rails-credentials-conflict 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 69ad41e2d662e231c9cc58895b567280a3f1c78943dd4dfd389f8b83db21ed73
+  data.tar.gz: 1ea33b52f592947663ad9c24c0cf8162c284e2caf91fcf2555c8e8d55c8b6874
+SHA512:
+  metadata.gz: 16863610cb7967fb70d71996dbc88f347ef442464be96462e6387df629c9fe5899de3fead02debc6180abc515250c214a968ff21bcfd2c383527a4ec2c37ef9a
+  data.tar.gz: '0936c701ef1b31c7d3724f9a3257ec4e41fc6736ccd7547a06d6a05228531ff5190a0123443462026f866ca3aa87172e5df3fb0c2e64dbcd6438d172e2be8e28'

data/CHANGELOG.md

@@ -0,0 +1,17 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.1.0] - 2025-01-01
+
+### Added
+
+- Initial release
+- Rake tasks for resolving encrypted credentials conflicts: `resolve`, `yours`, `theirs`, `base`
+- Three-way merge with conflict markers and editor-based resolution
+- Support for environment-specific credentials
+- YAML validation of resolved content
+- Automatic staging of resolved files

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2025 jwo1f
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,138 @@
+# Rails Credentials Conflict
+
+A Rails gem that helps resolve git merge conflicts in encrypted credentials files by decrypting, merging, and re-encrypting them.
+
+## Problem
+
+When working with Rails encrypted credentials in a team environment, git merge conflicts in `.yml.enc` files are common. Since these files are encrypted, git cannot automatically merge them, and the conflict markers appear in the encrypted content, making manual resolution impossible.
+
+## Solution
+
+This gem provides rake tasks to:
+- Decrypt both versions of conflicted credentials
+- Present them in a standard git conflict format for easy resolution
+- Re-encrypt the resolved content
+- Or simply choose one version over the other
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'rails-credentials-conflict'
+```
+
+And then execute:
+
+```bash
+bundle install
+```
+
+## Usage
+
+When you encounter a merge conflict in your credentials file, you have four options:
+
+### 1. Resolve conflicts manually
+
+This command decrypts both versions, opens them in your editor with git conflict markers, and re-encrypts after you've resolved the conflicts:
+
+```bash
+# For main credentials
+rails credentials:conflict:resolve
+
+# For environment-specific credentials
+rails credentials:conflict:resolve[staging]
+rails credentials:conflict:resolve[production]
+```
+
+The command will:
+1. Detect the conflict in the encrypted file
+2. Decrypt both versions (yours and theirs)
+3. Compare them - if identical, auto-merge
+4. If different, create a temporary file with git conflict markers:
+   ```yaml
+   <<<<<<< HEAD (yours)
+   api_key: your-key
+   =======
+   api_key: their-key
+   >>>>>>> MERGE_HEAD (theirs)
+   ```
+5. Open the file in your `$EDITOR` (defaults to vim)
+6. After you save and close, validate YAML and re-encrypt the resolved content
+7. Stage the resolved file with git
+
+### 2. Keep your version
+
+To discard their changes and keep only your version:
+
+```bash
+# For main credentials
+rails credentials:conflict:yours
+
+# For environment-specific credentials
+rails credentials:conflict:yours[staging]
+```
+
+### 3. Keep their version
+
+To discard your changes and keep only their version:
+
+```bash
+# For main credentials
+rails credentials:conflict:theirs
+
+# For environment-specific credentials
+rails credentials:conflict:theirs[production]
+```
+
+### 4. Keep base version
+
+To keep the base version (shown in the middle section of 3-way diff):
+
+```bash
+# For main credentials
+rails credentials:conflict:base
+
+# For environment-specific credentials
+rails credentials:conflict:base[staging]
+```
+
+## How it works
+
+The gem uses git's staging area to access all versions of the conflicted file:
+- Stage 1 contains "base" (merge-base/common ancestor)
+- Stage 2 contains "ours" (your version)
+- Stage 3 contains "theirs" (their version)
+
+It then:
+1. Decrypts the versions using your local key
+2. Performs the requested operation (merge, yours, theirs, or base)
+3. Validates the resolved YAML
+4. Re-encrypts the result
+5. Stages the resolved file
+
+Works with merge, rebase, and cherry-pick conflicts.
+
+## Requirements
+
+- Ruby >= 3.1.0
+- Rails >= 6.0
+- Git repository with encrypted credentials
+- The appropriate encryption key must be available via one of:
+  - `RAILS_MASTER_KEY` environment variable
+  - `config/master.key` for main credentials
+  - `config/credentials/<environment>.key` for environment-specific credentials
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests.
+
+To install this gem onto your local machine, run `bundle exec rake install`.
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/jwo1f/rails-credentials-conflict.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](LICENSE.txt).

