secvault 1.0.4 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4516ca420928dd1fba6fbdd3a5b1a7def3068872f6b8a1f8ac82aac987405af0
-  data.tar.gz: 1a252a86fc1552b3c989a3d9a3ecee78fa11b14ef4989040e6d2c28f7c16819c
+  metadata.gz: 2c2c9db7124c8ac60bf772bcb42c1367f9e5a25a72c977aecc717da47ec401e8
+  data.tar.gz: a8a46d584bf49e2ec7ca1bbfc9609c64b25642406a55efaf79f7f8e5eeeccbba
 SHA512:
-  metadata.gz: fa4565bff45f90436ae9255df05282e577dead6bfbcd7c6bda821e687d91d47b07ad7bb99ea113b63c23b1b2e79f1307cdafb46be515d04f632d656e24b0c803
-  data.tar.gz: c241e60c7334f8f9c589f3151c78a75f9c9a053e849e5c5820de71d5db053fbced5b507aec5411b703c7c01dff5688393068223947719e09593a974f229862a9
+  metadata.gz: 52ffd8869e91255f41bbf5bcba424efa8ccfd2a7ec3227c97a8430cd2a21ecbf816558a966ad68afeff611889085b91af765012a9c1529c27917b56cab9aceab
+  data.tar.gz: 191341590209b60085ad54047813788e3bd809ad84791c7aacca546bbc9870a653ae6c6811bce083b8e187aae9d14f9d3bdb5b6c533b549dda356e917816828d

data/CHANGELOG.md

@@ -1,5 +1,65 @@
 ## [Unreleased]
 
+## [2.1.0] - 2025-09-22
+
+### Removed
+
+- **Removed all rake tasks** - Ultimate simplicity! No more `rake secvault:setup`, `rake secvault:edit`, or `rake secvault:show`
+- Removed `lib/secvault/tasks.rake` file entirely
+- Removed rake task loading from railtie
+
+### Changed
+
+- **Ultra-simple setup**: Just create `config/secrets.yml` with any text editor
+- Updated README to reflect manual file creation instead of rake tasks
+- Updated module documentation to show simple 3-step process
+- Cleaner railtie without task loading complexity
+
+### Benefits
+
+- **Zero dependencies on rake tasks** - works with just plain YAML files
+- **Even simpler** - no commands to remember, just edit YAML files
+- **More intuitive** - developers already know how to create and edit YAML files
+- **Less code** - removed unnecessary complexity
+
+### Tested
+
+- ✅ Rails 7.1 integration works perfectly
+- ✅ Rails 8.0 automatic setup works perfectly
+- ✅ No rake task conflicts or errors
+
+## [2.0.0] - 2025-09-22
+
+### BREAKING CHANGES
+
+- **Removed all encryption functionality** - Secvault now focuses purely on plain YAML secrets management
+- Removed ActiveSupport::EncryptedFile dependencies
+- Removed MissingKeyError and InvalidKeyError exceptions
+- Removed `encrypted?`, `decrypt`, `decrypt_secrets` methods
+- Simplified rake tasks to work with plain YAML only
+
+### Added
+
+- Simplified `rake secvault:setup` that creates plain YAML files with helpful comments
+- Better error messages and user guidance in rake tasks
+- Cleaner, more focused codebase without encryption complexity
+
+### Changed
+
+- **Major simplification**: All secrets are now stored in plain YAML files
+- Updated README to reflect plain YAML approach
+- Updated module documentation and gemspec descriptions
+- Rake tasks now use emojis and better user experience
+- Production secrets should use ERB syntax with environment variables
+
+### Benefits
+
+- Much simpler gem with single focus: plain YAML secrets management
+- No encryption keys to manage or lose
+- Easy to understand, edit, and debug secrets files
+- Perfect for development and test environments
+- Production secrets via environment variables (recommended best practice)
+
 ## [1.0.4] - 2025-09-22
 
 ### Added

data/README.md

@@ -1,278 +1,80 @@
 # Secvault
 
-**Secvault** restores the classic Rails `secrets.yml` functionality that was removed in Rails 7.2, allowing you to manage encrypted secrets using the familiar YAML-based approach.
+Restores the classic Rails `secrets.yml` functionality that was removed in Rails 7.2. Uses simple, plain YAML files for environment-specific secrets management.
 
