secvault 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 67a57fa1ebe481bab8c9f5f4d9f6d0af27250e4d2c145641c125cd61f88018d0
+  data.tar.gz: 8613ed6d87bf067ad69bde7d80d8623a30b6dfb36280ddfe431b236198e63e2c
+SHA512:
+  metadata.gz: 3013b492cec7b62296815ea239dc398de08806532ca995de383324a62fd9689e44ae62c744365dbcd29e1158b94b204f2b1522986c5e2d9b1e0d024cab3c871d
+  data.tar.gz: 2c74fa262a228253393a7b5818cb6d59554b67fb6ecbfac37d018c271fea9d6ca38d6c8b2cd84d253e16c42d4b28144c6059a1ee5e297d950db2954de6a5285b

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.standard.yml

@@ -0,0 +1,3 @@
+# For available configuration options, see:
+#   https://github.com/standardrb/standard
+ruby_version: 3.0

data/CHANGELOG.md

@@ -0,0 +1,23 @@
+## [Unreleased]
+
+## [1.0.0] - 2025-09-22
+
+### Added
+
+- Initial release of Secvault gem
+- Rails secrets.yml functionality for Rails 7.2+
+- Encrypted secrets.yml support using Rails' built-in encryption
+- Environment-specific secrets management
+- ERB template support in secrets files
+- Rake tasks for secrets management:
+  - `rake secvault:setup` - Create encrypted secrets file
+  - `rake secvault:edit` - Edit encrypted secrets
+  - `rake secvault:show` - Display decrypted secrets
+- Rails generator for creating secrets files
+- Automatic integration with Rails.application.secrets
+- Support for both encrypted and plain YAML secrets files
+- Key management with config/secrets.yml.key
+- Environment variable fallback for encryption key
+- Comprehensive error handling for missing/invalid keys
+- Full test coverage with RSpec
+- Detailed documentation and usage examples

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,132 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, color, religion, or sexual
+identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall
+  community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or advances of
+  any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email address,
+  without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official email address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+[INSERT CONTACT METHOD].
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of
+actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or permanent
+ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the
+community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
+
+Community Impact Guidelines were inspired by
+[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
+
+For answers to common questions about this code of conduct, see the FAQ at
+[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
+[https://www.contributor-covenant.org/translations][translations].
+
+[homepage]: https://www.contributor-covenant.org
+[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
+[Mozilla CoC]: https://github.com/mozilla/diversity
+[FAQ]: https://www.contributor-covenant.org/faq
+[translations]: https://www.contributor-covenant.org/translations