data/Rakefile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/*_test.rb"]
+end
+
+task default: :test

data/lib/rails/credentials/conflict/encryption_service.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require "active_support/message_encryptor"
+
+module Rails
+  module Credentials
+    module Conflict
+      # Encrypts and decrypts Rails credentials content using AES-128-GCM.
+      #
+      # The encryption key is read from either an environment variable
+      # (default +RAILS_MASTER_KEY+) or a key file on disk.
+      class EncryptionService
+        CIPHER = "aes-128-gcm"
+
+        def initialize(key_path, env_key: "RAILS_MASTER_KEY")
+          @key_path = key_path
+          @env_key = env_key
+        end
+
+        # Decrypts and verifies +encrypted_content+.
+        # Returns an empty string for nil or empty input.
+        def decrypt(encrypted_content)
+          return "" if encrypted_content.nil? || encrypted_content.empty?
+
+          encryptor.decrypt_and_verify(encrypted_content)
+        end
+
+        # Encrypts and signs +content+, returning the ciphertext.
+        def encrypt(content)
+          encryptor.encrypt_and_sign(content)
+        end
+
+        # Encrypts +content+ and writes it to +destination_path+ in binary mode.
+        def save_encrypted(content, destination_path)
+          File.binwrite(destination_path, encrypt(content))
+        end
+
+        private
+
+        def encryptor
+          @encryptor ||= ActiveSupport::MessageEncryptor.new(
+            [read_key].pack("H*"),
+            cipher: CIPHER
+          )
+        end
+
+        def read_key
+          key_from_env || key_from_file || raise(
+            Error, "Encryption key not found. Set #{@env_key} env variable or create #{@key_path}"
+          )
+        end
+
+        def key_from_env
+          value = ENV[@env_key]&.strip
+          value unless value.nil? || value.empty?
+        end
+
+        def key_from_file
+          return nil unless File.exist?(@key_path)
+
+          value = File.read(@key_path).strip
+          value.empty? ? nil : value
+        end
+      end
+    end
+  end
+end

data/lib/rails/credentials/conflict/git_conflict_handler.rb

@@ -0,0 +1,125 @@
+# frozen_string_literal: true
+
+require "open3"
+
+module Rails
+  module Credentials
+    module Conflict
+      # Interacts with git to read conflict stages, detect merge state,
+      # and stage resolved files.
+      #
+      # Uses git's staging area to access the three versions of a
+      # conflicted file (base, ours, theirs) and determines labels
+      # for the merge participants.
+      class GitConflictHandler
+        STAGE_BASE = 1
+        STAGE_OURS = 2
+        STAGE_THEIRS = 3
+
+        def initialize(credentials_path, relative_path)
+          @credentials_path = credentials_path.to_s
+          @relative_path = relative_path.to_s
+        end
+
+        # Verifies that the credentials file exists and is in a conflicted
+        # state (UU or AA in +git status --porcelain+).
+        # Raises +Error+ otherwise.
+        def validate_conflict!
+          raise Error, "Credentials file not found: #{@credentials_path}" unless File.exist?(@credentials_path)
+
+          git_status, status = Open3.capture2("git", "status", "--porcelain", @credentials_path)
+          git_status = git_status.strip
+
+          return if status.success? && (git_status.start_with?("UU") || git_status.start_with?("AA"))
+
+          raise Error, "No git conflict detected for #{@credentials_path}"
+        end
+
+        # Retrieves the encrypted content for the given +version+ (:base, :ours, or :theirs)
+        # from the git staging area. Returns an empty string on failure.
+        def get_version(version)
+          stage_number = stage_for_version(version)
+          content, status = Open3.capture2(
+            "git", "show", ":#{stage_number}:#{@relative_path}",
+            binmode: true
+          )
+          status.success? ? content.strip : ""
+        end
+
+        # Stages the resolved credentials file with +git add+.
+        # Raises +Error+ if the command fails.
+        def stage_resolved_file!
+          _, status = Open3.capture2("git", "add", @credentials_path)
+
+          return if status.success?
+
+          raise Error, "Failed to stage resolved file: #{@credentials_path}"
+        end
+
+        # Returns a Hash of labels for the three merge participants
+        # (+:ours+, +:base+, +:theirs+), each containing a branch name
+        # and short SHA.
+        def get_merge_labels
+          head_ref = detect_head_ref
+
+          {
+            ours: build_label(get_current_branch, get_short_sha("HEAD")),
+            base: build_label("ancestor", get_merge_base_sha(head_ref)),
+            theirs: build_label(get_incoming_branch(head_ref), get_short_sha(head_ref))
+          }
+        end
+
+        private
+
+        def stage_for_version(version)
+          case version
+          when :base then STAGE_BASE
+          when :ours then STAGE_OURS
+          when :theirs then STAGE_THEIRS
+          else raise Error, "Unknown version: #{version}"
+          end
+        end
+
+        def detect_head_ref
+          %w[MERGE_HEAD CHERRY_PICK_HEAD REBASE_HEAD].each do |ref|
+            _, status = Open3.capture2("git", "rev-parse", "--verify", ref)
+            return ref if status.success?
+          end
+
+          "MERGE_HEAD"
+        end
+
+        def build_label(branch_name, commit_sha)
+          "#{branch_name} (#{commit_sha})"
+        end
+
+        def get_current_branch
+          branch, status = Open3.capture2("git", "rev-parse", "--abbrev-ref", "HEAD")
+          branch = branch.strip
+          status.success? && !branch.empty? ? branch : "HEAD"
+        end
+
+        def get_incoming_branch(head_ref)
+          branch, status = Open3.capture2("git", "name-rev", "--name-only", head_ref)
+          branch = branch.strip
+          status.success? && !branch.empty? ? branch : head_ref
+        end
+
+        def get_short_sha(ref)
+          sha, status = Open3.capture2("git", "rev-parse", "--short=8", ref)
+          status.success? ? sha.strip : "unknown"
+        end
+
+        def get_merge_base_sha(head_ref)
+          ours_sha, s1 = Open3.capture2("git", "rev-parse", "HEAD")
+          theirs_sha, s2 = Open3.capture2("git", "rev-parse", head_ref)
+
+          return "unknown" unless s1.success? && s2.success?
+
+          base_sha, s3 = Open3.capture2("git", "merge-base", ours_sha.strip, theirs_sha.strip)
+          s3.success? ? base_sha.strip[0..7] : "unknown"
+        end
+      end
+    end
+  end
+end

