legion-crypt 0.3.0 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 265bfefa35f6346031ae28749fa479e511e9f98f5a3c8b5cd3b756e86f6920b4
-  data.tar.gz: 2fedcd11ffcb04683cdf8c122b721bd30e37b7a73b48f2660237895725045999
+  metadata.gz: a7018b9c084879712ba6a2fdf0b64f19b1c78de8cb8b9377063f824a0f43314c
+  data.tar.gz: 0d449cbe402ffbe5a45256801ea442ac03d7663f234f4678f52147e55214c0c0
 SHA512:
-  metadata.gz: 430546afd08fdddbc359be8dd09a530552a596917943ca7e5c0a9bd7a3064e4c95cbb3ea468faaa62cfe6572577eea3eb60765ebbb68f3a8756a0a491de8c44d
-  data.tar.gz: 856f677b6201f8052cf6d0a617f56ce893029afc02df2f9490e506bc55034090814f35cf0c98438c66db6c0a728be84f060f72c7319bb20bfd29f0cc1debdc24
+  metadata.gz: 64e62d71d928dbd378aa7ce371af98b79c0a70cd6724461db87c7753f073014e8d0973975b947c31cdcda34f138f473afcf11d5026ec5332e7b5d619b91e72f8
+  data.tar.gz: 42b44f3d2b203db36197dc399732790fe3e6cc6f9f00b9e3c3660fc1283cf6bbd519fbaab718ddaa44a404f5332e3d8f0eb24120d17ac41f2071df637fc61634

data/.github/workflows/ci.yml

@@ -0,0 +1,16 @@
+name: CI
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  ci:
+    uses: LegionIO/.github/.github/workflows/ci.yml@main
+
+  release:
+    needs: ci
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    uses: LegionIO/.github/.github/workflows/release.yml@main
+    secrets:
+      rubygems-api-key: ${{ secrets.RUBYGEMS_API_KEY }}

data/.gitignore

@@ -1,11 +1,15 @@
 /.bundle/
 /.yardoc
+/Gemfile.lock
 /_yardoc/
 /coverage/
 /doc/
 /pkg/
 /spec/reports/
 /tmp/
-
+/legion/.idea/
+/.idea/
+*.key
 # rspec failure tracking
 .rspec_status
+legionio.key

data/.rubocop.yml

@@ -1,24 +1,53 @@
+AllCops:
+  TargetRubyVersion: 3.4
+  NewCops: enable
+  SuggestExtensions: false
+
 Layout/LineLength:
-  Max: 140
+  Max: 160
+
+Layout/SpaceAroundEqualsInParameterDefault:
+  EnforcedStyle: space
+
+Layout/HashAlignment:
+  EnforcedHashRocketStyle: table
+  EnforcedColonStyle: table
+
 Metrics/MethodLength:
   Max: 50
+
 Metrics/ClassLength:
   Max: 1500
+
+Metrics/ModuleLength:
+  Max: 1500
+
 Metrics/BlockLength:
-  Max: 50
-Metrics/CyclomaticComplexity:
-  Max: 14
+  Max: 40
+  Exclude:
+    - 'spec/**/*'
+
 Metrics/AbcSize:
-  Max: 17
+  Max: 60
+
+Metrics/CyclomaticComplexity:
+  Max: 15
+
 Metrics/PerceivedComplexity:
-  Max: 16
-Naming/MethodParameterName:
-  Enabled: false
+  Max: 17
+
 Style/Documentation:
   Enabled: false
-AllCops:
-  TargetRubyVersion: 2.5
-  NewCops: enable
-  SuggestExtensions: false
+
+Style/SymbolArray:
+  Enabled: true
+
 Style/FrozenStringLiteralComment:
+  Enabled: true
+  EnforcedStyle: always
+
+Naming/FileName:
+  Enabled: false
+
+Naming/PredicateMethod:
   Enabled: false

data/CHANGELOG.md

@@ -0,0 +1,31 @@
+# Legion::Crypt
+
+## [Unreleased]
+
+## [1.3.0] - 2026-03-16
+
+### Added
+- `LeaseManager` singleton for dynamic Vault secret lease management
+- Named lease definitions in `crypt.vault.leases` settings
+- Boot-time lease fetch with data caching
+- Background renewal thread with rotation detection
+- Settings push-back on credential rotation via reverse index
+- `lease://name#key` URI references resolved by Settings resolver
+
+## v1.2.1
+
+### Fixed
+- `validate_hex` and `set_cluster_secret` now handle leading zeros correctly by padding the
+  base-32 round-trip result back to the original string length. Previously, secrets whose
+  hex representation started with one or more zero bytes would fail validation and cause
+  `find_cluster_secret` to return nil non-deterministically.
+
+### Added
+- Comprehensive spec coverage for `Legion::Crypt::VaultJwtAuth` (`.login`, `.login!`,
+  `.worker_login`, `AuthError`, constants).
+- `after` hook in `cluster_secret_spec` to restore `Legion::Settings[:crypt][:cluster_secret]`
+  between examples, eliminating ordering-dependent state pollution.
+- TODO comments in `vault_spec` for tests that require live Vault connectivity.
+
+## v1.2.0
+Moving from BitBucket to GitHub. All git history is reset from this point on