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2025 Unnikrishnan KP
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,209 @@
+# Secvault
+
+**Secvault** restores the classic Rails `secrets.yml` functionality that was removed in Rails 7.2, allowing you to manage encrypted secrets using the familiar YAML-based approach.
+
+## Why Secvault?
+
+Rails 7.2 removed the `secrets.yml` functionality completely in favor of credentials. However, many teams prefer the simplicity and familiarity of `secrets.yml` for managing environment-specific secrets. Secvault brings this functionality back with modern encryption support.
+
+## Features
+
+- 🔐 **Encrypted secrets.yml** - Uses Rails' built-in encryption system
+- 🔑 **Key management** - Secure key generation and management
+- 🌍 **Environment-specific** - Different secrets for development, test, and production
+- 📝 **ERB support** - Use ERB templates in your secrets files
+- 🛠️ **Rake tasks** - Easy management with built-in rake tasks
+- 🚀 **Rails 7.2+ compatible** - Works seamlessly with modern Rails
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'secvault'
+```
+
+And then execute:
+
+```bash
+$ bundle install
+```
+
+## Setup
+
+### 1. Generate secrets file
+
+Run the setup task to create your encrypted `secrets.yml`:
+
+```bash
+$ rake secvault:setup
+```
+
+This will:
+- Generate `config/secrets.yml.key` (keep this secure!)
+- Create an encrypted `config/secrets.yml` with default content
+- Remind you to add the key file to `.gitignore`
+
+Alternatively, use the Rails generator:
+
+```bash
+$ rails generate secvault:secrets
+```
+
+### 2. Add key to .gitignore
+
+Ensure your encryption key is not committed to version control:
+
+```bash
+echo "/config/secrets.yml.key" >> .gitignore
+```
+
+## Usage
+
+### Editing secrets
+
+Edit your encrypted secrets file:
+
+```bash
+$ rake secvault:edit
+```
+
+This opens the decrypted file in your `$EDITOR`.
+
+### Viewing secrets
+
+View the decrypted content:
+
+```bash
+$ rake secvault:show
+```
+
+### Accessing secrets in your application
+
+Secrets are automatically loaded into `Rails.application.secrets`:
+
+```ruby
+# In your Rails application
+Rails.application.secrets.secret_key_base
+Rails.application.secrets.api_key
+Rails.application.secrets.database_password
+```
+
+### Example secrets.yml structure
+
+```yaml
+# config/secrets.yml (encrypted)
+development:
+  secret_key_base: your_development_secret
+  api_key: dev_api_key
+  database_password: dev_password
+
+test:
+  secret_key_base: your_test_secret
+  api_key: test_api_key
+  database_password: test_password
+
+production:
+  secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
+  api_key: <%= ENV['API_KEY'] %>
+  database_password: <%= ENV['DATABASE_PASSWORD'] %>
+```
+
+### Environment variable fallback
+
+You can set the encryption key via environment variable:
+
+```bash
+export RAILS_SECRETS_KEY=your_encryption_key
+```
+
+## Production Deployment
+
+### Option 1: Environment Variable
+
+Set the encryption key as an environment variable:
+
+```bash
+export RAILS_SECRETS_KEY=your_encryption_key
+```
+
+### Option 2: Key File
+
+Securely copy `config/secrets.yml.key` to your production server.
+
+### Docker
+
+For Docker deployments, you can pass the key as an environment variable:
+
+```dockerfile
+ENV RAILS_SECRETS_KEY=your_encryption_key
+```
+
+## Rake Tasks
+
+| Task | Description |
+|------|-------------|
+| `rake secvault:setup` | Create encrypted secrets.yml and key |
+| `rake secvault:edit` | Edit the encrypted secrets file |
+| `rake secvault:show` | Display decrypted secrets content |
+
+## Migration from Rails < 7.2
+
+If you're upgrading from an older Rails version that had `secrets.yml`:
+
+1. Install secvault: `bundle add secvault`
+2. Encrypt existing secrets: `rake secvault:setup`
+3. Copy your existing secrets content using `rake secvault:edit`
+4. Remove the old plain-text `config/secrets.yml`
+
+## Security Best Practices
+
+- ✅ **Never commit** `config/secrets.yml.key` to version control
+- ✅ **Use environment variables** for production secrets when possible  
+- ✅ **Rotate keys** periodically
+- ✅ **Use strong, unique keys** for each environment
+- ✅ **Limit access** to key files in production
+
+## Troubleshooting
+
+### Missing Key Error
+
+```
+Missing encryption key to decrypt secrets.yml
+```
+
+**Solution**: Ensure `config/secrets.yml.key` exists or set `RAILS_SECRETS_KEY` environment variable.
+
+### Invalid Key Error
+
+```
+Invalid encryption key for secrets.yml
+```
+
+**Solution**: The key doesn't match the encrypted file. Verify you're using the correct key.
+
+### File Not Found
+
+```
+Secrets file doesn't exist
+```
+
+**Solution**: Run `rake secvault:setup` to create the secrets file.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests.
+
+To install this gem onto your local machine, run `bundle exec rake install`.
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/unnitallman/secvault.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+## Code of Conduct
+
+Everyone interacting in the Secvault project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/secvault/blob/main/CODE_OF_CONDUCT.md).

data/Rakefile

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+require "standard/rake"
+
+task default: %i[spec standard]