-## Why Secvault?
-
-Rails 7.2 removed the `secrets.yml` functionality completely in favor of credentials. However, many teams prefer the simplicity and familiarity of `secrets.yml` for managing environment-specific secrets. Secvault brings this functionality back with modern encryption support.
-
-## Features
-
-- 🔐 **Encrypted secrets.yml** - Uses Rails' built-in encryption system
-- 🔑 **Key management** - Secure key generation and management
-- 🌍 **Environment-specific** - Different secrets for development, test, and production
-- 📝 **ERB support** - Use ERB templates in your secrets files
-- 🛠️ **Rake tasks** - Easy management with built-in rake tasks
-- 🚀 **Rails 7.2+ compatible** - Works seamlessly with modern Rails
+**Rails Version Support:**
+- **Rails 7.1**: Manual setup (see Rails 7.1 Integration below)
+- **Rails 7.2+**: Automatic setup
+- **Rails 8.0+**: Full compatibility
 
 ## Installation
 
-Add this line to your application's Gemfile:
-
 ```ruby
+# Gemfile
 gem 'secvault'
 ```
 
-And then execute:
-
-```bash
-$ bundle install
-```
-
-### Rails Version Compatibility
-
-- **Rails 7.2+**: Automatic setup, drop-in replacement for removed secrets functionality
-- **Rails 7.1**: Manual setup required (see Rails 7.1 Integration section below)
-- **Rails 8.0+**: Full compatibility
-
-## Setup
-
-### 1. Generate secrets file
-
-Run the setup task to create your encrypted `secrets.yml`:
-
-```bash
-$ rake secvault:setup
-```
-
-This will:
-- Generate `config/secrets.yml.key` (keep this secure!)
-- Create an encrypted `config/secrets.yml` with default content
-- Remind you to add the key file to `.gitignore`
-
-Alternatively, use the Rails generator:
-
-```bash
-$ rails generate secvault:secrets
-```
-
-### 2. Add key to .gitignore
-
-Ensure your encryption key is not committed to version control:
-
 ```bash
-echo "/config/secrets.yml.key" >> .gitignore
+bundle install
 ```
 
-## Usage
-
-### Editing secrets
-
-Edit your encrypted secrets file:
+## Quick Start (Rails 7.2+)
 
 ```bash
-$ rake secvault:edit
-```
-
-This opens the decrypted file in your `$EDITOR`.
-
-### Viewing secrets
+# 1. Create secrets.yml
+touch config/secrets.yml
 
-View the decrypted content:
-
-```bash
-$ rake secvault:show
+# 2. Edit with your favorite editor
+$EDITOR config/secrets.yml
 ```
 
-### Accessing secrets in your application
-
-Secrets are automatically loaded into `Rails.application.secrets`:
-
+**Usage in your app:**
 ```ruby
-# In your Rails application
-Rails.application.secrets.secret_key_base
 Rails.application.secrets.api_key
 Rails.application.secrets.database_password
 ```
 
-### Example secrets.yml structure
-
+**Example secrets.yml:**
 ```yaml
-# config/secrets.yml (encrypted)
 development:
-  secret_key_base: your_development_secret
-  api_key: dev_api_key
+  api_key: dev_key
   database_password: dev_password
 
-test:
-  secret_key_base: your_test_secret
-  api_key: test_api_key
-  database_password: test_password
-
 production:
-  secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
   api_key: <%= ENV['API_KEY'] %>
   database_password: <%= ENV['DATABASE_PASSWORD'] %>
 ```
 
