my_credentials 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: d0da402ad05ad9cae55fbe39b76aaeba0d8ce2585d7cb0eb4d19a000a86cdf3d
+  data.tar.gz: 78ba7667fbc7689fa6ce6febfa7f14d00310adc69f6e9ae3658b8cfae4ed6309
+SHA512:
+  metadata.gz: b5b41167c208da103216b2cc5a0db15d475fa659b804be3536fa169ec03b9bcdd0d0b94d39f63baa2da3d5c615f17a3bf9cc7d2fa2388c698ea438d4a4f45588
+  data.tar.gz: 809fb2b7687085accabae5b0cccd85cccaa95f35353ee9e0878416a17c96822c9ba226cf333d74f783eea62f00566ce6d8048d2dbdfcb384b1a6dde7083373d0

data/.rubocop.yml

@@ -0,0 +1,8 @@
+AllCops:
+  TargetRubyVersion: 3.1
+
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
+
+Style/StringLiteralsInInterpolation:
+  EnforcedStyle: double_quotes

data/CHANGELOG.md

@@ -0,0 +1,28 @@
+# Changelog
+
+All notable changes to **my_credentials** will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),  
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+---
+
+## [0.1.0] - 2025-09-27
+
+### Added
+- Initial public release.
+- CLI support using Thor (`mycredentials edit --environment production`).
+- Encrypted file management using `ActiveSupport::EncryptedFile`.
+- Environment-based `.key` and `.yml.enc` files.
+- Interactive editor support (`$EDITOR` fallback to `vim`).
+- Configurable base path and environment.
+- Default example template for new credentials.
+
+---
+
+## [Unreleased]
+
+### Planned
+- Support for loading secrets from environment variables fallback.
+- Validation or schema checking for credentials structure.
+- Encrypted secrets introspection or listing.

data/Gemfile

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in my_credentials.gemspec
+gemspec
+
+gem "irb"
+gem "rake", "~> 13.0"
+
+gem "rspec", "~> 3.0"
+
+gem "rubocop", "~> 1.21"

data/Gemfile.lock

@@ -0,0 +1,114 @@
+PATH
+  remote: .
+  specs:
+    my_credentials (0.1.0)
+      activesupport (~> 8.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (8.0.3)
+      base64
+      benchmark (>= 0.3)
+      bigdecimal
+      concurrent-ruby (~> 1.0, >= 1.3.1)
+      connection_pool (>= 2.2.5)
+      drb
+      i18n (>= 1.6, < 2)
+      logger (>= 1.4.2)
+      minitest (>= 5.1)
+      securerandom (>= 0.3)
+      tzinfo (~> 2.0, >= 2.0.5)
+      uri (>= 0.13.1)
+    ast (2.4.3)
+    base64 (0.3.0)
+    benchmark (0.4.1)
+    bigdecimal (3.2.3)
+    concurrent-ruby (1.3.5)
+    connection_pool (2.5.4)
+    date (3.4.1)
+    diff-lcs (1.6.2)
+    drb (2.2.3)
+    erb (5.0.2)
+    i18n (1.14.7)
+      concurrent-ruby (~> 1.0)
+    io-console (0.8.1)
+    irb (1.15.2)
+      pp (>= 0.6.0)
+      rdoc (>= 4.0.0)
+      reline (>= 0.4.2)
+    json (2.15.0)
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
+    logger (1.7.0)
+    minitest (5.25.5)
+    parallel (1.27.0)
+    parser (3.3.9.0)
+      ast (~> 2.4.1)
+      racc
+    pp (0.6.2)
+      prettyprint
+    prettyprint (0.2.0)
+    prism (1.5.1)
+    psych (5.2.6)
+      date
+      stringio
+    racc (1.8.1)
+    rainbow (3.1.1)
+    rake (13.3.0)
+    rdoc (6.14.2)
+      erb
+      psych (>= 4.0.0)
+    regexp_parser (2.11.3)
+    reline (0.6.2)
+      io-console (~> 0.5)
+    rspec (3.13.1)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.5)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.5)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.5)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.6)
+    rubocop (1.81.1)
+      json (~> 2.3)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
+      parallel (~> 1.10)
+      parser (>= 3.3.0.2)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.47.1, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.47.1)
+      parser (>= 3.3.7.2)
+      prism (~> 1.4)
+    ruby-progressbar (1.13.0)
+    securerandom (0.4.1)
+    stringio (3.1.7)
+    tzinfo (2.0.6)
+      concurrent-ruby (~> 1.0)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.1.0)
+    uri (1.0.3)
+
+PLATFORMS
+  arm64-darwin-21
+  ruby
+
+DEPENDENCIES
+  irb
+  my_credentials!
+  rake (~> 13.0)
+  rspec (~> 3.0)
+  rubocop (~> 1.21)
+
+BUNDLED WITH
+   2.6.9