data/CLAUDE.md

@@ -0,0 +1,149 @@
+# legion-crypt: Encryption and Vault Integration for LegionIO
+
+**Repository Level 3 Documentation**
+- **Parent**: `/Users/miverso2/rubymine/legion/CLAUDE.md`
+
+## Purpose
+
+Handles encryption, decryption, secrets management, JWT token management, and HashiCorp Vault connectivity for the LegionIO framework. Provides AES-256-CBC message encryption, RSA key pair generation, cluster secret management, JWT issue/verify operations, and Vault token lifecycle management.
+
+**GitHub**: https://github.com/LegionIO/legion-crypt
+**License**: Apache-2.0
+
+## Architecture
+
+```
+Legion::Crypt (singleton module)
+├── .start             # Initialize: generate keys, connect to Vault
+├── .encrypt(string)   # AES-256-CBC encryption
+├── .decrypt(message)  # AES-256-CBC decryption
+├── .shutdown          # Stop Vault renewer, close sessions
+│
+├── Cipher             # OpenSSL cipher operations (AES-256-CBC)
+│   ├── .encrypt       # Encrypt with cluster secret
+│   ├── .decrypt       # Decrypt with cluster secret
+│   ├── .private_key   # RSA private key (generated or loaded)
+│   └── .public_key    # RSA public key
+│
+├── Vault              # HashiCorp Vault integration
+│   ├── .connect_vault # Establish Vault session
+│   ├── .read(path)    # Read secret from Vault
+│   ├── .write(path)   # Write secret to Vault
+│   └── .renew_token   # Token renewal
+│
+├── JWT                # JSON Web Token operations
+│   ├── .issue         # Create signed JWT (HS256 or RS256)
+│   ├── .verify        # Verify and decode JWT
+│   └── .decode        # Decode without verification (inspection)
+│
+├── ClusterSecret      # Cluster-wide shared secret management
+│   └── .cs            # Generate/distribute cluster secret
+│
+├── VaultJwtAuth       # Vault JWT auth backend integration
+│   ├── .login         # Authenticate to Vault using a JWT token, returns Vault token hash
+│   ├── .login!        # Authenticate and set ::Vault.token for subsequent operations
+│   └── .worker_login  # Issue a Legion JWT and authenticate to Vault in one step
+│
+├── VaultRenewer       # Background Vault token renewal thread
+├── LeaseManager       # Dynamic Vault lease lifecycle: fetch, cache, renew, rotate, push-back
+├── Settings           # Default crypt config
+└── Version
+```
+
+### Key Design Patterns
+
+- **Dynamic Keys**: By default, generates new RSA key pair per process start (no persistent keys)
+- **Cluster Secret**: Shared AES key distributed across Legion nodes for inter-node encrypted communication
+- **Vault Conditional**: Vault module is only included if the `vault` gem is available
+- **Token Lifecycle**: VaultRenewer runs background thread for automatic token renewal
+- **JWT Dual Algorithm**: HS256 (symmetric, cluster secret) for intra-cluster tokens; RS256 (asymmetric, RSA keypair) for tokens verifiable without sharing the signing key
+
+## Default Settings
+
+```json
+{
+  "vault": { "..." : "see vault settings" },
+  "jwt": {
+    "enabled": true,
+    "default_algorithm": "HS256",
+    "default_ttl": 3600,
+    "issuer": "legion",