data/lib/rails/credentials/conflict/merge_strategy.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+require "open3"
+require "tempfile"
+require "yaml"
+
+module Rails
+  module Credentials
+    module Conflict
+      # Performs three-way merge of decrypted credentials using git merge-file.
+      #
+      # Handles creating conflict markers for manual resolution,
+      # detecting unresolved markers, validating YAML, and opening
+      # an editor for interactive conflict resolution.
+      class MergeStrategy
+        CONFLICT_MARKER_START = "<<<<<<<"
+        CONFLICT_MARKER_END = ">>>>>>>"
+
+        def initialize(encryption_service)
+          @encryption_service = encryption_service
+        end
+
+        # Runs a three-way merge via +git merge-file+ and returns the result.
+        #
+        # Returns a Hash with +:content+ (merged text) and +:has_conflicts+
+        # (true when conflict markers are present).
+        #
+        # Raises +Error+ when +git merge-file+ exits with a status greater
+        # than 1, which indicates an actual error rather than conflicts.
+        def create_conflict_markers(ours_content, base_content, theirs_content, labels:)
+          with_temp_files(ours_content, base_content, theirs_content) do |ours_path, base_path, theirs_path|
+            merged_content, status = Open3.capture2(
+              "git", "merge-file", "-p", "--diff3",
+              "-L", labels[:ours],
+              "-L", labels[:base],
+              "-L", labels[:theirs],
+              ours_path, base_path, theirs_path,
+              err: File::NULL
+            )
+
+            exit_code = status.exitstatus
+
+            raise Error, "git merge-file failed (exit #{exit_code || "unknown"})" if exit_code.nil? || exit_code > 1
+
+            { content: merged_content, has_conflicts: exit_code == 1 }
+          end
+        end
+
+        # Returns true if the content contains unresolved git conflict markers.
+        def has_conflict_markers?(content)
+          content.include?(CONFLICT_MARKER_START) || content.include?(CONFLICT_MARKER_END)
+        end
+
+        # Parses content as YAML and raises +Error+ if it is invalid.
+        def validate_yaml!(content)
+          YAML.safe_load(content)
+        rescue Psych::SyntaxError => e
+          raise Error, "Resolved content is not valid YAML: #{e.message}"
+        end
+
+        # Writes +merged_content+ to a temp file, opens it in +$EDITOR+,
+        # and returns the edited content after the editor exits.
+        def open_editor_for_resolution(merged_content)
+          Tempfile.create(["credentials_conflict", ".yml"]) do |tempfile|
+            tempfile.write(merged_content)
+            tempfile.flush
+
+            editor = ENV.fetch("EDITOR", "vim")
+            system(editor, tempfile.path)
+
+            File.read(tempfile.path)
+          end
+        end
+
+        private
+
+        def with_temp_files(*contents)
+          temp_files = contents.map.with_index do |content, index|
+            file = Tempfile.new(["temp_#{index}", ".yml"])
+            file.write(content)
+            file.flush
+            file
+          end
+
+          yield(*temp_files.map(&:path))
+        ensure
+          temp_files&.each do |file|
+            file.close
+            file.unlink
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rails/credentials/conflict/path_resolver.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module Rails
+  module Credentials
+    module Conflict
+      # Resolves file system paths for Rails encrypted credentials
+      # and their corresponding key files.
+      #
+      # Supports both the default credentials (+config/credentials.yml.enc+)
+      # and environment-specific ones (+config/credentials/<env>.yml.enc+).
+      class PathResolver
+        VALID_ENVIRONMENT = /\A[a-z0-9_]+\z/
+
+        attr_reader :environment
+
+        def initialize(environment = nil)
+          if environment && !VALID_ENVIRONMENT.match?(environment.to_s)
+            raise Error,
+                  "Invalid environment name: #{environment.inspect}. " \
+                  "Must contain only lowercase letters, digits, and underscores."
+          end
+
+          @environment = environment
+        end
+
+        # Returns the absolute Pathname to the encrypted credentials file.
+        def credentials_path
+          if environment
+            ::Rails.root.join("config", "credentials", "#{environment}.yml.enc")
+          else
+            ::Rails.root.join("config", "credentials.yml.enc")
+          end
+        end
+
+        # Returns the absolute Pathname to the encryption key file.
+        def key_path
+          if environment
+            ::Rails.root.join("config", "credentials", "#{environment}.key")
+          else
+            ::Rails.root.join("config", "master.key")
+          end
+        end
+
+        # Returns the credentials path relative to +Rails.root+.
+        def relative_credentials_path
+          credentials_path.relative_path_from(::Rails.root)
+        end
+      end
+    end
+  end
+end

