ironclad 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 8eedb70a393983cdc89c2ec443623a2882c9220bc50dc4ca8659412db81ab4b8
+  data.tar.gz: 3160931bea2ded23d11a63d636da6f4d7352b10dd250e4d01e4239c9030ce2ee
+SHA512:
+  metadata.gz: edeaccd5502bc01f07d4c5e4bafc84fc8ac881db1b7140a9e3522bfb6ee6c15aeaf1bff9cb4dde1545b2143b65bf3a3d60e4e019a847bc8d92cc45c961b90ed3
+  data.tar.gz: 2364dfa70d9f7ab821898415e0ecbf08c815a4976fac1810d10c9f687aa8297de91df93cdb3ef4c7d6f175015d72b32abed8c1f2f0d0d2915ed831bde80f5ead

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2026 Jarrett Lusso
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,117 @@
+# Ironclad
+
+[![Gem Version](https://badge.fury.io/rb/ironclad.svg)](https://rubygems.org/gems/ironclad)
+[![CI](https://github.com/jclusso/ironclad/actions/workflows/ci.yml/badge.svg)](https://github.com/jclusso/ironclad/actions/workflows/ci.yml)
+
+Source your Rails credential keys from 1Password instead of committing them to
+the repo or leaving them as plaintext files on disk.
+
+Ironclad reads each environment's key (`master.key`, `production.key`) from
+1Password and caches it in the local OS keystore — the macOS Keychain or the
+Linux kernel keyring — so repeated use doesn't round-trip to 1Password. It
+ships:
+
+- a CLI for printing a key or editing credentials,
+- a Railtie that loads the current environment's key into `ENV` at boot,
+- Capistrano helpers so deploys need no key file, and
+- an install generator that wires it all into a Rails app.
+
+## How it works
+
+`bin/ironclad <env>` is a read-through cache:
+
+1. Look up the key in the OS keystore (`<app>-credentials-<env>`).
+2. On a miss, read it from 1Password (`op read`) and seed the cache.
+
+The cache never expires. After rotating a key, refresh it with
+`bin/ironclad <env> --refresh`. Platforms with no supported keystore simply
+fetch from 1Password every call.
+
+## Requirements
+
+- The [1Password CLI](https://developer.1password.com/docs/cli/) (`op`), signed
+  in to the relevant account.
+- macOS (`security`) or Linux (`keyctl`) for caching. Other platforms work but
+  don't cache.
+
+## Installation
+
+Add it to your Gemfile:
+
+```ruby
+gem 'ironclad'
+```
+
+Then install and run the generator:
+
+```sh
+bundle install
+bin/rails generate ironclad:install
+```
+
+The generator asks which environments you manage (so the config and the VS Code
+dropdown match) and which optional integrations to set up (the VS Code "Edit
+Credentials" task, Capistrano wiring). It writes `config/ironclad.yml` with a
+`VAULT` placeholder reference per environment for you to fill in, plus a
+`bin/ironclad` binstub.
+
+## Configuration
+
+`config/ironclad.yml` maps each environment to a 1Password secret reference. The
+environment names are entirely up to you — `default` is the development/master
+key, and you can define as many others as you like (`staging`, `production`,
+`qa`, `review`, …):
+
+```yaml
+account: application-name
+keys:
+  default:    op://VAULT/application-name/master.key
+  production: op://VAULT/application-name/production.key
+```
+
+- `account` — 1Password account shorthand passed to `op --account` (optional).
+- `app` — OS keystore cache namespace (`<app>-credentials-<env>`). Optional;
+  defaults to your Rails app name, so you normally omit it.
+- `keys` — environment to 1Password reference. `default` is the development key;
+  add an entry for any other environment you need.
+
+## Usage
+
+### CLI
+
+```sh
+bin/ironclad                      # print the development key
+bin/ironclad production           # print the production key
+bin/ironclad production --refresh # bypass the cache after a rotation
+bin/ironclad edit staging         # edit staging credentials in your editor
+```
+
+### Capistrano
+
+Require the helpers in your `Capfile`:
+
+```ruby
+require 'ironclad/capistrano'
+```
+
+This sets `RAILS_MASTER_KEY` for the current stage from 1Password and adds a
+`credential(*keys)` helper for reading the stage's encrypted credentials during
+a deploy — no `config/credentials/<env>.key` file required.
+
+### CI
+
+Set `RAILS_MASTER_KEY` from a secret in your CI environment rather than shipping
+a key file. Ironclad's boot step is a no-op when the key is already present.
+
+## Development
+
+```sh
+bin/setup              # install dependencies
+bundle exec rake test  # run the tests
+bundle exec rubocop    # lint
+bin/console            # interactive prompt
+```
+
+## License
+
+Available as open source under the [MIT License](https://opensource.org/licenses/MIT).