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Pablo Salazar
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,151 @@
+# MyCredentials
+
+🔐 **MyCredentials** is a Ruby gem for securely managing sensitive variables, similar to `Rails.credentials`, but completely independent from Rails.
+
+It uses AES-128-GCM encryption via `ActiveSupport::EncryptedFile` to protect API keys, tokens, passwords, and more.
+
+> ⚠️ **Experimental** – This gem was originally built for internal use. It's simple and may not cover every use case. Use at your own discretion.
+
+---
+
+## Features
+
+- 🔒 Secure encryption with per-environment keys
+- 📄 `.yml.enc` files per environment (`development`, `production`, etc.)
+- 🗝️ Automatically generates the `.key` file if missing
+- 🧪 Works in any Ruby app (no Rails required)
+- 🧰 Hash-style access: `MyCredentials[:api_key]`
+- 📝 Interactive editor to modify credentials (`MyCredentials.edit(:env)`)
+
+---
+
+## Installation
+
+Add the gem to your `Gemfile`:
+
+```ruby
+gem "my_credentials", path: "../path/to/gem"
+```
+
+Then run:
+
+```bash
+bundle install
+```
+
+---
+
+## Basic Usage
+
+### Create credentials
+
+From the terminal or a script:
+
+```bash
+EDITOR=vim mycredentials edit --environment staging
+```
+
+This command:
+
+- Creates `config/credentials/development.key` if it doesn't exist
+- Creates `config/credentials/development.yml.enc` if it doesn't exist
+- Opens the decrypted file in your configured editor (`$EDITOR` or `vim`)
+
+---
+
+### Read variables
+
+```ruby
+require "my_credentials"
+
+api_key = MyCredentials[:api_key]
+mailgun_domain = MyCredentials[:mailgun][:domain]
+```
+
+---
+
+## Configuration (optional)
+
+If you need to customize the path or environment:
+
+```ruby
+MyCredentials.configure do |config|
+  config.secrets_path = "config/credentials"  # Base path for files
+  config.env = "production"                   # Environment to use
+end
+```
+
+If not configured, the defaults are:
+
+- Path: `config/credentials/`
+- Environment: determined from `ENV["MYC_ENV"]`, `ENV["RACK_ENV"]`, `ENV["APP_ENV"]`, or `"development"`
+
+---
+
+## Expected File Structure
+
+```
+config/credentials/
+├── development.yml.enc
+├── development.key
+├── production.yml.enc
+├── production.key
+```
+
+The `.key` file should be kept **out of version control**.
+
+---
+
+## Security
+
+### Never commit your key files
+
+Add this to your `.gitignore`:
+
+```
+# MyCredentials key files
+/config/credentials/*.key
+```
+
+You can also use the `MYC_MASTER_KEY` environment variable instead of storing the key on disk.
+
+---
+
+## Example decrypted file
+
+```yaml
+api_key: abc123
+mailgun:
+  api_key: mg-abc987
+  domain: example.com
+```
+
+---
+
+## Requirements
+
+- Ruby >= 3.1
+- `activesupport` >= 8.0
+
+---
+
+## Generate key manually
+
+If you'd rather generate the key manually:
+
+```bash
+openssl rand -hex 16 > config/credentials/development.key
+```
+
+---
+
+## Inspiration
+
+- `Rails.application.credentials`
+- `ActiveSupport::EncryptedFile`
+
+---
+
+## License
+
+MIT License © 2025 Pablo Salazar

data/Rakefile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+require "rubocop/rake_task"
+
+RuboCop::RakeTask.new
+
+task default: %i[spec rubocop]

data/bin/console

@@ -0,0 +1,11 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "bundler/setup"
+require "my_credentials"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/exe/mycredentials

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+require "bundler/setup"
+require "my_credentials"
+require "my_credentials/cli"
+
+MyCredentials::CLI.start(ARGV)

data/lib/my_credentials/cli.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require "thor"
+require_relative "editor"
+
+module MyCredentials
+  class CLI < Thor
+    desc "edit ENV", "Edit credentials for the given environment (e.g., development, staging, production)"
+    option :environment, aliases: "-e", desc: "Environment name (optional if provided as argument)"
+    def edit(env = nil)
+      env ||= options[:environment]
+      if env.nil?
+        puts "❌ Please specify an environment. Use `edit ENV` or `--environment ENV`."
+        exit(1)
+      end
+
+      MyCredentials::Editor.edit(env.to_s)
+    end
+  end
+end