data/lib/rails/credentials/conflict/railtie.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Rails
+  module Credentials
+    module Conflict
+      # Integrates the gem with Rails by loading the rake tasks
+      # when the application boots.
+      class Railtie < Rails::Railtie
+        rake_tasks do
+          load "tasks/credentials_conflict.rake"
+        end
+      end
+    end
+  end
+end

data/lib/rails/credentials/conflict/resolver.rb

@@ -0,0 +1,122 @@
+# frozen_string_literal: true
+
+module Rails
+  module Credentials
+    module Conflict
+      # Top-level orchestrator for resolving git merge conflicts in
+      # encrypted Rails credentials files.
+      #
+      # Coordinates between PathResolver, EncryptionService,
+      # GitConflictHandler, and MergeStrategy to decrypt conflicting
+      # versions, merge them, and re-encrypt the result.
+      class Resolver
+        attr_reader :environment
+
+        def initialize(environment = nil, output: $stdout)
+          @environment = environment
+          @output = output
+          @path_resolver = PathResolver.new(environment)
+          @encryption_service = EncryptionService.new(@path_resolver.key_path)
+          @git_handler = GitConflictHandler.new(
+            @path_resolver.credentials_path,
+            @path_resolver.relative_credentials_path
+          )
+          @merge_strategy = MergeStrategy.new(@encryption_service)
+        end
+
+        # Decrypts both sides of a conflict, performs a three-way merge,
+        # and re-encrypts the resolved content. Opens an editor when
+        # automatic merge is not possible.
+        def resolve
+          @git_handler.validate_conflict!
+
+          ours_content = decrypt_version(:ours)
+          theirs_content = decrypt_version(:theirs)
+
+          if ours_content == theirs_content
+            log "No conflicts detected. Both versions are identical."
+            save_and_stage(ours_content)
+            return
+          end
+
+          base_content = get_base_version
+          labels = @git_handler.get_merge_labels
+          merge_result = @merge_strategy.create_conflict_markers(
+            ours_content,
+            base_content,
+            theirs_content,
+            labels: labels
+          )
+
+          if merge_result[:has_conflicts]
+            log "Conflicts detected. Opening editor for manual resolution..."
+            resolved_content = @merge_strategy.open_editor_for_resolution(merge_result[:content])
+
+            if @merge_strategy.has_conflict_markers?(resolved_content)
+              raise Error, "Conflict markers still present. Please resolve all conflicts."
+            end
+          else
+            log "Changes in different sections detected. Auto-merged successfully."
+            resolved_content = merge_result[:content]
+          end
+
+          @merge_strategy.validate_yaml!(resolved_content)
+          save_and_stage(resolved_content)
+          log "Credentials successfully resolved and encrypted."
+        end
+
+        # Resolves the conflict by keeping the current branch's version.
+        def yours
+          resolve_with_version(:ours, "your")
+        end
+
+        # Resolves the conflict by keeping the incoming branch's version.
+        def theirs
+          resolve_with_version(:theirs, "their")
+        end
+
+        # Resolves the conflict by keeping the common ancestor's version.
+        def base
+          resolve_with_version(:base, "base")
+        end
+
+        private
+
+        def log(message)
+          @output.puts(message)
+        end
+
+        def resolve_with_version(version, label)
+          @git_handler.validate_conflict!
+
+          encrypted_content = @git_handler.get_version(version)
+          raise Error, "No #{label} version found." if encrypted_content.empty?
+
+          content = @encryption_service.decrypt(encrypted_content)
+          save_and_stage(content)
+          log "Kept #{label} version of credentials."
+        end
+
+        def decrypt_version(version)
+          encrypted_content = @git_handler.get_version(version)
+          @encryption_service.decrypt(encrypted_content)
+        end
+
+        def get_base_version
+          base_encrypted = @git_handler.get_version(:base)
+          return "" if base_encrypted.empty?
+
+          @encryption_service.decrypt(base_encrypted)
+        rescue StandardError => e
+          log "Warning: Could not decrypt base version (#{e.message}). Using empty base."
+          ""
+        end
+
+        def save_and_stage(content)
+          @encryption_service.save_encrypted(content, @path_resolver.credentials_path)
+          @git_handler.stage_resolved_file!
+        end
+      end
+    end
+  end
+end