data/exe/ironclad

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'ironclad/cli'
+
+exit Ironclad::CLI.start(ARGV)

data/lib/generators/ironclad/install_generator.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+require 'rails/generators/base'
+
+module Ironclad
+  module Generators
+    # Installs Ironclad: asks which environments you manage, writes a
+    # config/ironclad.yml to fill in and a bin/ironclad binstub, then asks about
+    # optional integrations.
+    class InstallGenerator < Rails::Generators::Base
+      source_root File.expand_path('templates', __dir__)
+
+      def create_config
+        create_file 'config/ironclad.yml', config_contents
+      end
+
+      def create_binstub
+        copy_file 'binstub', 'bin/ironclad'
+        chmod 'bin/ironclad', 0o755
+      end
+
+      def create_vscode_task
+        return unless yes?("Add a VS Code 'Edit Credentials' task? (y/N)")
+
+        template 'tasks.json', '.vscode/tasks.json'
+      end
+
+      def setup_capistrano
+        return unless File.exist?(File.join(destination_root, 'Capfile'))
+        return unless yes?('Wire Ironclad into your Capfile for deploys? (y/N)')
+
+        inject_into_file 'Capfile', "require 'ironclad/capistrano'\n",
+                         after: %r{^require ['"]capistrano/setup['"].*\n}
+      end
+
+      def show_post_install
+        say <<~MESSAGE
+
+          Ironclad installed. Edit config/ironclad.yml and fill in your
+          1Password references. In CI / on servers, set RAILS_MASTER_KEY from a
+          secret instead.
+
+          Print a key:      bin/ironclad [env]
+          Edit credentials: bin/ironclad edit [env]
+        MESSAGE
+      end
+
+      private
+
+      def environments
+        @environments ||= ask(
+          'Environments to manage? (comma-separated)',
+          default: 'default'
+        ).split(',').map(&:strip).reject(&:empty?)
+      end
+
+      def config_contents
+        keys = environments.map do |env|
+          field = env == 'default' ? 'master' : env
+          "  #{env}: op://VAULT/#{app_name}/#{field}.key"
+        end.join("\n")
+
+        <<~YAML
+          # Maps each environment to a 1Password secret reference. Replace VAULT
+          # (and the item/field if needed) to match your vault. `default` is the
+          # development/master key.
+          account:
+          keys:
+          #{keys}
+        YAML
+      end
+
+      def app_name
+        Rails.application.class.module_parent_name.underscore
+      rescue StandardError
+        File.basename(destination_root)
+      end
+    end
+  end
+end

data/lib/generators/ironclad/templates/binstub

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'rubygems'
+require 'bundler/setup'
+
+load Gem.bin_path('ironclad', 'ironclad')