data/lib/secvault/generators/secrets_generator.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+require "rails/generators/base"
+require "active_support/encrypted_file"
+require "securerandom"
+
+module Secvault
+  module Generators
+    class SecretsGenerator < Rails::Generators::Base
+      source_root File.expand_path("templates", __dir__)
+
+      desc "Creates a secrets.yml file for encrypted secrets management"
+
+      class_option :force, type: :boolean, default: false, desc: "Overwrite existing secrets.yml"
+
+      def create_secrets_file
+        secrets_path = Rails.root.join("config/secrets.yml")
+        key_path = Rails.root.join("config/secrets.yml.key")
+
+        if secrets_path.exist? && !options[:force]
+          say "Secrets file already exists at config/secrets.yml", :yellow
+          return
+        end
+
+        # Generate encryption key
+        unless key_path.exist?
+          key = ActiveSupport::EncryptedFile.generate_key
+          File.write(key_path, key)
+          say "Generated encryption key in config/secrets.yml.key", :green
+        end
+
+        # Create encrypted secrets file with template
+        encrypted_file = ActiveSupport::EncryptedFile.new(
+          content_path: secrets_path,
+          key_path: key_path,
+          env_key: "RAILS_SECRETS_KEY",
+          raise_if_missing_key: true
+        )
+
+        # Write default content
+        default_content = generate_default_secrets
+        encrypted_file.write(default_content)
+
+        say "Created encrypted secrets.yml file", :green
+        say "Add config/secrets.yml.key to your .gitignore file", :yellow
+      end
+
+      def add_to_gitignore
+        gitignore_path = Rails.root.join(".gitignore")
+        key_entry = "/config/secrets.yml.key"
+
+        if gitignore_path.exist?
+          gitignore_content = File.read(gitignore_path)
+          unless gitignore_content.include?(key_entry)
+            File.open(gitignore_path, "a") do |f|
+              f.puts "\n# Ignore encrypted secrets key"
+              f.puts key_entry
+            end
+            say "Added secrets key to .gitignore", :green
+          end
+        end
+      end
+
+      private
+
+      def generate_default_secrets
+        <<~YAML
+          # Be sure to restart your server when you modify this file.
+          
+          # Your secret key is used for verifying the integrity of signed cookies.
+          # If you change this key, all old signed cookies will become invalid!
+          
+          # Make sure the secret is at least 30 characters and all random,
+          # no regular words or you'll be exposed to dictionary attacks.
+          # You can use `rails secret` to generate a secure secret key.
+          
+          # Make sure the secrets in this file are kept private
+          # if you're sharing your code publicly.
+          
+          development:
+            secret_key_base: #{SecureRandom.hex(64)}
+          
+          test:
+            secret_key_base: #{SecureRandom.hex(64)}
+          
+          # Do not keep production secrets in the repository,
+          # instead read values from the environment.
+          production:
+            secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
+        YAML
+      end
+    end
+  end
+end

data/lib/secvault/railtie.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require "rails/railtie"
+
+module Secvault
+  class Railtie < Rails::Railtie
+    railtie_name :secvault
+
+    initializer "secvault.initialize" do |app|
+      Secvault::Secrets.setup(app)
+    end
+
+    generators do
+      require "secvault/generators/secrets_generator"
+    end
+
+    rake_tasks do
+      load "secvault/tasks.rake"
+    end
+  end
+end

