrypted_data[:key_version]
+#=> "v2"## Nonce is unique - same plaintext encrypts to different ciphertext
+test_keys = { v1: Base64.strict_encode64('a' * 32), v2: Base64.strict_encode64('b' * 32) }
+context = "TestModel:secret_field:user123"
+plaintext = "sensitive data here"
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v2
+encrypted1 = Familia::Encryption.encrypt(plaintext, context: context)
+encrypted2 = Familia::Encryption.encrypt(plaintext, context: context)
+encrypted1 != encrypted2
+#=> true
+## But both decrypt to same plaintext
+test_keys = { v1: Base64.strict_encode64('a' * 32), v2: Base64.strict_encode64('b' * 32) }
+context = "TestModel:secret_field:user123"
+plaintext = "sensitive data here"
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v2
+encrypted1 = Familia::Encryption.encrypt(plaintext, context: context)
+encrypted2 = Familia::Encryption.encrypt(plaintext, context: context)
+decrypted1 = Familia::Encryption.decrypt(encrypted1, context: context)
+decrypted2 = Familia::Encryption.decrypt(encrypted2, context: context)
+[decrypted1, decrypted2]
+#=> ["sensitive data here", "sensitive data here"]
+## Nil plaintext returns nil
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+Familia::Encryption.encrypt(nil, context: 'test')
+#=> nil
+## Empty string plaintext returns nil
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+Familia::Encryption.encrypt("", context: 'test')
+#=> nil
+## AAD prevents decryption with wrong additional data - raises EncryptionError
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+context = "TestModel:secret_field:user123"
+plaintext = "sensitive data here"
+additional_data = "user123:email@example.com"
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+encrypted = Familia::Encryption.encrypt(plaintext, context: context, additional_data: additional_data)
+begin
+  Familia::Encryption.decrypt(encrypted, context: context, additional_data: "wrong_aad")
+  "should_not_reach_here"
+rescue Familia::EncryptionError => e
+  e.message.include?("Decryption failed")
+end
+#=> true
+## Unknown algorithm raises sanitized error
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+context = "TestModel:secret_field:user123"
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+# Create encrypted data with unknown algorithm. Error should not leak algorithm details.
+invalid_encrypted = {
+  algorithm: "unknown-cipher",
+  key_version: "v1",
+  nonce: Base64.strict_encode64("x" * 12),
+  ciphertext: Base64.strict_encode64("encrypted_data"),
+  auth_tag: Base64.strict_encode64("y" * 16)
+}.to_json
+Familia::Encryption.decrypt(invalid_encrypted, context: context)
+#=!> Familia::EncryptionError
+#==> error.message.include?("Unsupported algorithm")
+#==> error.message.include?("unknown-cipher")
+## Malformed JSON raises sanitized error
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+context = "TestModel:secret_field:user123"
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+Familia::Encryption.decrypt("invalid json {", context: context)
+#=!> Familia::EncryptionError
+#==> error.message.include?("Decryption failed")
+## Invalid base64 nonce raises sanitized error
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+context = "TestModel:secret_field:user123"
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+# Create encrypted data with invalid base64 nonce
+invalid_encrypted = {
+  algorithm: "aes-256-gcm",
+  key_version: "v1",
+  nonce: "invalid_base64!@#",
+  ciphertext: Base64.strict_encode64("encrypted_data"),
+  auth_tag: Base64.strict_encode64("y" * 16)
+}.to_json
+begin
+  Familia::Encryption.decrypt(invalid_encrypted, context: context)
+  "should_not_reach_here"
+rescue Familia::EncryptionError => e
+  e.message.include?("Decryption failed")
+end
+#=> true
+## Invalid base64 auth_tag raises sanitized error
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+context = "TestModel:secret_field:user123"
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+# Create encrypted data with invalid base64 auth_tag
+invalid_encrypted = {
+  algorithm: "aes-256-gcm",
+  key_version: "v1",
+  nonce: Base64.strict_encode64("x" * 12),
+  ciphertext: Base64.strict_encode64("encrypted_data"),
+  auth_tag: "invalid_base64!@#"
+}.to_json
+begin
+  Familia::Encryption.decrypt(invalid_encrypted, context: context)
+  "should_not_reach_here"
+rescue Familia::EncryptionError => e
+  e.message.include?("Decryption failed")
+end
+#=> true
+## Wrong nonce size raises sanitized error
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+context = "TestModel:secret_field:user123"
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+# Create encrypted data with wrong nonce size (8 bytes instead of 12)
+invalid_encrypted = {
+  algorithm: "aes-256-gcm",
+  key_version: "v1",
+  nonce: Base64.strict_encode64("x" * 8),
+  ciphertext: Base64.strict_encode64("encrypted_data"),
+  auth_tag: Base64.strict_encode64("y" * 16)
+}.to_json
+begin