data/lib/generators/ironclad/templates/tasks.json

@@ -0,0 +1,33 @@
+{
+  "version": "2.0.0",
+  "tasks": [
+    {
+      "label": "Edit Credentials",
+      "type": "shell",
+      "command": "\"${SHELL:-/bin/zsh}\" -lic \"EDITOR='code --wait' VISUAL='code --wait' bin/ironclad edit ${input:credentialsEnv}\"",
+      "options": {
+        "cwd": "${workspaceFolder}"
+      },
+      "problemMatcher": [],
+      "runOptions": {
+        "instanceLimit": 4
+      },
+      "presentation": {
+        "reveal": "never",
+        "revealProblems": "never",
+        "focus": false,
+        "panel": "new",
+        "showReuseMessage": false,
+        "close": true
+      }
+    }
+  ],
+  "inputs": [
+    {
+      "id": "credentialsEnv",
+      "type": "pickString",
+      "description": "Which environment's credentials do you want to edit?",
+      "options": [<%= environments.map(&:inspect).join(', ') %>]
+    }
+  ]
+}

data/lib/ironclad/cache/keychain.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'open3'
+
+module Ironclad
+  module Cache
+    # macOS Keychain via the `security` tool. The cache never expires; a key
+    # rotation is handled by writing (-U updates) the new value.
+    class Keychain
+      def initialize(account)
+        @account = account
+      end
+
+      def read(name)
+        out, status = Open3.capture2(
+          'security', 'find-generic-password',
+          '-a', @account, '-s', name, '-w'
+        )
+        status.success? ? out.chomp : nil
+      end
+
+      def write(name, key)
+        # The key passes via argv (briefly visible to the same user's `ps`); the
+        # security tool has no stdin input mode. Acceptable for a local cache.
+        system(
+          'security', 'add-generic-password', '-U',
+          '-a', @account, '-s', name, '-w', key,
+          out: File::NULL, err: File::NULL
+        )
+      end
+    end
+  end
+end

data/lib/ironclad/cache/keyctl.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'open3'
+
+module Ironclad
+  module Cache
+    # Linux kernel keyring via `keyctl`, stored in the user keyring (@u): it
+    # persists across this user's sessions and clears on reboot, at which point
+    # a miss simply re-seeds from the source.
+    class Keyctl
+      def read(name)
+        id, status = Open3.capture2('keyctl', 'search', '@u', 'user', name)
+        return unless status.success?
+
+        out, status = Open3.capture2('keyctl', 'pipe', id.chomp)
+        status.success? ? out : nil
+      end
+
+      def write(name, key)
+        Open3.capture2('keyctl', 'padd', 'user', name, '@u', stdin_data: key)
+      end
+    end
+  end
+end

data/lib/ironclad/cache/null.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Ironclad
+  module Cache
+    # No-op cache for platforms without a supported OS keystore. Every lookup
+    # misses, so the key is fetched from the source each call.
+    class Null
+      def read(_name) = nil
+
+      def write(_name, _key) = nil
+    end
+  end
+end

data/lib/ironclad/cache.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require 'rbconfig'
+require_relative 'cache/keychain'
+require_relative 'cache/keyctl'
+require_relative 'cache/null'
+
+module Ironclad
+  # Selects the OS keystore backend for the current platform.
+  module Cache
+    module_function
+
+    def for_platform(account, host_os = RbConfig::CONFIG['host_os'])
+      case host_os
+      when /darwin/
+        Keychain.new(account)
+      when /linux/
+        keyctl_available? ? Keyctl.new : Null.new
+      else
+        Null.new
+      end
+    end
+
+    def keyctl_available?
+      system('command -v keyctl', out: File::NULL, err: File::NULL)
+    end
+  end
+end

data/lib/ironclad/capistrano.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require 'active_support/encrypted_configuration'
+require_relative '../ironclad'
+
+module Ironclad
+  # Capistrano DSL helpers. Require this from your Capfile:
+  #
+  #   require "ironclad/capistrano"
+  #
+  # so deploys source RAILS_MASTER_KEY from the configured secrets manager and
+  # can read credentials without a key file on disk.
+  module Capistrano
+    # Set RAILS_MASTER_KEY for the current stage (respecting one already set).
+    def rails_master_key
+      env = fetch(:rails_env, fetch(:stage)).to_s
+      ENV['RAILS_MASTER_KEY'] = Ironclad.key(env)
+    end
+
+    # Read a value from the stage's encrypted credentials during a deploy.
+    def credential(*keys)
+      rails_master_key
+      env = fetch(:rails_env, fetch(:stage)).to_s
+      @ironclad_credentials ||= ActiveSupport::EncryptedConfiguration.new(
+        config_path: "config/credentials/#{env}.yml.enc",
+        key_path: "config/credentials/#{env}.key",
+        env_key: 'RAILS_MASTER_KEY',
+        raise_if_missing_key: true
+      )
+      @ironclad_credentials.dig(*keys) ||
+        raise("Rails credential `#{keys.join('.')}` is missing")
+    end
+  end
+end
+
+Capistrano::DSL.include(Ironclad::Capistrano) if defined?(Capistrano::DSL)

