RubyGems - secvault - Versions diffs - 2.5.0 → 2.6.0 - Mend

secvault 2.5.0 → 2.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7aa65a706270754c5654d4ddac89114d5c6f59f80c2bd1480d11dc0b350a57d9
-  data.tar.gz: 9ce9a4d9661505ba37a8c827d8f5811c8b9ff0b2fab8f8a8b89bb9f53fb62618
+  metadata.gz: 804b4325743910209d494c3c81b4f5f0dc8cf89dd802b4b424544923e42cee34
+  data.tar.gz: 6c456cdd91bf12b27ab70922deb6736c42c8afdeb3e91c7173428c791441ff2c
 SHA512:
-  metadata.gz: ebd99a7e5c479c1bf98f7180414bcf7b77b45f70a19d56b3b20d734da069ed5f4d18b6855356a89d47475c6955f8ce5a4edc161e2ee13c5d4ab1494a4be38855
-  data.tar.gz: 888b561a34ff6be3798accb339d812d0456e3e10df0f4725c2c522e080ccef70c6dc23e54cae76878b5e4a67a44b4b63527b5bd0386133907b3df9a6bbec3df5
+  metadata.gz: 82efdd937655a3ba4eaefe8d732df4e2def7fd12a91302b182d1c300f1a17c10031339a53efe14af1f7c23bdfc40bdc44d43f578bc487a4e425551b75169f1c0
+  data.tar.gz: 0bf0eab87edf50ef01b0d5f0989d8403cd2b96795a393504de87875541ef458fbe3342ba2d8d0e8316b252259bbfee00abff8d1cb265bf0d73cdd951e979c27a

data/README.md CHANGED Viewed

@@ -7,16 +7,6 @@ Restores the classic Rails `secrets.yml` functionality that was removed in Rails
 - **Rails 7.2+**: Automatic setup
 - **Rails 8.0+**: Full compatibility
-## ✨ Key Features
-- 🔗 **YAML Anchor/Alias Support**: Use `default: &default` for shared configuration
-- 🌍 **ERB Interpolation**: Environment variables with type conversion (`ENV['VAR'].to_i`, boolean logic)
-- 📁 **Multi-File Loading**: Merge multiple YAML files (e.g., base + OAuth + local overrides)
-- 🔄 **Environment Switching**: Load different environments dynamically
-- 🛠️ **Development Tools**: Hot-reload secrets without server restart
-- 🔍 **Utility Methods**: `Secvault.active?` to check integration status
-- 🏗️ **Flexible Organization**: Feature-based, environment-based, or namespace-based file structures
 ## Installation
 ```ruby
@@ -100,22 +90,11 @@ Secvault.setup_multi_file!([
 ])
 ```
-**What this does automatically:**
-- ✅ Sets up Rails 7.1 compatibility (calls `setup_backward_compatibility_with_older_rails!`)
+**What this does:**
 - ✅ Loads and merges all files in order (later files override earlier ones)
 - ✅ Handles missing files gracefully
-- ✅ Adds `reload_secrets!` method in development
-- ✅ Provides logging (except in production)
 - ✅ Creates Rails.application.secrets with merged configuration
-**File organization example:**
-```
-config/
-├── secrets.yml           # Base application secrets
-├── secrets.oauth.yml     # OAuth providers & external APIs
-├── secrets.local.yml     # Local development overrides (gitignored)
-```
 **Advanced options:**
 ```ruby
 # Disable reload helper or logging
@@ -160,7 +139,7 @@ dev_secrets = Rails::Secrets.load(env: 'development')
 ## ERB Features & Type Conversion
-Secvault supports powerful ERB templating with automatic type conversion:
+Secvault supports ERB templating with automatic type conversion:
 ```yaml
 production:
@@ -225,60 +204,12 @@ else
 end
 ```
-## Usage Examples
-**Basic usage:**
-```ruby
-# Access secrets
-Rails.application.secrets.api_key
-Rails.application.secrets.database.host
-Rails.application.secrets.oauth.google.client_id
-# With YAML defaults, you get deep merging:
-Rails.application.secrets.database.adapter  # "postgresql" (from default)
-Rails.application.secrets.database.host     # "localhost" (from environment)
-```
-**Multi-file merging:**
-```ruby
-# Files loaded in order: base → oauth → local
-# Later files override earlier ones for the same keys
-# Hash values are deep merged, scalars are replaced
-Rails.application.secrets.api_key           # Could be from base or local file
-Rails.application.secrets.oauth.google      # From oauth file
-Rails.application.secrets.features.debug   # From local file override
-```
 ## Security Best Practices
-### ⚠️ Production Security
 - **Never commit production secrets** to version control
 - **Use environment variables** in production with ERB: `<%= ENV['SECRET'] %>`
 - **Use ENV.fetch()** with fallbacks: `<%= ENV.fetch('SECRET', 'default') %>`
-### 📝 File Management
-- **Add sensitive files** to `.gitignore`:
-  ```gitignore
-  config/secrets.yml         # If contains sensitive data
-  config/secrets.local.yml   # Local development overrides
-  config/secrets.production.yml  # If used
-  ```
-### 🔑 Recommended Structure
-```yaml
-# ✅ GOOD: Base file with safe defaults
-development:
-  api_key: "safe_dev_key_for_team"
-production:
-  api_key: <%= ENV['API_KEY'] %>  # ✅ From environment
-# ❌ BAD: Secrets hardcoded in base file
-production:
-  api_key: "super_secret_production_key"  # ❌ Never do this
-```
 ## License
 MIT License - see [LICENSE](https://opensource.org/licenses/MIT)

data/USAGE_EXAMPLES.md ADDED Viewed

@@ -0,0 +1,65 @@
+# Secvault API
+Secvault provides separate control over secrets loading and Rails integration.