-### Environment variable fallback
-
-You can set the encryption key via environment variable:
-
-```bash
-export RAILS_SECRETS_KEY=your_encryption_key
-```
-
-## Production Deployment
-
-### Option 1: Environment Variable
-
-Set the encryption key as an environment variable:
-
-```bash
-export RAILS_SECRETS_KEY=your_encryption_key
-```
-
-### Option 2: Key File
-
-Securely copy `config/secrets.yml.key` to your production server.
-
-### Docker
-
-For Docker deployments, you can pass the key as an environment variable:
-
-```dockerfile
-ENV RAILS_SECRETS_KEY=your_encryption_key
+**Production:** Use environment variables in your YAML:
+```yaml
+production:
+  api_key: <%= ENV['API_KEY'] %>
 ```
 
-## Rake Tasks
-
-| Task | Description |
-|------|-------------|
-| `rake secvault:setup` | Create encrypted secrets.yml and key |
-| `rake secvault:edit` | Edit the encrypted secrets file |
-| `rake secvault:show` | Display decrypted secrets content |
-
 ## Rails 7.1 Integration
 
-For Rails 7.1 applications, Secvault provides a simple integration method to replace the native Rails::Secrets functionality and test Secvault before upgrading to Rails 7.2+.
-
-### Quick Setup (Recommended)
-
-Add this to `config/initializers/secvault.rb`:
+Test Secvault in Rails 7.1 before upgrading to 7.2+:
 
 ```ruby
 # config/initializers/secvault.rb
 Secvault.setup_rails_71_integration!
 ```
 
-That's it! This single line will:
-- Override native Rails::Secrets with Secvault implementation
-- Replace Rails.application.secrets with Secvault functionality
-- Load secrets from config/secrets.yml automatically
-
-### Manual Setup (Advanced)
-
-If you prefer more control, you can set it up manually:
-
-```ruby
-# config/initializers/secvault.rb
-module Rails
-  remove_const(:Secrets) if defined?(Secrets)
-  Secrets = Secvault::RailsSecrets
-end
-
-Rails.application.config.after_initialize do
-  secrets_path = Rails.root.join("config/secrets.yml")
-  
-  if secrets_path.exist?
-    loaded_secrets = Rails::Secrets.parse([secrets_path], env: Rails.env)
-    secrets_object = ActiveSupport::OrderedOptions.new
-    secrets_object.merge!(loaded_secrets)
-    
-    Rails.application.define_singleton_method(:secrets) do
-      secrets_object
-    end
-  end
-end
-```
-
-### Rails 7.1 Benefits
-
-✅ **Test before upgrading**: Validate Secvault works with your secrets  
-✅ **Zero code changes**: Existing Rails 7.1 code continues to work  
-✅ **Smooth migration**: Gradual transition to Rails 7.2+  
-✅ **Full compatibility**: All Rails.application.secrets functionality preserved  
-
-### Example Rails 7.1 Usage
+This replaces Rails.application.secrets with Secvault functionality. Your existing Rails 7.1 code works unchanged:
 