data/lib/ironclad/cli.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require_relative '../ironclad'
+
+module Ironclad
+  # Command-line entry point. Dependency-free arg parsing keeps boot cheap and
+  # avoids loading Rails just to print a key.
+  #
+  #   ironclad [env] [--refresh]   print the credentials key (default env)
+  #   ironclad edit [env]          edit Rails credentials for env
+  class CLI
+    def self.start(argv)
+      new(argv).run
+    end
+
+    def initialize(argv)
+      @argv = argv.dup
+    end
+
+    def run
+      case @argv.first
+      when 'edit'
+        @argv.shift
+        edit(@argv.shift || 'default')
+      when '-h', '--help', 'help'
+        print_help
+      else
+        print_key
+      end
+      0
+    rescue Error => e
+      warn e.message
+      1
+    end
+
+    private
+
+    def print_key
+      refresh = @argv.delete('--refresh') ? true : false
+      env = @argv.shift || 'default'
+      validate_env!(env)
+      puts Ironclad.key(env, refresh: refresh)
+    end
+
+    def edit(env)
+      validate_env!(env)
+      ENV['RAILS_MASTER_KEY'] = Ironclad.key(env)
+
+      args = ['credentials:edit']
+      args.push('-e', env) unless env == 'default'
+      exec('bin/rails', *args)
+    end
+
+    def validate_env!(env)
+      return if Ironclad.config.environments.include?(env)
+
+      raise Error, "Unknown environment: #{env} " \
+                   "(expected #{Ironclad.config.environments.join(', ')})."
+    end
+
+    def print_help
+      puts <<~HELP
+        ironclad — Rails credential keys from 1Password, cached locally.
+
+        Usage:
+          ironclad [env] [--refresh]   print the credentials key (env: default)
+          ironclad edit [env]          edit Rails credentials for env
+          ironclad --help              show this help
+
+        --refresh re-reads from the source after a key rotation.
+        Environments are defined in config/ironclad.yml.
+      HELP
+    end
+  end
+end