+  Familia::Encryption.decrypt(invalid_encrypted, context: context)
+  "should_not_reach_here"
+rescue Familia::EncryptionError => e
+  e.message.include?("Invalid encrypted data")
+end
+#=> true
+## Wrong auth_tag size raises sanitized error
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+context = "TestModel:secret_field:user123"
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+# Create encrypted data with wrong auth_tag size (8 bytes instead of 16)
+invalid_encrypted = {
+  algorithm: "aes-256-gcm",
+  key_version: "v1",
+  nonce: Base64.strict_encode64("x" * 12),
+  ciphertext: Base64.strict_encode64("encrypted_data"),
+  auth_tag: Base64.strict_encode64("y" * 8)
+}.to_json
+begin
+  Familia::Encryption.decrypt(invalid_encrypted, context: context)
+  "should_not_reach_here"
+rescue Familia::EncryptionError => e
+  e.message.include?("Invalid encrypted data")
+end
+#=> true
+## Missing required fields raises sanitized error
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+context = "TestModel:secret_field:user123"
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+# Create encrypted data missing nonce field
+invalid_encrypted = {
+  algorithm: "aes-256-gcm",
+  key_version: "v1",
+  ciphertext: Base64.strict_encode64("encrypted_data"),
+  auth_tag: Base64.strict_encode64("y" * 16)
+}.to_json
+begin
+  Familia::Encryption.decrypt(invalid_encrypted, context: context)
+  "should_not_reach_here"
+rescue Familia::EncryptionError => e
+  e.message.include?("Decryption failed")
+end
+#=> true
+## Algorithm-specific encryption: XChaCha20Poly1305 round-trip
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+context = "TestModel:secret_field:user123"
+plaintext = "xchacha20poly1305 test data"
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+encrypted_xchacha = Familia::Encryption.encrypt_with('xchacha20poly1305', plaintext, context: context)
+decrypted_xchacha = Familia::Encryption.decrypt(encrypted_xchacha, context: context)
+decrypted_xchacha
+#=> "xchacha20poly1305 test data"
+## Algorithm-specific encryption: AES-GCM round-trip
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+context = "TestModel:secret_field:user123"
+plaintext = "aes-256-gcm test data"
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+encrypted_aes = Familia::Encryption.encrypt_with('aes-256-gcm', plaintext, context: context)
+decrypted_aes = Familia::Encryption.decrypt(encrypted_aes, context: context)
+decrypted_aes
+#=> "aes-256-gcm test data"
+## XChaCha20Poly1305 has correct algorithm in encrypted data
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+context = "TestModel:secret_field:user123"
+plaintext = "algorithm check"
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+encrypted_xchacha = Familia::Encryption.encrypt_with('xchacha20poly1305', plaintext, context: context)
+encrypted_data_xchacha = JSON.parse(encrypted_xchacha, symbolize_names: true)
+encrypted_data_xchacha[:algorithm]
+#=> "xchacha20poly1305"
+## AES-GCM has correct algorithm in encrypted data
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+context = "TestModel:secret_field:user123"
+plaintext = "algorithm check"
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+encrypted_aes = Familia::Encryption.encrypt_with('aes-256-gcm', plaintext, context: context)
+encrypted_data_aes = JSON.parse(encrypted_aes, symbolize_names: true)
+encrypted_data_aes[:algorithm]
+#=> "aes-256-gcm"
+## XChaCha20Poly1305 uses 24-byte nonces
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+context = "TestModel:secret_field:user123"
+plaintext = "nonce size test"
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+encrypted_xchacha = Familia::Encryption.encrypt_with('xchacha20poly1305', plaintext, context: context)
+encrypted_data_xchacha = JSON.parse(encrypted_xchacha, symbolize_names: true)
+nonce_bytes_xchacha = Base64.strict_decode64(encrypted_data_xchacha[:nonce])
+nonce_bytes_xchacha.length
+#=> 24
+## AES-GCM uses 12-byte nonces
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+context = "TestModel:secret_field:user123"
+plaintext = "nonce size test"
+Familia.config.encryption_keys = test_keys
+Familia.config.current_key_version = :v1
+encrypted_aes = Familia::Encryption.encrypt_with('aes-256-gcm', plaintext, context: context)
+encrypted_data_aes = JSON.parse(encrypted_aes, symbolize_names: true)
+nonce_bytes_aes = Base64.strict_decode64(encrypted_data_aes[:nonce])
+nonce_bytes_aes.length
+#=> 12
+# TEARDOWN
+Thread.current[:familia_key_cache]&.clear if Thread.current[:familia_key_cache]

data/try/encryption/instance_variable_scope_try.rb ADDED Viewed

@@ -0,0 +1,31 @@
+# try/encryption/debug3_try.rb
+# - Tests instance variable scoping in tryouts framework
+# - Validates that variables persist within test sections
+require 'base64'
+require_relative '../helpers/test_helpers'
+@test_keys = {
+  v1: Base64.strict_encode64('a' * 32)
+}
+## Check if instance variables work
+@test_keys.nil?