 ```ruby
-# Works exactly like native Rails 7.1
-Rails.application.secrets.api_key
-Rails.application.secrets.oauth_settings[:google_client_id]
-
-# Plus enhanced Secvault functionality
-Rails::Secrets.parse_default(env: 'development')
-Rails::Secrets.parse([custom_path], env: Rails.env)
+Rails.application.secrets.api_key          # ✅ Works
+Rails.application.secrets.oauth_settings   # ✅ Works
+Rails::Secrets.parse_default               # ✅ Enhanced functionality
 ```
 
-## Migration from Rails < 7.2
-
-If you're upgrading from an older Rails version that had `secrets.yml`:
-
-1. Install secvault: `bundle add secvault`
-2. Encrypt existing secrets: `rake secvault:setup`
-3. Copy your existing secrets content using `rake secvault:edit`
-4. Remove the old plain-text `config/secrets.yml`
 
-## Security Best Practices
+## Security
 
-- ✅ **Never commit** `config/secrets.yml.key` to version control
-- ✅ **Use environment variables** for production secrets when possible  
-- ✅ **Rotate keys** periodically
-- ✅ **Use strong, unique keys** for each environment
-- ✅ **Limit access** to key files in production
-
-## Troubleshooting
-
-### Missing Key Error
-
-```
-Missing encryption key to decrypt secrets.yml
-```
-
-**Solution**: Ensure `config/secrets.yml.key` exists or set `RAILS_SECRETS_KEY` environment variable.
-
-### Invalid Key Error
-
-```
-Invalid encryption key for secrets.yml
-```
-
-**Solution**: The key doesn't match the encrypted file. Verify you're using the correct key.
-
-### File Not Found
-
-```
-Secrets file doesn't exist
-```
-
-**Solution**: Run `rake secvault:setup` to create the secrets file.
-
-## Development
-
-After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests.
-
-To install this gem onto your local machine, run `bundle exec rake install`.
-
-## Contributing
-
-Bug reports and pull requests are welcome on GitHub at https://github.com/unnitallman/secvault.
+⚠️ Never commit production secrets to version control  
+✅ Use environment variables for production secrets with ERB syntax: `<%= ENV['SECRET'] %>`  
+✅ Add `config/secrets.yml` to `.gitignore` if it contains sensitive data
 
 ## License
 
-The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
-
-## Code of Conduct
-
-Everyone interacting in the Secvault project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/secvault/blob/main/CODE_OF_CONDUCT.md).
+MIT License - see [LICENSE](https://opensource.org/licenses/MIT)

data/lib/secvault/railtie.rb

@@ -13,18 +13,17 @@ module Secvault
     # Ensure initialization happens early in all environments
     config.before_configuration do |app|
       secrets_path = app.root.join("config/secrets.yml")
-      key_path = app.root.join("config/secrets.yml.key")
       
       if secrets_path.exist? && !Rails.application.respond_to?(:secrets)
         # Early initialization for test environment compatibility
         current_env = ENV['RAILS_ENV'] || 'development'
-        secrets = Secvault::Secrets.read_secrets(secrets_path, key_path, current_env)
+        secrets = Secvault::Secrets.read_secrets(secrets_path, current_env)
         
         if secrets
           Rails.application.define_singleton_method(:secrets) do
             @secrets ||= begin
               current_secrets = ActiveSupport::OrderedOptions.new
-              env_secrets = Secvault::Secrets.read_secrets(secrets_path, key_path, Rails.env)
+              env_secrets = Secvault::Secrets.read_secrets(secrets_path, Rails.env)
               current_secrets.merge!(env_secrets) if env_secrets
               current_secrets
             end
@@ -33,12 +32,5 @@ module Secvault
       end
     end
 
-    generators do
-      require "secvault/generators/secrets_generator"
-    end
-
-    rake_tasks do
-      load "secvault/tasks.rake"
-    end
   end
 end

data/lib/secvault/secrets.rb

@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 
-require "active_support/encrypted_file"
 require "active_support/core_ext/hash/keys"
-require "active_support/core_ext/object/blank"
 require "active_support/ordered_options"
 require "pathname"
 require "erb"
@@ -16,20 +14,19 @@ module Secvault
         return unless rails_7_2_or_later?
         
         secrets_path = app.root.join("config/secrets.yml")
-        key_path = app.root.join("config/secrets.yml.key")
 
         if secrets_path.exist?
           # Use a more reliable approach that works in all environments