data/lib/ironclad/config.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+require 'yaml'
+
+module Ironclad
+  # Project configuration, read from config/ironclad.yml so both the CLI (no
+  # Rails boot) and the Railtie can load it. Any environment names work — they
+  # only have to match the keys you define here.
+  #
+  #   account: my_app   # optional
+  #   keys:
+  #     default:    op://VAULT/my_app/master.key
+  #     production: op://VAULT/my_app/production.key
+  #
+  # `app` (the OS-keystore cache namespace) is optional; it defaults to the
+  # Rails app name read from config/application.rb.
+  class Config
+    attr_reader :app, :account, :keys
+
+    def self.load(path)
+      unless File.exist?(path)
+        raise Error, "Ironclad config not found at #{path}. " \
+                     'Run `rails generate ironclad:install` to create it.'
+      end
+
+      root = File.dirname(path, 2)
+      data = YAML.safe_load_file(path)
+      unless data.is_a?(Hash)
+        raise Error, "#{path} is empty or not a YAML mapping"
+      end
+
+      new(data, root: root)
+    end
+
+    # Cache namespace, derived from the app's module name in
+    # config/application.rb (falling back to the directory name) so the railtie
+    # and the no-Rails CLI agree on one OS-keystore entry per app.
+    def self.app_namespace(root)
+      return 'ironclad' unless root
+
+      app_rb = File.join(root, 'config', 'application.rb')
+      name = File.file?(app_rb) ? File.read(app_rb)[/^\s*module\s+([A-Za-z]\w*)/, 1] : nil
+      name ||= File.basename(root)
+      name.gsub(/([a-z\d])([A-Z])/, '\1_\2').downcase
+    end
+
+    def initialize(data, root: nil)
+      @app = data['app'] || self.class.app_namespace(root)
+      @account = data['account']
+      @keys = data.fetch('keys') { raise Error, 'ironclad.yml is missing `keys`' }
+      unless @keys.is_a?(Hash)
+        raise Error, 'ironclad.yml `keys` must be a mapping of environment => secret reference'
+      end
+    end
+
+    def reference(environment)
+      keys.fetch(environment) do
+        raise Error, "No secret reference for `#{environment}`. " \
+                     "Known environments: #{keys.keys.join(', ')}."
+      end
+    end
+
+    def environments
+      keys.keys
+    end
+
+    def key?(environment)
+      keys.key?(environment)
+    end
+
+    # The config key to use for a Rails environment: its own if defined,
+    # otherwise `default` (the master key). Nil if neither exists.
+    def key_for(environment)
+      return environment if key?(environment)
+
+      'default' if key?('default')
+    end
+
+    # OS keystore service name for an environment's cached key.
+    def cache_key(environment)
+      "#{app}-credentials-#{environment}"
+    end
+  end
+end

data/lib/ironclad/key_store.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Ironclad
+  # Read-through cache: keys are read from the local OS keystore and pulled from
+  # the source only on a miss, so repeated calls don't round-trip to it.
+  class KeyStore
+    def initialize(config, cache: nil, source: nil)
+      @config = config
+      @cache = cache || Cache.for_platform(config.app)
+      # Defaults to 1Password; inject another source to use a different manager.
+      @source = source || Source::OnePassword.new(config.account)
+    end
+
+    # Return the key for an environment. With refresh: true, skip the cache and
+    # re-seed it from the source (use after a key rotation).
+    def key(environment, refresh: false)
+      name = @config.cache_key(environment)
+
+      unless refresh
+        cached = @cache.read(name)
+        return cached if cached && !cached.empty?
+      end
+
+      fetched = @source.read(@config.reference(environment))
+      @cache.write(name, fetched)
+      fetched
+    end
+  end
+end

data/lib/ironclad/railtie.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Ironclad
+  # Loads the credentials key for the current environment into ENV at boot, so a
+  # fresh checkout works with no key file on disk. Each Rails environment uses
+  # its own key if one is defined in config/ironclad.yml, otherwise the
+  # `default` (master) key.
+  #
+  # A no-op when RAILS_MASTER_KEY is already set (deployed servers and CI provide
+  # the key directly) or when Ironclad isn't configured yet.
+  class Railtie < Rails::Railtie
+    config.before_configuration do
+      Ironclad.config_path = Rails.root.join('config', 'ironclad.yml').to_s
+      next if ENV['RAILS_MASTER_KEY'] || !Ironclad.configured?
+
+      name = Ironclad.config.key_for(ENV.fetch('RAILS_ENV', 'development'))
+      ENV['RAILS_MASTER_KEY'] = Ironclad.key(name) if name
+    rescue Ironclad::Error => e
+      # Don't abort boot if the credential source is unavailable (e.g. `op` not
+      # signed in or installed). Rails surfaces its own missing-key error later
+      # only if credentials are actually accessed.
+      warn "Ironclad: could not load credentials key (#{e.message}). " \
+           'Try `op signin` or set RAILS_MASTER_KEY.'
+    end
+  end
+end

data/lib/ironclad/source/one_password.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require 'open3'
+
+module Ironclad
+  module Source
+    # Reads a secret from 1Password via the `op` CLI.
+    class OnePassword
+      def initialize(account = nil)
+        @account = account
+      end
+
+      def read(reference)
+        cmd = ['op', 'read', reference]
+        cmd.push('--account', @account) if @account
+
+        out, err, status = Open3.capture3(*cmd)
+        unless status.success?
+          message = 'Could not read the credentials key from 1Password. ' \
+                    'Authorize the prompt and retry, or run: op signin'
+          detail = err.strip
+          message += " (#{detail})" unless detail.empty?
+          raise Error, message
+        end
+
+        out.chomp
+      end
+    end
+  end
+end