+## Core Methods
+### `Secvault.start!(files: [])`
+Loads secrets from YAML files. Returns `true`/`false`.
+- **Default**: Uses `config/secrets.yml` if `files` is empty
+- **Access**: Secrets available via `Secvault.secrets`
+- **Non-invasive**: Does not modify `Rails.application.secrets`
+### `Secvault.integrate_with_rails!`
+Replaces `Rails.application.secrets` with Secvault's loaded secrets. Returns `true`/`false`.
+### `Secvault.secrets`
+Access to loaded secrets as `ActiveSupport::OrderedOptions`.
+### Status Methods
+- `Secvault.active?` - Returns `true` if secrets have been loaded
+- `Secvault.rails_integrated?` - Returns `true` if Rails integration is active
+## Usage
+### Standalone
+```ruby
+# Load secrets independently
+Secvault.start!
+api_key = Secvault.secrets.api_key
+```
+### With Rails Integration
+```ruby
+# Load and integrate with Rails
+Secvault.start!
+Secvault.integrate_with_rails!
+api_key = Rails.application.secrets.api_key
+```
+### Multiple Files
+```ruby
+# Files are deep-merged in order
+Secvault.start!(files: [
+  'config/shared_secrets.yml',
+  'config/secrets.yml'
+])
+```
+### Error Handling
+```ruby
+if Secvault.start!(files: ['config/secrets.yml'])
+  if Secvault.integrate_with_rails!
+    # Both operations successful
+  end
+end
+```

data/lib/secvault/secrets.rb CHANGED Viewed

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 require "active_support/core_ext/hash/keys"
+require "active_support/core_ext/hash/deep_merge"
 require "active_support/ordered_options"
 require "pathname"
 require "erb"
@@ -89,9 +90,9 @@ module Secvault
           secrets ||= {}
-          # Merge shared secrets first, then environment-specific
-          all_secrets.merge!(secrets["shared"].deep_symbolize_keys) if secrets["shared"]
-          all_secrets.merge!(secrets[env].deep_symbolize_keys) if secrets[env]
+          # Merge shared secrets first, then environment-specific (using deep merge)
+          all_secrets.deep_merge!(secrets["shared"].deep_symbolize_keys) if secrets["shared"]
+          all_secrets.deep_merge!(secrets[env].deep_symbolize_keys) if secrets[env]
         end
       end

data/lib/secvault/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Secvault
-  VERSION = "2.5.0"
+  VERSION = "2.6.0"
 end

data/lib/secvault.rb CHANGED Viewed

@@ -57,9 +57,22 @@ module Secvault
   class Error < StandardError; end
   extend self
+  # Internal storage for loaded secrets
+  @@loaded_secrets = nil
-  # Check if Secvault is currently active in the Rails application
+  # Access to loaded secrets without Rails integration
+  def secrets
+    @@loaded_secrets || ActiveSupport::OrderedOptions.new
+  end
+  # Check if Secvault is currently active (started)
   def active?
+    @@loaded_secrets != nil
+  end
+  # Check if Secvault is integrated with Rails.application.secrets
+  def rails_integrated?
     defined?(Rails) && Rails::Secrets == Secvault::RailsSecrets
   end
@@ -149,7 +162,39 @@ module Secvault
     end
   end
-  # Load secrets from multiple files and merge them
+  # Load secrets into Secvault.secrets only (no Rails integration)
+  def load_secrets_only!(files, logger: !Rails.env.production?)