+#=> false
+## Check if we can access specific key
+@test_keys[:v1].nil?
+#=> false
+## Set config and check immediately in same test
+Familia.config.encryption_keys = @test_keys
+Familia.config.current_key_version = :v1
+result = Familia::Encryption.encrypt('test', context: 'test')
+result.nil?
+#=> false
+# TEARDOWN

data/try/encryption/module_loading_try.rb ADDED Viewed

@@ -0,0 +1,28 @@
+# try/encryption/debug_try.rb
+# - Tests that the encryption module loads correctly
+# - Validates basic configuration setup
+require 'base64'
+require_relative '../helpers/test_helpers'
+# Test basic functionality
+## Check if encryption module loads
+defined?(Familia::Encryption)
+#=> "constant"
+## Set and check configuration directly in test
+Familia.encryption_keys = { v1: Base64.strict_encode64('a' * 32) }
+Familia.encryption_keys.is_a?(Hash)
+#=> true
+## Set and check current key version directly in test
+Familia.current_key_version = :v1
+Familia.current_key_version
+#=> :v1
+# TEARDOWN
+# Clean up

data/try/encryption/providers/aes_gcm_provider_try.rb ADDED Viewed

@@ -0,0 +1,178 @@
+# try/encryption/providers/aes_gcm_provider_try.rb
+require_relative '../../helpers/test_helpers'
+require 'base64'
+## AES-GCM provider availability check (always available with OpenSSL)
+Familia::Encryption::Providers::AESGCMProvider.available?
+#=> true
+## AES-GCM provider initialization
+provider = Familia::Encryption::Providers::AESGCMProvider.new
+[provider.algorithm, provider.nonce_size, provider.auth_tag_size]
+#=> ['aes-256-gcm', 12, 16]
+## AES-GCM provider priority is fallback
+Familia::Encryption::Providers::AESGCMProvider.priority
+#=> 50
+## AES-GCM nonce generation produces correct size
+provider = Familia::Encryption::Providers::AESGCMProvider.new
+nonce = provider.generate_nonce
+nonce.bytesize
+#=> 12
+## AES-GCM key derivation with HKDF
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+provider = Familia::Encryption::Providers::AESGCMProvider.new
+master_key = Base64.strict_decode64(test_keys[:v1])
+context = 'test-context'
+derived_key = provider.derive_key(master_key, context)
+derived_key.bytesize
+#=> 32
+## AES-GCM key derivation produces different keys for different contexts
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+provider = Familia::Encryption::Providers::AESGCMProvider.new
+master_key = Base64.strict_decode64(test_keys[:v1])
+derived_key1 = provider.derive_key(master_key, 'context1')
+derived_key2 = provider.derive_key(master_key, 'context2')
+derived_key1 != derived_key2
+#=> true
+## AES-GCM encryption produces expected structure
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+provider = Familia::Encryption::Providers::AESGCMProvider.new
+key = Base64.strict_decode64(test_keys[:v1])
+plaintext = 'test encryption data'
+result = provider.encrypt(plaintext, key)
+[result.has_key?(:nonce), result.has_key?(:ciphertext), result.has_key?(:auth_tag)]
+#=> [true, true, true]
+## AES-GCM encryption nonce is 12 bytes
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+provider = Familia::Encryption::Providers::AESGCMProvider.new
+key = Base64.strict_decode64(test_keys[:v1])
+plaintext = 'test encryption data'
+result = provider.encrypt(plaintext, key)
+result[:nonce].bytesize
+#=> 12
+## AES-GCM encryption auth tag is 16 bytes
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+provider = Familia::Encryption::Providers::AESGCMProvider.new
+key = Base64.strict_decode64(test_keys[:v1])
+plaintext = 'test encryption data'
+result = provider.encrypt(plaintext, key)
+result[:auth_tag].bytesize
+#=> 16
+## AES-GCM round-trip encryption/decryption
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+provider = Familia::Encryption::Providers::AESGCMProvider.new
+key = Base64.strict_decode64(test_keys[:v1])
+plaintext = 'AES-GCM round-trip test'
+encrypted = provider.encrypt(plaintext, key)
+decrypted = provider.decrypt(encrypted[:ciphertext], key, encrypted[:nonce], encrypted[:auth_tag])
+decrypted
+#=> 'AES-GCM round-trip test'
+## AES-GCM encryption with AAD (Additional Authenticated Data)
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+provider = Familia::Encryption::Providers::AESGCMProvider.new