+    "verify_expiration": true,
+    "verify_issuer": true
+  },
+  "cs_encrypt_ready": false,
+  "dynamic_keys": true,
+  "cluster_secret": null,
+  "save_private_key": true,
+  "read_private_key": true
+}
+```
+
+## Dependencies
+
+| Gem | Purpose |
+|-----|---------|
+| `jwt` (>= 2.7) | JSON Web Token encoding/decoding |
+| `vault` (>= 0.17) | HashiCorp Vault Ruby client |
+
+Dev dependencies: `legion-logging`, `legion-settings`
+
+## File Map
+
+| Path | Purpose |
+|------|---------|
+| `lib/legion/crypt.rb` | Module entry, start/shutdown lifecycle |
+| `lib/legion/crypt/cipher.rb` | AES-256-CBC encrypt/decrypt, RSA key generation |
+| `lib/legion/crypt/jwt.rb` | JWT issue/verify/decode operations |
+| `lib/legion/crypt/vault.rb` | Vault read/write/connect/renew operations |
+| `lib/legion/crypt/cluster_secret.rb` | Cluster-wide shared secret management |
+| `lib/legion/crypt/vault_jwt_auth.rb` | Vault JWT auth backend: `.login`, `.login!`, `.worker_login`; raises `AuthError` on failure |
+| `lib/legion/crypt/vault_renewer.rb` | Background Vault token renewal |
+| `lib/legion/crypt/lease_manager.rb` | Dynamic Vault lease lifecycle management |
+| `lib/legion/crypt/settings.rb` | Default configuration |
+| `lib/legion/crypt/version.rb` | VERSION constant |
+
+## Role in LegionIO
+
+First service-level module initialized during `Legion::Service` startup (before transport). Provides:
+1. Vault token for `legion-transport` to fetch RabbitMQ credentials
+2. Message encryption for `legion-transport` (optional `transport.messages.encrypt`)
+3. Cluster secret for inter-node encrypted communication
+4. JWT tokens for node authentication and task authorization
+
+### Vault JWT Auth Usage
+
+```ruby
+# Authenticate to Vault using a JWT (Vault must have JWT auth method enabled)
+result = Legion::Crypt::VaultJwtAuth.login(jwt: token, role: 'legion-worker')
+# => { token: '...', lease_duration: 3600, renewable: true, policies: [...], metadata: {} }
+
+# Authenticate and set Vault client token in one step
+Legion::Crypt::VaultJwtAuth.login!(jwt: token)
+
+# Issue a Legion JWT and use it to authenticate to Vault (convenience for workers)
+result = Legion::Crypt::VaultJwtAuth.worker_login(worker_id: 'abc', owner_msid: 'user@example.com')
+```
+
+Vault prerequisites: `vault auth enable jwt` + configure `auth/jwt/config` with JWKS URL or bound issuer.
+
+### JWT Usage
+
+```ruby
+# Convenience methods (auto-selects keys from settings)
+token = Legion::Crypt.issue_token({ node_id: 'abc' }, ttl: 3600)
+claims = Legion::Crypt.verify_token(token)
+
+# Direct module usage (explicit keys)
+token = Legion::Crypt::JWT.issue(payload, signing_key: key, algorithm: 'RS256')
+claims = Legion::Crypt::JWT.verify(token, verification_key: pub_key, algorithm: 'RS256')
+decoded = Legion::Crypt::JWT.decode(token) # no verification, inspection only
+```
+
+**Algorithms:**
+- `HS256` (default): Uses cluster secret. All cluster nodes can issue and verify.
+- `RS256`: Uses RSA keypair. Only the issuing node can sign; anyone with the public key can verify.
+
+---
+
+**Maintained By**: Matthew Iverson (@Esity)