data/lib/rails/credentials/conflict/version.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Rails
+  module Credentials
+    module Conflict
+      VERSION = "0.1.0"
+    end
+  end
+end

data/lib/rails/credentials/conflict.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require_relative "conflict/version"
+require_relative "conflict/path_resolver"
+require_relative "conflict/encryption_service"
+require_relative "conflict/git_conflict_handler"
+require_relative "conflict/merge_strategy"
+require_relative "conflict/resolver"
+require_relative "conflict/railtie" if defined?(Rails::Railtie)
+
+module Rails
+  module Credentials
+    # Provides tooling to resolve git merge conflicts in Rails
+    # encrypted credentials files by decrypting, merging, and
+    # re-encrypting them.
+    module Conflict
+      class Error < StandardError; end
+    end
+  end
+end

data/lib/tasks/credentials_conflict.rake

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require "rails/credentials/conflict/resolver"
+
+namespace :credentials do
+  namespace :conflict do
+    desc "Resolve credentials conflict by decrypting and merging"
+    task :resolve, [:environment] => :environment do |_t, args|
+      Rails::Credentials::Conflict::Resolver.new(args[:environment]).resolve
+    rescue Rails::Credentials::Conflict::Error => e
+      abort e.message
+    end
+
+    desc "Resolve credentials conflict by keeping yours (usage: rails credentials:conflict:yours[environment])"
+    task :yours, [:environment] => :environment do |_t, args|
+      Rails::Credentials::Conflict::Resolver.new(args[:environment]).yours
+    rescue Rails::Credentials::Conflict::Error => e
+      abort e.message
+    end
+
+    desc "Resolve credentials conflict by keeping theirs (usage: rails credentials:conflict:theirs[environment])"
+    task :theirs, [:environment] => :environment do |_t, args|
+      Rails::Credentials::Conflict::Resolver.new(args[:environment]).theirs
+    rescue Rails::Credentials::Conflict::Error => e
+      abort e.message
+    end
+
+    desc "Resolve credentials conflict by keeping base version (usage: rails credentials:conflict:base[environment])"
+    task :base, [:environment] => :environment do |_t, args|
+      Rails::Credentials::Conflict::Resolver.new(args[:environment]).base
+    rescue Rails::Credentials::Conflict::Error => e
+      abort e.message
+    end
+  end
+end