           app.config.before_configuration do
             current_env = ENV['RAILS_ENV'] || Rails.env || 'development'
-            setup_secrets_immediately(app, secrets_path, key_path, current_env)
+            setup_secrets_immediately(app, secrets_path, current_env)
           end
           
           # Also try during to_prepare as a fallback
           app.config.to_prepare do
             current_env = Rails.env
             unless Rails.application.respond_to?(:secrets) && !Rails.application.secrets.empty?
-              setup_secrets_immediately(app, secrets_path, key_path, current_env)
+              setup_secrets_immediately(app, secrets_path, current_env)
             end
           end
         end
@@ -38,19 +35,18 @@ module Secvault
       # Manual setup method for Rails 7.1 (opt-in)
       def setup_for_rails_71!(app)
         secrets_path = app.root.join("config/secrets.yml")
-        key_path = app.root.join("config/secrets.yml.key")
 
         if secrets_path.exist?
           app.config.before_configuration do
             current_env = ENV['RAILS_ENV'] || Rails.env || 'development'
-            setup_secrets_immediately(app, secrets_path, key_path, current_env)
+            setup_secrets_immediately(app, secrets_path, current_env)
           end
         end
       end
 
-      def setup_secrets_immediately(app, secrets_path, key_path, env)
+      def setup_secrets_immediately(app, secrets_path, env)
         # Set up secrets if they exist
-        secrets = read_secrets(secrets_path, key_path, env)
+        secrets = read_secrets(secrets_path, env)
         if secrets
           # Rails 8.0+ compatibility: Add secrets accessor that initializes on first access
           unless Rails.application.respond_to?(:secrets)
@@ -58,7 +54,7 @@ module Secvault
               @secrets ||= begin
                 current_secrets = ActiveSupport::OrderedOptions.new
                 # Re-read secrets to ensure we have the right environment
-                env_secrets = Secvault::Secrets.read_secrets(secrets_path, key_path, Rails.env)
+                env_secrets = Secvault::Secrets.read_secrets(secrets_path, Rails.env)
                 current_secrets.merge!(env_secrets) if env_secrets
                 current_secrets
               end
@@ -73,19 +69,15 @@ module Secvault
       end
 
       # Classic Rails::Secrets.parse implementation
-      # Parses secrets files and merges shared + environment-specific sections
+      # Parses plain YAML secrets files and merges shared + environment-specific sections
       def parse(paths, env:)
         paths.each_with_object(Hash.new) do |path, all_secrets|
           # Handle string paths by converting to Pathname
           path = Pathname.new(path) unless path.respond_to?(:exist?)
           next unless path.exist?
           
-          # Read and process the file content (handle both encrypted and plain)
-          source = if encrypted?(path)
-            decrypt(path)
-          else
-            preprocess(path)
-          end
+          # Read and process the plain YAML file content
+          source = path.read
           
           # Process ERB and parse YAML
           erb_result = ERB.new(source).result
@@ -102,22 +94,12 @@ module Secvault
           all_secrets.merge!(secrets[env].deep_symbolize_keys) if secrets[env]
         end
       end
-      
-      # Helper method to preprocess plain YAML files (for ERB)
-      def preprocess(path)
-        path.read
-      end
 
-      def read_secrets(secrets_path, key_path, env)
+      def read_secrets(secrets_path, env)
         if secrets_path.exist?
-          all_secrets = if key_path.exist? || encrypted?(secrets_path)
-            # Handle encrypted secrets.yml
-            decrypt_secrets(secrets_path, key_path)
-          else
-            # Handle plain YAML secrets.yml
-            YAML.safe_load(ERB.new(secrets_path.read).result, aliases: true)
-          end
-
+          # Handle plain YAML secrets.yml only
+          all_secrets = YAML.safe_load(ERB.new(secrets_path.read).result, aliases: true)
+          
           env_secrets = all_secrets[env.to_s]
           return env_secrets.deep_symbolize_keys if env_secrets
         end
@@ -125,46 +107,7 @@ module Secvault
         {}
       end
 
-      def encrypted?(path)
-        # Simple heuristic to detect if file is encrypted
-        content = path.read