data/lib/secvault/secrets.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+require "active_support/encrypted_file"
+require "active_support/core_ext/hash/keys"
+require "active_support/core_ext/object/blank"
+require "pathname"
+require "erb"
+require "yaml"
+
+module Secvault
+  class Secrets
+    class << self
+      def setup(app)
+        secrets_path = app.root.join("config/secrets.yml")
+        key_path = app.root.join("config/secrets.yml.key")
+
+        if secrets_path.exist?
+          app.config.before_configuration do
+            # Set up secrets if they exist
+            secrets = read_secrets(secrets_path, key_path, Rails.env)
+            Rails.application.secrets.merge!(secrets) if secrets
+          end
+        end
+      end
+
+      def parse(paths, env:)
+        configs = paths.collect do |path|
+          if path.exist?
+            content = encrypted?(path) ? decrypt(path) : path.read
+            YAML.safe_load(ERB.new(content).result, aliases: true) || {}
+          else
+            {}
+          end
+        end
+
+        configs.reverse.reduce do |config, overrides|
+          config.deep_merge(overrides)
+        end[env] || {}
+      end
+
+      def read_secrets(secrets_path, key_path, env)
+        if secrets_path.exist?
+          all_secrets = if key_path.exist? || encrypted?(secrets_path)
+            # Handle encrypted secrets.yml
+            decrypt_secrets(secrets_path, key_path)
+          else
+            # Handle plain YAML secrets.yml
+            YAML.safe_load(ERB.new(secrets_path.read).result, aliases: true)
+          end
+
+          env_secrets = all_secrets[env.to_s]
+          return env_secrets.deep_symbolize_keys if env_secrets
+        end
+
+        {}
+      end
+
+      def encrypted?(path)
+        # Simple heuristic to detect if file is encrypted
+        content = path.read
+        # Encrypted files typically contain non-printable characters
+        !content.valid_encoding? || content.bytes.any? { |b| b < 32 && b != 10 && b != 13 }
+      rescue
+        false
+      end
+
+      private
+
+      def decrypt_secrets(secrets_path, key_path)
+        encrypted_file = ActiveSupport::EncryptedFile.new(
+          content_path: secrets_path,
+          key_path: key_path,
+          env_key: "RAILS_SECRETS_KEY",
+          raise_if_missing_key: true
+        )
+
+        content = encrypted_file.read
+        YAML.safe_load(ERB.new(content).result, aliases: true) if content.present?
+      rescue ActiveSupport::EncryptedFile::MissingKeyError
+        raise MissingKeyError,
+          "Missing encryption key to decrypt secrets.yml. " \
+          "Ask your team for your secrets key and put it in config/secrets.yml.key"
+      rescue ActiveSupport::EncryptedFile::InvalidMessage
+        raise InvalidKeyError,
+          "Invalid encryption key for secrets.yml."
+      end
+
+      def decrypt(path)
+        key_path = Pathname.new("#{path}.key")
+        encrypted_file = ActiveSupport::EncryptedFile.new(
+          content_path: path,
+          key_path: key_path,
+          env_key: "RAILS_SECRETS_KEY",
+          raise_if_missing_key: true
+        )
+        encrypted_file.read
+      end
+    end
+  end
+end

data/lib/secvault/secrets_helper.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module Secvault
+  class SecretsHelper
+    def initialize(app)
+      @app = app
+      @secrets_path = app.root.join("config/secrets.yml")
+      @key_path = app.root.join("config/secrets.yml.key")
+    end
+
+    def secrets
+      @secrets ||= load_secrets
+    end
+
+    def [](key)
+      secrets[key.to_sym]
+    end
+
+    def fetch(key, default = nil)
+      secrets.fetch(key.to_sym, default)
+    end
+
+    def key?(key)
+      secrets.key?(key.to_sym)
+    end
+
+    def empty?
+      secrets.empty?
+    end
+
+    def to_h
+      secrets.dup
+    end
+
+    private
+
+    def load_secrets
+      return {} unless @secrets_path.exist?
+
+      env_secrets = Secvault::Secrets.read_secrets(@secrets_path, @key_path, Rails.env)
+      env_secrets || {}
+    end
+  end
+end