data/rbs_collection.lock.yaml

@@ -0,0 +1,224 @@
+---
+path: ".gem_rbs_collection"
+gems:
+- name: actionpack
+  version: '7.2'
+  source:
+    type: git
+    name: ruby/gem_rbs_collection
+    revision: 5aeae33367fa324abf3a4ef912f4e27aaf17f6b9
+    remote: https://github.com/ruby/gem_rbs_collection.git
+    repo_dir: gems
+- name: actionview
+  version: '6.0'
+  source:
+    type: git
+    name: ruby/gem_rbs_collection
+    revision: 5aeae33367fa324abf3a4ef912f4e27aaf17f6b9
+    remote: https://github.com/ruby/gem_rbs_collection.git
+    repo_dir: gems
+- name: activesupport
+  version: '7.0'
+  source:
+    type: git
+    name: ruby/gem_rbs_collection
+    revision: 5aeae33367fa324abf3a4ef912f4e27aaf17f6b9
+    remote: https://github.com/ruby/gem_rbs_collection.git
+    repo_dir: gems
+- name: base64
+  version: 0.3.0
+  source:
+    type: rubygems
+- name: bigdecimal
+  version: '3.1'
+  source:
+    type: git
+    name: ruby/gem_rbs_collection
+    revision: 5aeae33367fa324abf3a4ef912f4e27aaf17f6b9
+    remote: https://github.com/ruby/gem_rbs_collection.git
+    repo_dir: gems
+- name: cgi
+  version: '0'
+  source:
+    type: stdlib
+- name: concurrent-ruby
+  version: '1.1'
+  source:
+    type: git
+    name: ruby/gem_rbs_collection
+    revision: 5aeae33367fa324abf3a4ef912f4e27aaf17f6b9
+    remote: https://github.com/ruby/gem_rbs_collection.git
+    repo_dir: gems
+- name: connection_pool
+  version: '2.4'
+  source:
+    type: git
+    name: ruby/gem_rbs_collection
+    revision: 5aeae33367fa324abf3a4ef912f4e27aaf17f6b9
+    remote: https://github.com/ruby/gem_rbs_collection.git
+    repo_dir: gems
+- name: date
+  version: '0'
+  source:
+    type: stdlib
+- name: digest
+  version: '0'
+  source:
+    type: stdlib
+- name: erb
+  version: '0'
+  source:
+    type: stdlib
+- name: fileutils
+  version: '0'
+  source:
+    type: stdlib
+- name: i18n
+  version: '1.10'
+  source:
+    type: git
+    name: ruby/gem_rbs_collection
+    revision: 5aeae33367fa324abf3a4ef912f4e27aaf17f6b9
+    remote: https://github.com/ruby/gem_rbs_collection.git
+    repo_dir: gems
+- name: io-console
+  version: '0'
+  source:
+    type: stdlib
+- name: json
+  version: '0'
+  source:
+    type: stdlib
+- name: logger
+  version: '0'
+  source:
+    type: stdlib
+- name: minitest
+  version: '5.25'
+  source:
+    type: git
+    name: ruby/gem_rbs_collection
+    revision: 5aeae33367fa324abf3a4ef912f4e27aaf17f6b9
+    remote: https://github.com/ruby/gem_rbs_collection.git
+    repo_dir: gems
+- name: monitor
+  version: '0'
+  source:
+    type: stdlib
+- name: nokogiri
+  version: '1.11'
+  source:
+    type: git
+    name: ruby/gem_rbs_collection
+    revision: 5aeae33367fa324abf3a4ef912f4e27aaf17f6b9
+    remote: https://github.com/ruby/gem_rbs_collection.git
+    repo_dir: gems
+- name: openssl
+  version: '0'
+  source:
+    type: stdlib
+- name: pp
+  version: '0'
+  source:
+    type: stdlib
+- name: prettyprint
+  version: '0'
+  source:
+    type: stdlib
+- name: rack
+  version: '2.2'
+  source:
+    type: git
+    name: ruby/gem_rbs_collection
+    revision: 5aeae33367fa324abf3a4ef912f4e27aaf17f6b9
+    remote: https://github.com/ruby/gem_rbs_collection.git
+    repo_dir: gems
+- name: rails-dom-testing
+  version: '2.0'
+  source:
+    type: git
+    name: ruby/gem_rbs_collection
+    revision: 5aeae33367fa324abf3a4ef912f4e27aaf17f6b9
+    remote: https://github.com/ruby/gem_rbs_collection.git
+    repo_dir: gems
+- name: rails-html-sanitizer
+  version: '1.6'
+  source:
+    type: git
+    name: ruby/gem_rbs_collection
+    revision: 5aeae33367fa324abf3a4ef912f4e27aaf17f6b9
+    remote: https://github.com/ruby/gem_rbs_collection.git
+    repo_dir: gems
+- name: railties
+  version: '6.0'
+  source:
+    type: git
+    name: ruby/gem_rbs_collection
+    revision: 5aeae33367fa324abf3a4ef912f4e27aaf17f6b9
+    remote: https://github.com/ruby/gem_rbs_collection.git
+    repo_dir: gems
+- name: rake
+  version: '13.0'
+  source:
+    type: git
+    name: ruby/gem_rbs_collection
+    revision: 5aeae33367fa324abf3a4ef912f4e27aaf17f6b9
+    remote: https://github.com/ruby/gem_rbs_collection.git
+    repo_dir: gems
+- name: rdoc
+  version: '0'
+  source:
+    type: stdlib
+- name: securerandom
+  version: '0'
+  source:
+    type: stdlib
+- name: singleton
+  version: '0'
+  source:
+    type: stdlib
+- name: socket
+  version: '0'
+  source:
+    type: stdlib
+- name: stringio
+  version: '0'
+  source:
+    type: stdlib
+- name: tempfile
+  version: '0'
+  source:
+    type: stdlib
+- name: thor
+  version: '1.2'
+  source:
+    type: git
+    name: ruby/gem_rbs_collection
+    revision: 5aeae33367fa324abf3a4ef912f4e27aaf17f6b9
+    remote: https://github.com/ruby/gem_rbs_collection.git
+    repo_dir: gems
+- name: time
+  version: '0'
+  source:
+    type: stdlib
+- name: timeout
+  version: '0'
+  source:
+    type: stdlib
+- name: tsort
+  version: '0'
+  source:
+    type: stdlib
+- name: tzinfo
+  version: '2.0'
+  source:
+    type: git
+    name: ruby/gem_rbs_collection
+    revision: 5aeae33367fa324abf3a4ef912f4e27aaf17f6b9
+    remote: https://github.com/ruby/gem_rbs_collection.git
+    repo_dir: gems
+- name: uri
+  version: '0'
+  source:
+    type: stdlib
+gemfile_lock_path: Gemfile.lock