+    # Convert strings to Pathname objects and resolve relative to Rails.root
+    file_paths = Array(files).map do |file|
+      file.is_a?(Pathname) ? file : Rails.root.join(file)
+    end
+    existing_files = file_paths.select(&:exist?)
+    if existing_files.any?
+      # Load and merge all secrets files using Secvault's parser directly
+      merged_secrets = Secvault::Secrets.parse(existing_files, env: Rails.env)
+      # Store in Secvault.secrets (ActiveSupport::OrderedOptions for compatibility)
+      @@loaded_secrets = ActiveSupport::OrderedOptions.new
+      @@loaded_secrets.merge!(merged_secrets)
+      # Log successful loading
+      if logger
+        file_names = existing_files.map(&:basename)
+        Rails.logger&.info "[Secvault] Loaded #{existing_files.size} files: #{file_names.join(', ')}"
+        Rails.logger&.info "[Secvault] Parsed #{merged_secrets.keys.size} secret keys for #{Rails.env}"
+      end
+      true
+    else
+      Rails.logger&.warn "[Secvault] No secrets files found" if logger
+      @@loaded_secrets = ActiveSupport::OrderedOptions.new
+      false
+    end
+  end
+  # Load secrets from multiple files and merge them (with Rails integration)
   def load_multi_file_secrets!(file_paths, logger: !Rails.env.production?)
     existing_files = file_paths.select(&:exist?)
@@ -193,6 +238,61 @@ module Secvault
     end
   end
+  # Start Secvault and load secrets (without Rails integration)
+  #
+  # Usage:
+  #   Secvault.start!                                    # Uses config/secrets.yml only
+  #   Secvault.start!(files: [])                        # Same as above
+  #   Secvault.start!(files: ['path/to/secrets.yml'])   # Custom single file
+  #   Secvault.start!(files: ['gem.yml', 'app.yml'])    # Multiple files
+  #
+  # Access loaded secrets via: Secvault.secrets.your_key
+  # To integrate with Rails.application.secrets, call: Secvault.integrate_with_rails!
+  #
+  # Options:
+  #   - files: Array of file paths (String or Pathname). Defaults to ['config/secrets.yml']
+  #   - logger: Enable logging (default: true except production)
+  def start!(files: [], logger: !Rails.env.production?)
+    begin
+      # Default to host app's config/secrets.yml if no files specified
+      files_to_load = files.empty? ? ['config/secrets.yml'] : files
+      # Load secrets into Secvault.secrets (completely independent of Rails)
+      load_secrets_only!(files_to_load, logger: logger)
+      true
+    rescue => e
+      Rails.logger&.error "[Secvault] Failed to start: #{e.message}" if defined?(Rails)
+      false
+    end
+  end
+  # Integrate loaded secrets with Rails.application.secrets
+  def integrate_with_rails!
+    return false unless @@loaded_secrets
+    begin
+      # Set up Rails::Secrets to use Secvault's parser (only when integrating)
+      unless rails_integrated?
+        if defined?(Rails::Secrets)
+          Rails.send(:remove_const, :Secrets)
+        end
+        Rails.const_set(:Secrets, Secvault::RailsSecrets)
+      end
+      # Replace Rails.application.secrets with Secvault's loaded secrets
+      Rails.application.define_singleton_method(:secrets) do
+        Secvault.secrets
+      end
+      Rails.logger&.info "[Secvault] Integrated with Rails.application.secrets" unless Rails.env.production?
+      true
+    rescue => e
+      Rails.logger&.error "[Secvault] Failed to integrate with Rails: #{e.message}" if defined?(Rails)
+      false
+    end
+  end
   # Backward compatibility aliases
   alias_method :setup_rails_71_integration!, :setup_backward_compatibility_with_older_rails!
   alias_method :setup_multi_files!, :setup_multi_file!  # Alternative name

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secvault
 version: !ruby/object:Gem::Version
-  version: 2.5.0
+  version: 2.6.0
 platform: ruby
 authors:
 - Unnikrishnan KP
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-09-22 00:00:00.000000000 Z
+date: 2025-09-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -54,6 +54,7 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- USAGE_EXAMPLES.md
 - lib/secvault.rb
 - lib/secvault/generators/secrets_generator.rb
 - lib/secvault/rails_secrets.rb