+key = Base64.strict_decode64(test_keys[:v1])
+plaintext = 'test with aad'
+aad = 'additional-authenticated-data'
+encrypted = provider.encrypt(plaintext, key, aad)
+decrypted = provider.decrypt(encrypted[:ciphertext], key, encrypted[:nonce], encrypted[:auth_tag], aad)
+decrypted
+#=> 'test with aad'
+## AES-GCM AAD tampering fails authentication
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+provider = Familia::Encryption::Providers::AESGCMProvider.new
+key = Base64.strict_decode64(test_keys[:v1])
+plaintext = 'test with aad'
+aad = 'original-aad'
+encrypted = provider.encrypt(plaintext, key, aad)
+provider.decrypt(encrypted[:ciphertext], key, encrypted[:nonce], encrypted[:auth_tag], 'tampered-aad')
+#=!> Familia::EncryptionError
+#==> error.message.include?('Decryption failed')
+## AES-GCM nonce tampering fails authentication
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+provider = Familia::Encryption::Providers::AESGCMProvider.new
+key = Base64.strict_decode64(test_keys[:v1])
+plaintext = 'test nonce tampering'
+encrypted = provider.encrypt(plaintext, key)
+tampered_nonce = 'x' * 12  # Wrong nonce (12 bytes for AES-GCM)
+provider.decrypt(encrypted[:ciphertext], key, tampered_nonce, encrypted[:auth_tag])
+#=!> Familia::EncryptionError
+#==> error.message.include?('Decryption failed')
+## AES-GCM auth tag tampering fails authentication
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+provider = Familia::Encryption::Providers::AESGCMProvider.new
+key = Base64.strict_decode64(test_keys[:v1])
+plaintext = 'test auth tag tampering'
+encrypted = provider.encrypt(plaintext, key)
+tampered_auth_tag = 'y' * 16  # Wrong auth tag
+provider.decrypt(encrypted[:ciphertext], key, encrypted[:nonce], tampered_auth_tag)
+#=!> Familia::EncryptionError
+#==> error.message.include?('Decryption failed')
+## AES-GCM ciphertext tampering fails authentication
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+provider = Familia::Encryption::Providers::AESGCMProvider.new
+key = Base64.strict_decode64(test_keys[:v1])
+plaintext = 'test ciphertext tampering'
+encrypted = provider.encrypt(plaintext, key)
+tampered_ciphertext = encrypted[:ciphertext][0..-2] + 'X'  # Change last byte
+provider.decrypt(tampered_ciphertext, key, encrypted[:nonce], encrypted[:auth_tag])
+#=!> Familia::EncryptionError
+#==> error.message.include?('Decryption failed')
+## AES-GCM key validation rejects nil key
+provider = Familia::Encryption::Providers::AESGCMProvider.new
+provider.encrypt('test', nil)
+#=!> Familia::EncryptionError
+#==> error.message.include?('Key cannot be nil')
+## AES-GCM key validation requires 32-byte minimum
+provider = Familia::Encryption::Providers::AESGCMProvider.new
+short_key = 'x' * 16  # Only 16 bytes
+provider.encrypt('test', short_key)
+#=!> Familia::EncryptionError
+#==> error.message.include?('Key must be at least 32 bytes')
+## AES-GCM secure_wipe clears key (best effort)
+provider = Familia::Encryption::Providers::AESGCMProvider.new
+test_key = 'secret-key-data-to-be-wiped'
+original_length = test_key.length
+provider.secure_wipe(test_key)
+test_key.length
+#=> 0
+## AES-GCM derive_key method signature (no personal parameter)
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+provider = Familia::Encryption::Providers::AESGCMProvider.new
+master_key = Base64.strict_decode64(test_keys[:v1])
+context = 'signature-test'
+# AES-GCM derive_key only takes master_key and context (no personal parameter)
+derived_key = provider.derive_key(master_key, context)
+derived_key.bytesize
+#=> 32
+## AES-GCM HKDF salt consistency
+test_keys = { v1: Base64.strict_encode64('a' * 32) }
+provider = Familia::Encryption::Providers::AESGCMProvider.new
+master_key = Base64.strict_decode64(test_keys[:v1])
+context = 'salt-test'
+# Multiple derivations with same inputs should produce same key
+derived_key1 = provider.derive_key(master_key, context)
+derived_key2 = provider.derive_key(master_key, context)
+derived_key1 == derived_key2
+#=> true
+# TEARDOWN
+Thread.current[:familia_key_cache]&.clear if Thread.current[:familia_key_cache]