data/rbs_collection.yaml

@@ -0,0 +1,19 @@
+# Download sources
+sources:
+  - type: git
+    name: ruby/gem_rbs_collection
+    remote: https://github.com/ruby/gem_rbs_collection.git
+    revision: main
+    repo_dir: gems
+
+# You can specify local directories as sources also.
+# - type: local
+#   path: path/to/your/local/repository
+
+# A directory to install the downloaded RBSs
+path: .gem_rbs_collection
+
+# gems:
+#   # If you want to avoid installing rbs files for gems, you can specify them here.
+#   - name: GEM_NAME
+#     ignore: true

data/sig/rails/credentials/conflict/encryption_service.rbs

@@ -0,0 +1,31 @@
+module Rails
+  module Credentials
+    module Conflict
+      class EncryptionService
+        CIPHER: String
+
+        @key_path: (String | Pathname)
+        @env_key: String
+        @encryptor: ActiveSupport::MessageEncryptor?
+
+        def initialize: ((String | Pathname) key_path, ?env_key: String) -> void
+
+        def decrypt: (String? encrypted_content) -> String
+
+        def encrypt: (String content) -> String
+
+        def save_encrypted: (String content, (String | Pathname) destination_path) -> Integer
+
+        private
+
+        def encryptor: () -> ActiveSupport::MessageEncryptor
+
+        def read_key: () -> String
+
+        def key_from_env: () -> String?
+
+        def key_from_file: () -> String?
+      end
+    end
+  end
+end

data/sig/rails/credentials/conflict/git_conflict_handler.rbs

@@ -0,0 +1,44 @@
+module Rails
+  module Credentials
+    module Conflict
+      class GitConflictHandler
+        type version = :base | :ours | :theirs
+
+        type merge_labels = { ours: String, base: String, theirs: String }
+
+        STAGE_BASE: Integer
+        STAGE_OURS: Integer
+        STAGE_THEIRS: Integer
+
+        @credentials_path: String
+        @relative_path: String
+
+        def initialize: ((String | Pathname) credentials_path, (String | Pathname) relative_path) -> void
+
+        def validate_conflict!: () -> void
+
+        def get_version: (version version) -> String
+
+        def stage_resolved_file!: () -> void
+
+        def get_merge_labels: () -> merge_labels
+
+        private
+
+        def stage_for_version: (version version) -> Integer
+
+        def detect_head_ref: () -> String
+
+        def build_label: (String branch_name, String commit_sha) -> String
+
+        def get_current_branch: () -> String
+
+        def get_incoming_branch: (String head_ref) -> String
+
+        def get_short_sha: (String ref) -> String
+
+        def get_merge_base_sha: (String head_ref) -> String
+      end
+    end
+  end
+end