data/lib/secvault/tasks.rake

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+require "active_support/encrypted_file"
+require "securerandom"
+
+namespace :secvault do
+  desc "Setup encrypted secrets.yml file"
+  task setup: :environment do
+    secrets_path = Rails.root.join("config/secrets.yml")
+    key_path = Rails.root.join("config/secrets.yml.key")
+
+    if secrets_path.exist?
+      puts "Secrets file already exists at #{secrets_path}"
+    else
+      # Generate key if it doesn't exist
+      unless key_path.exist?
+        key = ActiveSupport::EncryptedFile.generate_key
+        File.write(key_path, key)
+        puts "Generated encryption key in #{key_path}"
+      end
+
+      # Create encrypted file with default content
+      encrypted_file = ActiveSupport::EncryptedFile.new(
+        content_path: secrets_path,
+        key_path: key_path,
+        env_key: "RAILS_SECRETS_KEY",
+        raise_if_missing_key: true
+      )
+
+      default_content = <<~YAML
+        # Be sure to restart your server when you modify this file.
+
+        development:
+          secret_key_base: #{SecureRandom.hex(64)}
+
+        test:
+          secret_key_base: #{SecureRandom.hex(64)}
+
+        production:
+          secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
+      YAML
+
+      encrypted_file.write(default_content)
+      puts "Created encrypted secrets.yml file"
+      puts "Add #{key_path} to your .gitignore file"
+    end
+  end
+
+  desc "Edit encrypted secrets.yml file"
+  task edit: :environment do
+    secrets_path = Rails.root.join("config/secrets.yml")
+    key_path = Rails.root.join("config/secrets.yml.key")
+
+    unless secrets_path.exist?
+      puts "Secrets file doesn't exist. Run 'rake secvault:setup' first."
+      exit 1
+    end
+
+    encrypted_file = ActiveSupport::EncryptedFile.new(
+      content_path: secrets_path,
+      key_path: key_path,
+      env_key: "RAILS_SECRETS_KEY",
+      raise_if_missing_key: true
+    )
+
+    encrypted_file.change do |tmp_path|
+      system("#{ENV["EDITOR"] || "vi"} #{tmp_path}")
+    end
+
+    puts "Updated #{secrets_path}"
+  rescue ActiveSupport::EncryptedFile::MissingKeyError
+    puts "Missing encryption key to decrypt secrets.yml."
+    puts "Ask your team for your secrets key and put it in #{key_path}"
+  rescue ActiveSupport::EncryptedFile::InvalidMessage
+    puts "Invalid encryption key for secrets.yml."
+  end
+
+  desc "Show decrypted secrets.yml content"
+  task show: :environment do
+    secrets_path = Rails.root.join("config/secrets.yml")
+    key_path = Rails.root.join("config/secrets.yml.key")
+
+    unless secrets_path.exist?
+      puts "Secrets file doesn't exist. Run 'rake secvault:setup' first."
+      exit 1
+    end
+
+    encrypted_file = ActiveSupport::EncryptedFile.new(
+      content_path: secrets_path,
+      key_path: key_path,
+      env_key: "RAILS_SECRETS_KEY",
+      raise_if_missing_key: true
+    )
+
+    puts encrypted_file.read
+  rescue ActiveSupport::EncryptedFile::MissingKeyError
+    puts "Missing encryption key to decrypt secrets.yml."
+    puts "Ask your team for your secrets key and put it in #{key_path}"
+  rescue ActiveSupport::EncryptedFile::InvalidMessage
+    puts "Invalid encryption key for secrets.yml."
+  end
+end

data/lib/secvault/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Secvault
+  VERSION = "1.0.0"
+end

data/lib/secvault.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require "rails"
+require "yaml"
+require "erb"
+require "active_support/encrypted_file"
+require "active_support/core_ext/hash/keys"
+require "zeitwerk"
+
+require_relative "secvault/version"
+
+loader = Zeitwerk::Loader.for_gem
+loader.setup
+
+module Secvault
+  class Error < StandardError; end
+  class MissingKeyError < Error; end
+  class InvalidKeyError < Error; end
+
+  extend self
+
+  def install!
+    return if Rails.env.test? || defined?(Rails::Railtie).nil?
+
+    require "secvault/railtie"
+  end
+end
+
+Secvault.install! if defined?(Rails)

data/sig/secvault.rbs

@@ -0,0 +1,4 @@
+module Secvault
+  VERSION: String
+  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+end

metadata

@@ -0,0 +1,92 @@
+--- !ruby/object:Gem::Specification
+name: secvault
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Unnikrishnan KP
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2025-09-22 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.2.0
+- !ruby/object:Gem::Dependency
+  name: zeitwerk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.6'
+description: Secvault restores the classic Rails secrets.yml functionality that was
+  removed in Rails 7.2, allowing you to manage encrypted secrets using the familiar
+  YAML-based approach.
+email:
+- unnikrishnan.kp@bigbinary.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rspec"
+- ".standard.yml"
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/secvault.rb
+- lib/secvault/generators/secrets_generator.rb
+- lib/secvault/railtie.rb
+- lib/secvault/secrets.rb
+- lib/secvault/secrets_helper.rb
+- lib/secvault/tasks.rake
+- lib/secvault/version.rb
+- sig/secvault.rbs
+homepage: https://github.com/unnitallman/secvault
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org
+  homepage_uri: https://github.com/unnitallman/secvault
+  source_code_uri: https://github.com/unnitallman/secvault
+  changelog_uri: https://github.com/unnitallman/secvault/blob/main/CHANGELOG.md
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.0.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.10
+signing_key:
+specification_version: 4
+summary: Rails secrets.yml functionality for Rails 7.2+
+test_files: []