data/lib/ironclad/source.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Ironclad
+  # Namespace for secret sources. A source responds to #read(reference) and
+  # returns the secret as a string, raising Ironclad::Error on failure.
+  # OnePassword is the only source today; add another manager as a sibling
+  # class here and have KeyStore select it.
+  module Source
+  end
+end

data/lib/ironclad/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Ironclad
+  VERSION = '0.1.0'
+end

data/lib/ironclad.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require_relative 'ironclad/version'
+require_relative 'ironclad/config'
+require_relative 'ironclad/source'
+require_relative 'ironclad/source/one_password'
+require_relative 'ironclad/cache'
+require_relative 'ironclad/key_store'
+
+# Sources Rails credential keys from a secrets manager, cached in the local OS
+# keystore.
+module Ironclad
+  class Error < StandardError; end
+
+  class << self
+    # Path to the project's ironclad.yml. Override before first use if needed.
+    attr_writer :config_path
+
+    def config_path
+      @config_path ||= File.join(Dir.pwd, 'config', 'ironclad.yml')
+    end
+
+    def configured?
+      File.exist?(config_path)
+    end
+
+    def config
+      @config ||= Config.load(config_path)
+    end
+
+    def store
+      @store ||= KeyStore.new(config)
+    end
+
+    # Return the credentials key for an environment, using the read-through
+    # cache. Pass refresh: true to bypass the cache after a key rotation.
+    def key(environment = 'default', refresh: false)
+      store.key(environment.to_s, refresh: refresh)
+    end
+
+    # Reset memoized state (mainly for tests).
+    def reset!
+      @config = nil
+      @store = nil
+    end
+  end
+end
+
+require_relative 'ironclad/railtie' if defined?(Rails::Railtie)

metadata

@@ -0,0 +1,141 @@
+--- !ruby/object:Gem::Specification
+name: ironclad
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Jarrett Lusso
+bindir: exe
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-cache-ventures
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest-mock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest-reporters
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Ironclad sources Rails credential keys from 1Password and caches them
+  in the local OS keystore (macOS Keychain or the Linux kernel keyring), so no key
+  files live on disk. Ships a CLI, a Railtie that loads the development key at boot,
+  Capistrano helpers, and an install generator.
+email:
+- jclusso@gmail.com
+executables:
+- ironclad
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE.txt
+- README.md
+- exe/ironclad
+- lib/generators/ironclad/install_generator.rb
+- lib/generators/ironclad/templates/binstub
+- lib/generators/ironclad/templates/tasks.json
+- lib/ironclad.rb
+- lib/ironclad/cache.rb
+- lib/ironclad/cache/keychain.rb
+- lib/ironclad/cache/keyctl.rb
+- lib/ironclad/cache/null.rb
+- lib/ironclad/capistrano.rb
+- lib/ironclad/cli.rb
+- lib/ironclad/config.rb
+- lib/ironclad/key_store.rb
+- lib/ironclad/railtie.rb
+- lib/ironclad/source.rb
+- lib/ironclad/source/one_password.rb
+- lib/ironclad/version.rb
+homepage: https://github.com/jclusso/ironclad
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org
+  homepage_uri: https://github.com/jclusso/ironclad
+  source_code_uri: https://github.com/jclusso/ironclad
+  documentation_uri: https://github.com/jclusso/ironclad
+  changelog_uri: https://github.com/jclusso/ironclad/releases
+  bug_tracker_uri: https://github.com/jclusso/ironclad/issues
+  github_repo: ssh://github.com/jclusso/ironclad
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.3.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.9
+specification_version: 4
+summary: 1Password-backed, OS-keystore-cached Rails credential keys.
+test_files: []