data/lib/my_credentials/editor.rb

@@ -0,0 +1,73 @@
+require "tempfile"
+require "securerandom"
+require "fileutils"
+
+module MyCredentials
+  module Editor
+    DEFAULT_EDITOR = "vim".freeze
+
+    def self.edit(env)
+      ensure_key_exists(env)
+      ensure_encrypted_file_exists(env)
+
+      encrypted_file = encrypted_file_for(env)
+
+      Tempfile.create(%w(credentials .yml)) do |tmp|
+        tmp.write(encrypted_file.read || "")
+        tmp.flush
+
+        editor = ENV["EDITOR"] || DEFAULT_EDITOR
+        puts "[my_credentials] 📝 No $EDITOR set. Using default: #{DEFAULT_EDITOR}" unless ENV["EDITOR"]
+        puts "Editing #{encrypted_file.content_path}..."
+        system("#{editor} #{tmp.path}")
+
+        new_content = File.read(tmp.path)
+        encrypted_file.write(new_content)
+        puts "File encrypted and saved."
+      end
+    end
+
+    private_class_method def self.ensure_key_exists(env)
+      path = MyCredentials.key_path(env)
+      return if File.exist?(path)
+
+      FileUtils.mkdir_p(File.dirname(path))
+      key = SecureRandom.hex(16)
+      File.write(path, key)
+      puts "[my_credentials] 🔑 Key generated in #{path}"
+      puts "[my_credentials] 📌 Added 128-bit key (AES-128-GCM)"
+      if env == "production"
+        puts "[my_credentials] ⚠️ For security, remember to add config/credentials/production.key to your .gitignore"
+      end
+    end
+
+    private_class_method def self.ensure_encrypted_file_exists(env)
+      path = MyCredentials.path(env)
+      return if File.exist?(path)
+
+      FileUtils.mkdir_p(File.dirname(path))
+      encrypted_file_for(env).write(default_template)
+      puts "[my_credentials] 📄 Encrypted file generated in #{path}"
+    end
+
+    private_class_method def self.encrypted_file_for(env)
+      ActiveSupport::EncryptedFile.new(
+        content_path: MyCredentials.path(env),
+        key_path: MyCredentials.key_path(env),
+        env_key: "MYC_MASTER_KEY",
+        raise_if_missing_key: true
+      )
+    end
+
+    private_class_method def self.default_template
+      <<~YAML
+      # Example credentials file
+      # Use this file to store sensitive settings like API keys, passwords, etc.
+      #
+      # api_key: your-api-key-here
+      # postgres:
+      #   db_password: your-database-password-here
+    YAML
+    end
+  end
+end

data/lib/my_credentials/loader.rb

@@ -0,0 +1,15 @@
+module MyCredentials
+  module Loader
+    def self.load(env)
+      encrypted_file = ActiveSupport::EncryptedFile.new(
+        content_path: MyCredentials.path(env),
+        key_path: MyCredentials.key_path(env),
+        env_key: "MYC_MASTER_KEY",
+        raise_if_missing_key: true
+      )
+
+      raw = encrypted_file.read
+      raw ? YAML.safe_load(raw, aliases: true, symbolize_names: true) : {}
+    end
+  end
+end

data/lib/my_credentials/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module MyCredentials
+  VERSION = "0.1.0"
+end

data/lib/my_credentials.rb

@@ -0,0 +1,59 @@
+# lib/my_credentials.rb
+require "active_support/encrypted_file"
+require "yaml"
+
+require_relative "my_credentials/version"
+require_relative "my_credentials/loader"
+require_relative "my_credentials/editor"
+
+module MyCredentials
+  class << self
+    def configuration
+      @configuration ||= Configuration.new
+    end
+
+    def configure
+      yield(configuration)
+    end
+
+    def env
+      configuration.env || ENV["MYC_ENV"] || ENV["RACK_ENV"] || ENV["APP_ENV"] || "development"
+    end
+
+    def for(target_env = env)
+      Loader.load(target_env)
+    end
+
+    def [](key)
+      credentials = self.for(env)
+      credentials[key.to_s] || credentials[key.to_sym]
+    end
+
+    def edit(target_env = env)
+      Editor.edit(target_env)
+    end
+
+    def available_envs
+      Dir.glob(File.join(configuration.secrets_path, "*.yml.enc")).map do |f|
+        File.basename(f, ".yml.enc").to_sym
+      end
+    end
+
+    def path(env)
+      File.join(configuration.secrets_path, "#{env}.yml.enc")
+    end
+
+    def key_path(env)
+      File.join(configuration.secrets_path, "#{env}.key")
+    end
+  end
+
+  class Configuration
+    attr_accessor :secrets_path, :env
+
+    def initialize
+      @secrets_path = "config/credentials"
+      @env = nil
+    end
+  end
+end

data/sig/my_credentials.rbs

@@ -0,0 +1,4 @@
+module MyCredentials
+  VERSION: String
+  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+end

metadata

@@ -0,0 +1,93 @@
+--- !ruby/object:Gem::Specification
+name: my_credentials
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Pablo Salazar
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2025-09-28 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '8.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '8.0'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+description: Rails-like encrypted credentials, without Rails. Easily manage secrets
+  per environment in any Ruby project.
+email:
+- pabloalfredo.salazar@gmail.com
+executables:
+- mycredentials
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rubocop.yml"
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- exe/mycredentials
+- lib/my_credentials.rb
+- lib/my_credentials/cli.rb
+- lib/my_credentials/editor.rb
+- lib/my_credentials/loader.rb
+- lib/my_credentials/version.rb
+- sig/my_credentials.rbs
+homepage: https://github.com/psalazar/my_credentials
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org
+  homepage_uri: https://github.com/psalazar/my_credentials
+  source_code_uri: https://github.com/psalazar/my_credentials
+  changelog_uri: https://github.com/psalazar/my_credentials/blob/main/CHANGELOG.md
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.1.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.22
+signing_key:
+specification_version: 4
+summary: Secure credential management for Ruby apps with encryption.
+test_files: []