data/Gemfile

@@ -3,3 +3,12 @@
 source 'https://rubygems.org'
 
 gemspec
+group :test do
+  gem 'rake'
+  gem 'rspec'
+  gem 'rspec_junit_formatter'
+  gem 'rubocop'
+  gem 'simplecov'
+end
+gem 'legion-logging'
+gem 'legion-settings'

data/LICENSE

@@ -0,0 +1,191 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2021 Esity
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/README.md

@@ -1,3 +1,97 @@
-# Legion::Crypt
+# legion-crypt
 
-The Legion encryption module
+Encryption, secrets management, JWT token management, and HashiCorp Vault integration for the [LegionIO](https://github.com/LegionIO/LegionIO) framework. Provides AES-256-CBC message encryption, RSA key pair generation, cluster secret management, JWT issue/verify operations, and Vault token lifecycle management.
+
+## Installation
+
+```bash
+gem install legion-crypt
+```
+
+Or add to your Gemfile:
+
+```ruby
+gem 'legion-crypt'
+```
+
+## Usage
+
+```ruby
+require 'legion/crypt'
+
+Legion::Crypt.start
+Legion::Crypt.encrypt('this is my string')
+Legion::Crypt.decrypt(message)
+```
+
+### JWT Tokens
+
+```ruby
+# Issue a token (defaults to HS256 using cluster secret)
+token = Legion::Crypt.issue_token({ node_id: 'abc' }, ttl: 3600)
+
+# Verify and decode a token
+claims = Legion::Crypt.verify_token(token)
+
+# Use RS256 (RSA keypair) instead
+token = Legion::Crypt.issue_token({ node_id: 'abc' }, algorithm: 'RS256')
+claims = Legion::Crypt.verify_token(token, algorithm: 'RS256')
+
+# Inspect a token without verification
+decoded = Legion::Crypt::JWT.decode(token)
+```
+
+## Configuration
+
+```json
+{
+  "vault": {
+    "enabled": false,
+    "protocol": "http",
+    "address": "localhost",
+    "port": 8200,
+    "token": null,
+    "connected": false,
+    "renewer_time": 5,
+    "renewer": true,
+    "push_cluster_secret": true,
+    "read_cluster_secret": true,
+    "kv_path": "legion"
+  },
+  "jwt": {
+    "enabled": true,
+    "default_algorithm": "HS256",
+    "default_ttl": 3600,
+    "issuer": "legion",
+    "verify_expiration": true,
+    "verify_issuer": true
+  },
+  "cs_encrypt_ready": false,
+  "dynamic_keys": true,
+  "cluster_secret": null,
+  "save_private_key": true,
+  "read_private_key": true
+}
+```
+
+### JWT Algorithms
+
+| Algorithm | Key | Use Case |
+|-----------|-----|----------|
+| `HS256` (default) | Cluster secret (symmetric) | Intra-cluster tokens — all nodes can issue and verify |
+| `RS256` | RSA key pair (asymmetric) | Tokens verifiable by external services without sharing the signing key |
+
+### Vault Integration
+
+When `vault.token` is set (or via `VAULT_TOKEN_ID` env var), Crypt connects to Vault on `start`. The background `VaultRenewer` thread keeps the token alive. Vault is an optional runtime dependency — the Vault module is only included if the `vault` gem is available.
+
+## Requirements
+
+- Ruby >= 3.4
+- `jwt` gem (>= 2.7)
+- `vault` gem (>= 0.17, optional)
+- HashiCorp Vault (optional, for secrets management)
+
+## License
+
+Apache-2.0

data/legion-crypt.gemspec

@@ -3,37 +3,28 @@
 require_relative 'lib/legion/crypt/version'
 
 Gem::Specification.new do |spec|
-  spec.name          = 'legion-crypt'
+  spec.name = 'legion-crypt'
   spec.version       = Legion::Crypt::VERSION
   spec.authors       = ['Esity']
   spec.email         = ['matthewdiverson@gmail.com']
-
-  spec.summary       = 'Legion::Vault is used to keep things safe'
-  spec.description   = 'Integrates with Hashicorps vault and other encryption type things'
-  spec.homepage      = 'https://bitbucket.org/legion-io/legion-vault/'
-  spec.license       = 'MIT'
-  spec.required_ruby_version = Gem::Requirement.new('>= 2.5.0')
-
-  spec.metadata['homepage_uri'] = spec.homepage
-  spec.metadata['source_code_uri'] = 'https://bitbucket.org/legion-io/legion/'
-  spec.metadata['changelog_uri'] = 'https://bitbucket.org/legion-io/legion/src/master/CHANGELOG.md'
-  spec.metadata['wiki_uri'] = 'https://bitbucket.org/legion-io/legion-crypt/wiki'
-  spec.metadata['bug_tracker_uri'] = 'https://bitbucket.org/legion-io/legion-crypt/issues'
-
-  spec.files = Dir.chdir(File.expand_path(__dir__)) do
-    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
-  end
+  spec.summary       = 'Handles requests for encrypt, decrypting, connecting to Vault, among other things'
+  spec.description   = 'A gem used by the LegionIO framework for encryption'
+  spec.homepage      = 'https://github.com/LegionIO/legion-crypt'
+  spec.license       = 'Apache-2.0'
   spec.require_paths = ['lib']
+  spec.required_ruby_version = '>= 3.4'
+  spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.extra_rdoc_files = %w[README.md LICENSE CHANGELOG.md]
+  spec.metadata = {
+    'bug_tracker_uri'       => 'https://github.com/LegionIO/legion-crypt/issues',
+    'changelog_uri'         => 'https://github.com/LegionIO/legion-crypt/blob/main/CHANGELOG.md',
+    'documentation_uri'     => 'https://github.com/LegionIO/legion-crypt',
+    'homepage_uri'          => 'https://github.com/LegionIO/LegionIO',
+    'source_code_uri'       => 'https://github.com/LegionIO/legion-crypt',
+    'wiki_uri'              => 'https://github.com/LegionIO/legion-crypt/wiki',
+    'rubygems_mfa_required' => 'true'
+  }
 
-  spec.add_dependency 'vault', '>= 0.15.0'
-
-  spec.add_development_dependency 'legionio'
-  spec.add_development_dependency 'legion-logging'
-  spec.add_development_dependency 'legion-settings'
-  spec.add_development_dependency 'legion-transport'
-  spec.add_development_dependency 'rspec'
-  spec.add_development_dependency 'rspec_junit_formatter'
-  spec.add_development_dependency 'rubocop'
-  spec.add_development_dependency 'simplecov', '< 0.18.0'
-  spec.add_development_dependency 'simplecov_json_formatter'
+  spec.add_dependency 'jwt', '>= 2.7'
+  spec.add_dependency 'vault', '>= 0.17'
 end