-        # Encrypted files typically contain non-printable characters
-        !content.valid_encoding? || content.bytes.any? { |b| b < 32 && b != 10 && b != 13 }
-      rescue
-        false
-      end
-
       private
-
-      def decrypt_secrets(secrets_path, key_path)
-        encrypted_file = ActiveSupport::EncryptedFile.new(
-          content_path: secrets_path,
-          key_path: key_path,
-          env_key: "RAILS_SECRETS_KEY",
-          raise_if_missing_key: true
-        )
-
-        content = encrypted_file.read
-        YAML.safe_load(ERB.new(content).result, aliases: true) if content.present?
-      rescue ActiveSupport::EncryptedFile::MissingKeyError
-        raise MissingKeyError,
-          "Missing encryption key to decrypt secrets.yml. " \
-          "Ask your team for your secrets key and put it in config/secrets.yml.key"
-      rescue ActiveSupport::EncryptedFile::InvalidMessage
-        raise InvalidKeyError,
-          "Invalid encryption key for secrets.yml."
-      end
-
-      def decrypt(path)
-        key_path = Pathname.new("#{path}.key")
-        encrypted_file = ActiveSupport::EncryptedFile.new(
-          content_path: path,
-          key_path: key_path,
-          env_key: "RAILS_SECRETS_KEY",
-          raise_if_missing_key: true
-        )
-        encrypted_file.read
-      end
       
       def rails_7_2_or_later?
         rails_version = Rails.version

data/lib/secvault/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Secvault
-  VERSION = "1.0.4"
+  VERSION = "2.1.0"
 end

data/lib/secvault.rb

@@ -3,7 +3,6 @@
 require "rails"
 require "yaml"
 require "erb"
-require "active_support/encrypted_file"
 require "active_support/core_ext/hash/keys"
 require "zeitwerk"
 
@@ -12,11 +11,11 @@ require_relative "secvault/version"
 loader = Zeitwerk::Loader.for_gem
 loader.setup
 
-# Secvault - Enhanced secrets management for Rails
+# Secvault - Simple secrets management for Rails
 # 
 # Secvault restores the classic Rails secrets.yml functionality that was removed 
-# in Rails 7.2, allowing you to manage encrypted secrets using the familiar 
-# YAML-based approach.
+# in Rails 7.2, using simple, plain YAML files for environment-specific secrets 
+# management.
 #
 # ## Rails Version Support:
 # - Rails 7.1: Requires manual setup (see Rails 7.1 integration guide)
@@ -47,11 +46,14 @@ loader.setup
 #   Rails.application.secrets.oauth_settings[:google_client_id]
 #   Rails::Secrets.parse_default(env: 'development')
 #
+# ## Getting Started:
+#   1. Create config/secrets.yml with your secrets
+#   2. Use Rails.application.secrets.your_secret in your app
+#   3. For production, use environment variables with ERB syntax
+#
 # @see https://github.com/unnitallman/secvault
 module Secvault
   class Error < StandardError; end
-  class MissingKeyError < Error; end
-  class InvalidKeyError < Error; end
 
   extend self
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secvault
 version: !ruby/object:Gem::Version
-  version: 1.0.4
+  version: 2.1.0
 platform: ruby
 authors:
 - Unnikrishnan KP
@@ -39,8 +39,8 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '2.6'
 description: Secvault restores the classic Rails secrets.yml functionality that was
-  removed in Rails 7.2, allowing you to manage encrypted secrets using the familiar
-  YAML-based approach. Compatible with Rails 7.1+, 7.2+ and 8.0+.
+  removed in Rails 7.2, using simple, plain YAML files for environment-specific secrets
+  management. Compatible with Rails 7.1+, 7.2+ and 8.0+.
 email:
 - unnikrishnan.kp@bigbinary.com
 executables: []
@@ -60,8 +60,8 @@ files:
 - lib/secvault/railtie.rb
 - lib/secvault/secrets.rb
 - lib/secvault/secrets_helper.rb
-- lib/secvault/tasks.rake
 - lib/secvault/version.rb
+- secvault-2.0.0.gem
 - sig/secvault.rbs
 homepage: https://github.com/unnitallman/secvault
 licenses:
@@ -89,5 +89,5 @@ requirements: []
 rubygems_version: 3.5.10
 signing_key:
 specification_version: 4
-summary: Rails secrets.yml functionality for Rails 7.1+, 7.2+ and Rails 8.0+
+summary: Simple Rails secrets.yml functionality for Rails 7.1+, 7.2+ and Rails 8.0+
 test_files: []

data/lib/secvault/tasks.rake

@@ -1,135 +0,0 @@
-# frozen_string_literal: true
-
-require "active_support/encrypted_file"
-require "securerandom"
-
-namespace :secvault do
-  desc "Setup secrets.yml file (plain YAML by default)"
-  task setup: :environment do
-    secrets_path = Rails.root.join("config/secrets.yml")