data/sig/rails/credentials/conflict/merge_strategy.rbs

@@ -0,0 +1,35 @@
+module Rails
+  module Credentials
+    module Conflict
+      class MergeStrategy
+        type merge_result = { content: String, has_conflicts: bool }
+
+        type merge_labels = { ours: String, base: String, theirs: String }
+
+        CONFLICT_MARKER_START: String
+        CONFLICT_MARKER_END: String
+
+        @encryption_service: EncryptionService
+
+        def initialize: (EncryptionService encryption_service) -> void
+
+        def create_conflict_markers: (
+          String ours_content,
+          String base_content,
+          String theirs_content,
+          labels: merge_labels
+        ) -> merge_result
+
+        def has_conflict_markers?: (String content) -> bool
+
+        def validate_yaml!: (String content) -> void
+
+        def open_editor_for_resolution: (String merged_content) -> String
+
+        private
+
+        def with_temp_files: (*String contents) { (*String paths) -> untyped } -> untyped
+      end
+    end
+  end
+end

data/sig/rails/credentials/conflict/path_resolver.rbs

@@ -0,0 +1,19 @@
+module Rails
+  module Credentials
+    module Conflict
+      class PathResolver
+        attr_reader environment: String?
+
+        @environment: String?
+
+        def initialize: (?String? environment) -> void
+
+        def credentials_path: () -> Pathname
+
+        def key_path: () -> Pathname
+
+        def relative_credentials_path: () -> Pathname
+      end
+    end
+  end
+end

data/sig/rails/credentials/conflict/railtie.rbs

@@ -0,0 +1,8 @@
+module Rails
+  module Credentials
+    module Conflict
+      class Railtie < Rails::Railtie
+      end
+    end
+  end
+end

data/sig/rails/credentials/conflict/resolver.rbs

@@ -0,0 +1,38 @@
+module Rails
+  module Credentials
+    module Conflict
+      class Resolver
+        attr_reader environment: String?
+
+        @environment: String?
+        @output: IO | StringIO
+        @path_resolver: PathResolver
+        @encryption_service: EncryptionService
+        @git_handler: GitConflictHandler
+        @merge_strategy: MergeStrategy
+
+        def initialize: (?String? environment, ?output: (IO | StringIO)) -> void
+
+        def resolve: () -> void
+
+        def yours: () -> void
+
+        def theirs: () -> void
+
+        def base: () -> void
+
+        private
+
+        def log: (String message) -> void
+
+        def resolve_with_version: (GitConflictHandler::version version, String label) -> void
+
+        def decrypt_version: (GitConflictHandler::version version) -> String
+
+        def get_base_version: () -> String
+
+        def save_and_stage: (String content) -> void
+      end
+    end
+  end
+end

data/sig/rails/credentials/conflict.rbs

@@ -0,0 +1,10 @@
+module Rails
+  module Credentials
+    module Conflict
+      VERSION: String
+
+      class Error < StandardError
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,95 @@
+--- !ruby/object:Gem::Specification
+name: rails-credentials-conflict
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- jwo1f
+bindir: exe
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '6.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '6.0'
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '6.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '6.0'
+description: A gem that helps resolve git merge conflicts in Rails encrypted credentials
+  by decrypting, merging, and re-encrypting the files.
+email:
+- ''
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/rails/credentials/conflict.rb
+- lib/rails/credentials/conflict/encryption_service.rb
+- lib/rails/credentials/conflict/git_conflict_handler.rb
+- lib/rails/credentials/conflict/merge_strategy.rb
+- lib/rails/credentials/conflict/path_resolver.rb
+- lib/rails/credentials/conflict/railtie.rb
+- lib/rails/credentials/conflict/resolver.rb
+- lib/rails/credentials/conflict/version.rb
+- lib/tasks/credentials_conflict.rake
+- rbs_collection.lock.yaml
+- rbs_collection.yaml
+- sig/rails/credentials/conflict.rbs
+- sig/rails/credentials/conflict/encryption_service.rbs
+- sig/rails/credentials/conflict/git_conflict_handler.rbs
+- sig/rails/credentials/conflict/merge_strategy.rbs
+- sig/rails/credentials/conflict/path_resolver.rbs
+- sig/rails/credentials/conflict/railtie.rbs
+- sig/rails/credentials/conflict/resolver.rbs
+homepage: https://github.com/jwo1f/rails-credentials-conflict
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/jwo1f/rails-credentials-conflict
+  source_code_uri: https://github.com/jwo1f/rails-credentials-conflict
+  changelog_uri: https://github.com/jwo1f/rails-credentials-conflict/blob/main/CHANGELOG.md
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.1.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 4.0.0
+specification_version: 4
+summary: Resolve Rails encrypted credentials conflicts during git merges
+test_files: []