rails_outofband_keys 0.1.1 → 0.1.2

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: c028a4ebdbf7196c3cdaa3279dfda0dd8d5d75d25a9b662c847847d650087b1d
4
- data.tar.gz: 6d393b4056c6e6bfd9b63f7bdbb7dbba10a29544ca833a7e09109d71498f59c1
3
+ metadata.gz: ba17a3f37978f5480cbfe4eaf2c9b630fb977d87d38adadc800f096c28d17463
4
+ data.tar.gz: 3bb26e6d5e3167a057ddfc290c5f1dc58ee32fa706ed98b47036ee6cb2076354
5
5
  SHA512:
6
- metadata.gz: 8d0f2b467ced1b33e8e139843413f4e1f0c21e524a73eb41985dba3c75091a9d8818bd87976b21cab592ca4f5d325e426991720ef7d3cd62b36347ab96597202
7
- data.tar.gz: 642e1b15c124d6dc4fee45991c69fee2b36ef486f6428a61b7844b371350c1b9de55b07f70d8b70e4dfd11a56ae0e5ef4ca30ebee770f65688cdaa7cab10f485
6
+ metadata.gz: fc1f6e8e74b6a7a4db2de13548afc0a1457ce7efd83af383dbadf94b9b82bb4d18463a4ca51299811b7e6b3730c8b4bb84d2b39b4fad07e12c56e4bee231c7a8
7
+ data.tar.gz: dcd71239e65d5fc21d89ffa94d409610b7ab3cb599ce1a139746cd4247ea60cb2560da0c15e0db67be6ed901e4355e779ee23a9b45c01340a6632430fa63dfc5
data/README.md CHANGED
@@ -1,21 +1,36 @@
1
1
  # rails_outofband_keys
2
2
 
3
- `rails_outofband_keys` is a Rails plugin that changes **how Rails finds your credentials key files** (e.g., `production.key` or `master.key`). It allows you to keep these sensitive keys **outside of your project directory and git tree** (e.g., in `~/.config/`).
3
+ `rails_outofband_keys` is a Rails plugin that changes **how Rails finds your credentials key files** (e.g., `production.key` or `master.key`). It allows you to keep these sensitive keys **outside of your project directory and git tree** (for example, under `~/.config/`).
4
4
 
5
- It does **not** replace Rails credentials, change where `credentials.yml.enc` lives, or alter how encryption works. It only dynamically configures `config.credentials.key_path` during the boot process.
5
+ It does **not** replace Rails credentials, change where `credentials.yml.enc` lives, or alter how encryption works. It only configures `config.credentials.key_path` during the boot process.
6
+
7
+ ## Why did I make this?
8
+
9
+ Encrypted credentials are a solid default. They simplify onboarding, move teams away from risky `.env` files, and give Rails a single, consistent way to manage secrets.
10
+
11
+ But the system is only as strong as how the encryption keys are handled.
12
+
13
+ In Rails, it’s standard practice to store credentials keys next to the encrypted files and rely on `.gitignore` to keep them out of version control. That works — until it doesn’t. It assumes perfect developer hygiene and assumes your tooling will always respect ignore rules.
14
+
15
+ Modern AI assistants and agentic tools break that assumption. These tools upload project files to the cloud and often execute commands directly inside your repo. Even ignored files are now a single `grep` or accidental read away from exposure.
16
+
17
+ Moving encryption keys out of the project directory is a simple, effective risk reduction. It’s one of the baseline requirements I set before allowing agentic tooling on my team, alongside credential redaction in logs and exceptions.
18
+
19
+ This gem exists to make that safer pattern easy and boring.
6
20
 
7
21
  ## Resolution Order
8
22
 
9
23
  1. If `RAILS_MASTER_KEY` is set in the environment, Rails uses it (this gem does nothing).
10
24
  2. If `RAILS_CREDENTIALS_KEY_DIR` is set, it is used as the base directory for the app.
11
25
  3. If `RAILS_OUTOFBAND_BASE_DIR` is set, it is used as the global base directory.
12
- 4. Otherwise, the gem fallbacks to OS defaults:
13
- - **Linux/macOS**: XDG config directory (`~/.config` fallback)
14
- - **Windows**: `%AppData%`
26
+ 4. Otherwise, the gem falls back to OS defaults:
27
+ - **Linux/macOS**: XDG config directory (`~/.config` fallback)
28
+ - **Windows**: `%AppData%`
15
29
 
16
30
  The final path is constructed as:
17
- `base_directory / root_subdir / credentials_subdir / <environment>.key`
18
- `base_directory / root_subdir / credentials_subdir / master.key`
31
+
32
+ - `base_directory / root_subdir / credentials_subdir / <environment>.key`
33
+ - `base_directory / root_subdir / credentials_subdir / master.key`
19
34
 
20
35
  ## Configuration
21
36
 
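Review bot: the new "Why did I make this?" section motivates the gem with tools that "execute commands directly inside your repo", but the step 4 defaults place the key under `~/.config` or `%AppData%`, which any command running as the same user can still read, and step 1 leaves `RAILS_MASTER_KEY` readable from the process environment. The section should state which exposure the move removes (project-scoped reads, uploads and searches of the working tree) and which it does not (arbitrary command execution under the developer's account), so readers do not treat the relocation as a containment boundary.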
@@ -41,9 +56,9 @@ On Unix-like systems, key files **must** have secure permissions. They must be o
41
56
  Add the gem to your Gemfile:
42
57
 
43
58
  ```ruby
44
- gem "rails_outofband_keys", git: "git@github.com:lholden/rails_outofband_keys.git", tag: "v0.1.1"
59
+ gem "rails_outofband_keys", "~> 0.1.1"
45
60
  ```
46
61
 
47
62
  ## License
48
63
 
49
- MIT
64
+ MIT
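Review bot: the install snippet's new line `gem "rails_outofband_keys", "~> 0.1.1"` names 0.1.1 in a release whose version is 0.1.2. The constraint still resolves to 0.1.2, so nothing breaks, but a README shipped inside 0.1.2 should show `"~> 0.1.2"` so that copied Gemfile lines set the floor at the release the documentation describes. Updating this line belongs in the release checklist next to the `VERSION` bump.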
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module RailsOutofbandKeys
4
- VERSION = "0.1.1"
4
+ VERSION = "0.1.2"
5
5
  end
metadata CHANGED
@@ -1,13 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rails_outofband_keys
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.1
4
+ version: 0.1.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Lori Holden
8
+ autorequire:
8
9
  bindir: bin
9
10
  cert_chain: []
10
- date: 1980-01-02 00:00:00.000000000 Z
11
+ date: 2025-12-24 00:00:00.000000000 Z
11
12
  dependencies:
12
13
  - !ruby/object:Gem::Dependency
13
14
  name: railties
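Review bot: the `date:` line now records the packaging day (2025-12-24) where 0.1.1 carried the fixed value 1980-01-02, so rebuilding the same source on a different day yields a different metadata.gz and different checksums. Setting `SOURCE_DATE_EPOCH` in the release build keeps this field stable and lets consumers reproduce the published hashes from the tagged source.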
@@ -38,8 +39,11 @@ dependencies:
38
39
  - !ruby/object:Gem::Version
39
40
  version: '2.2'
40
41
  description: |
41
- Configures Rails credentials key_path to load environment/master key files
42
- from an out-of-band directory (XDG on Unix/MacOS, AppData on Windows).
42
+ Configures Rails to load credentials master and environment key files from an out-of-band location
43
+ (XDG on Linux/macOS, AppData on Windows) instead of the project directory.
44
+
45
+ This reduces the risk of key exposure from tooling that reads or executes within your repo,
46
+ including modern AI assistants and agentic tools.
43
47
  email:
44
48
  - git@loriholden.com
45
49
  executables: []
@@ -58,6 +62,9 @@ licenses:
58
62
  - MIT
59
63
  metadata:
60
64
  rubygems_mfa_required: 'true'
65
+ homepage_uri: https://github.com/lholden/rails_outofband_keys
66
+ source_code_uri: https://github.com/lholden/rails_outofband_keys
67
+ post_install_message:
61
68
  rdoc_options: []
62
69
  require_paths:
63
70
  - lib
@@ -72,8 +79,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
72
79
  - !ruby/object:Gem::Version
73
80
  version: '0'
74
81
  requirements: []
75
- rubygems_version: 4.0.2
82
+ rubygems_version: 3.5.23
83
+ signing_key:
76
84
  specification_version: 4
77
- summary: Resolve Rails credentials key files outside the project tree (XDG/AppData
78
- + overrides).
85
+ summary: Load Rails credentials keys from outside your repo.
79
86
  test_files: []
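Review bot: `rubygems_version` moves backwards from 4.0.2 to 3.5.23, so 0.1.2 was packaged with an older toolchain than 0.1.1, and the new empty `signing_key:` line appears alongside that switch rather than from any change in the gemspec shown here. Pin and document the RubyGems version used for release builds so that someone diffing published versions can tell packaging noise from intended metadata changes.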