-    key_path = Rails.root.join("config/secrets.yml.key")
-    encrypted = ENV["ENCRYPTED"] == "true"
-
-    if secrets_path.exist?
-      puts "Secrets file already exists at #{secrets_path}"
-    else
-      default_content = <<~YAML
-        # Be sure to restart your server when you modify this file.
-        #
-        # Your secret key is used for verifying the integrity of signed cookies.
-        # If you change this key, all old signed cookies will become invalid!
-        #
-        # Make sure the secret is at least 30 characters and all random,
-        # no regular words or you'll be exposed to dictionary attacks.
-        # You can use `rails secret` to generate a secure secret key.
-
-        development:
-          secret_key_base: #{SecureRandom.hex(64)}
-
-        test:
-          secret_key_base: #{SecureRandom.hex(64)}
-
-        # Do not keep production secrets in the repository,
-        # instead read values from the environment.
-        production:
-          secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
-      YAML
-
-      if encrypted
-        # Create encrypted file
-        unless key_path.exist?
-          key = ActiveSupport::EncryptedFile.generate_key
-          File.write(key_path, key)
-          puts "Generated encryption key in #{key_path}"
-        end
-
-        encrypted_file = ActiveSupport::EncryptedFile.new(
-          content_path: secrets_path,
-          key_path: key_path,
-          env_key: "RAILS_SECRETS_KEY",
-          raise_if_missing_key: true
-        )
-        encrypted_file.write(default_content)
-        puts "Created encrypted secrets.yml file"
-        puts "Add #{key_path} to your .gitignore file"
-      else
-        # Create plain YAML file
-        File.write(secrets_path, default_content)
-        puts "Created plain secrets.yml file"
-        puts "Remember to add #{secrets_path} to your .gitignore if it contains sensitive data"
-      end
-    end
-  end
-
-  desc "Edit secrets.yml file"
-  task edit: :environment do
-    secrets_path = Rails.root.join("config/secrets.yml")
-    key_path = Rails.root.join("config/secrets.yml.key")
-
-    unless secrets_path.exist?
-      puts "Secrets file doesn't exist. Run 'rake secvault:setup' first."
-      exit 1
-    end
-
-    # Check if file is encrypted
-    is_encrypted = Secvault::Secrets.encrypted?(secrets_path)
-
-    if is_encrypted && key_path.exist?
-      # Handle encrypted file
-      encrypted_file = ActiveSupport::EncryptedFile.new(
-        content_path: secrets_path,
-        key_path: key_path,
-        env_key: "RAILS_SECRETS_KEY",
-        raise_if_missing_key: true
-      )
-
-      encrypted_file.change do |tmp_path|
-        system("#{ENV["EDITOR"] || "vi"} #{tmp_path}")
-      end
-
-      puts "Updated encrypted #{secrets_path}"
-    else
-      # Handle plain YAML file
-      system("#{ENV["EDITOR"] || "vi"} #{secrets_path}")
-      puts "Updated plain #{secrets_path}"
-    end
-  rescue ActiveSupport::EncryptedFile::MissingKeyError
-    puts "Missing encryption key to decrypt secrets.yml."
-    puts "Ask your team for your secrets key and put it in #{key_path}"
-  rescue ActiveSupport::EncryptedFile::InvalidMessage
-    puts "Invalid encryption key for secrets.yml."
-  end
-
-  desc "Show secrets.yml content"
-  task show: :environment do
-    secrets_path = Rails.root.join("config/secrets.yml")
-    key_path = Rails.root.join("config/secrets.yml.key")
-
-    unless secrets_path.exist?
-      puts "Secrets file doesn't exist. Run 'rake secvault:setup' first."
-      exit 1
-    end
-
-    # Check if file is encrypted
-    is_encrypted = Secvault::Secrets.encrypted?(secrets_path)
-
-    if is_encrypted && key_path.exist?
-      # Handle encrypted file
-      encrypted_file = ActiveSupport::EncryptedFile.new(
-        content_path: secrets_path,
-        key_path: key_path,
-        env_key: "RAILS_SECRETS_KEY",
-        raise_if_missing_key: true
-      )
-      puts encrypted_file.read
-    else
-      # Handle plain YAML file
-      puts File.read(secrets_path)
-    end
-  rescue ActiveSupport::EncryptedFile::MissingKeyError
-    puts "Missing encryption key to decrypt secrets.yml."
-    puts "Ask your team for your secrets key and put it in #{key_path}"
-  rescue ActiveSupport::EncryptedFile::InvalidMessage
-    puts "Invalid encryption key for secrets.yml."
-  end
-end