secvault 2.5.0 → 2.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7aa65a706270754c5654d4ddac89114d5c6f59f80c2bd1480d11dc0b350a57d9
-  data.tar.gz: 9ce9a4d9661505ba37a8c827d8f5811c8b9ff0b2fab8f8a8b89bb9f53fb62618
+  metadata.gz: 51dbcfd2c3b3073fb06223b681fb358cf8c74aae00c90663470edc19b3a40cd0
+  data.tar.gz: f78b9e5a1bdcb9148d58e31791738179b38a401ae0416920b4a6ee557e024ffd
 SHA512:
-  metadata.gz: ebd99a7e5c479c1bf98f7180414bcf7b77b45f70a19d56b3b20d734da069ed5f4d18b6855356a89d47475c6955f8ce5a4edc161e2ee13c5d4ab1494a4be38855
-  data.tar.gz: 888b561a34ff6be3798accb339d812d0456e3e10df0f4725c2c522e080ccef70c6dc23e54cae76878b5e4a67a44b4b63527b5bd0386133907b3df9a6bbec3df5
+  metadata.gz: 99d55935f3754ed807d306e94c530259ae34c82d43e1b2827ace62a2e33fd8bed291d8af358597aa68b71d78737af402273644e2b5d9475c5540be234b2d5985
+  data.tar.gz: d24dfa1e4613602a15ee7d40aeabedb089edf9e88ea136960ca039d6298252d8e7cd4e8a50d6f815cedcbde9d6192320814ccf6694797633225a29e98b993842

data/.rspec

@@ -1,3 +1,3 @@
 --format documentation
 --color
---require spec_helper
+--require spec_helper

data/README.md

@@ -1,21 +1,12 @@
 # Secvault
 
-Restores the classic Rails `secrets.yml` functionality that was removed in Rails 7.2. Uses simple, plain YAML files for environment-specific secrets management with powerful features like YAML defaults, ERB interpolation, and multi-file configurations.
+Restores Rails `secrets.yml` functionality for environment-specific secrets management using YAML files with ERB templating.
 
-**Rails Version Support:**
-- **Rails 7.1 and older**: Manual setup (see Older Rails Integration below)
-- **Rails 7.2+**: Automatic setup
-- **Rails 8.0+**: Full compatibility
-
-## ✨ Key Features
+## Rails Version Support
 
-- 🔗 **YAML Anchor/Alias Support**: Use `default: &default` for shared configuration
-- 🌍 **ERB Interpolation**: Environment variables with type conversion (`ENV['VAR'].to_i`, boolean logic)
-- 📁 **Multi-File Loading**: Merge multiple YAML files (e.g., base + OAuth + local overrides)
-- 🔄 **Environment Switching**: Load different environments dynamically
-- 🛠️ **Development Tools**: Hot-reload secrets without server restart
-- 🔍 **Utility Methods**: `Secvault.active?` to check integration status
-- 🏗️ **Flexible Organization**: Feature-based, environment-based, or namespace-based file structures
+- **Rails 7.2+**: Automatic setup (drop-in replacement for removed functionality)
+- **Rails 7.1**: Manual setup required
+- **Rails 8.0+**: Full compatibility
 
 ## Installation
 
@@ -24,261 +15,87 @@ Restores the classic Rails `secrets.yml` functionality that was removed in Rails
 gem 'secvault'
 ```
 
-```bash
-bundle install
-```
-
-## Quick Start (Rails 7.2+)
+## Quick Start
 
-```bash
-# 1. Create secrets.yml
-touch config/secrets.yml
+Create `config/secrets.yml`:
 
-# 2. Edit with your favorite editor
-$EDITOR config/secrets.yml
-```
-
-**Usage in your app:**
-```ruby
-Rails.application.secrets.api_key
-Rails.application.secrets.database_password
-```
-
-**Example secrets.yml with YAML defaults and ERB:**
 ```yaml
-# YAML defaults - inherited by all environments
-default: &default
-  app_name: "My Application"
-  database:
-    adapter: "postgresql"
-    pool: 5
-    timeout: 5000
-  api:
-    timeout: 30
-    retries: 3
-
 development:
-  <<: *default  # Inherit defaults
-  api_key: "dev_api_key_123"
-  database:
-    host: "localhost"
-    name: "myapp_development"
-  api:
-    base_url: "http://localhost:3000"  # Override default
+  api_key: "dev_key_123"
+  database_url: "postgresql://localhost/myapp_dev"
 
 production:
-  <<: *default  # Inherit defaults
   api_key: <%= ENV['API_KEY'] %>
-  database:
-    host: <%= ENV['DATABASE_HOST'] %>
-    name: <%= ENV['DATABASE_NAME'] %>
-    pool: <%= ENV.fetch('DATABASE_POOL', '10').to_i %>  # Type conversion
-  api:
-    base_url: <%= ENV['API_BASE_URL'] %>
-  
-  # Boolean conversion
-  features:
-    new_ui: <%= ENV.fetch('FEATURE_NEW_UI', 'true') == 'true' %>
-  
-  # Array conversion
-  oauth_scopes: <%= ENV.fetch('OAUTH_SCOPES', 'email,profile').split(',') %>
+  database_url: <%= ENV['DATABASE_URL'] %>
 ```
 
-## Multi-File Configuration
-
-Organize secrets across multiple files with a **super clean API**:
+Access secrets in your app:
 
 ```ruby
-# config/initializers/secvault.rb
-require "secvault"
-
-# That's it! Just pass your files array
-Secvault.setup_multi_file!([
-  'config/secrets.yml',         # Base secrets
-  'config/secrets.oauth.yml',   # OAuth & APIs
-  'config/secrets.local.yml'    # Local overrides
-])
+Rails.application.secrets.api_key
+Rails.application.secrets.database_url
 ```
 
-**What this does automatically:**
-- ✅ Sets up Rails 7.1 compatibility (calls `setup_backward_compatibility_with_older_rails!`)
-- ✅ Loads and merges all files in order (later files override earlier ones)
-- ✅ Handles missing files gracefully
-- ✅ Adds `reload_secrets!` method in development
-- ✅ Provides logging (except in production)
-- ✅ Creates Rails.application.secrets with merged configuration
+## Multi-File Configuration
 
-**File organization example:**
-```
-config/
-├── secrets.yml           # Base application secrets
-├── secrets.oauth.yml     # OAuth providers & external APIs
-├── secrets.local.yml     # Local development overrides (gitignored)
-```
+Load and merge multiple secrets files:
 
-**Advanced options:**
 ```ruby
-# Disable reload helper or logging
-Secvault.setup_multi_file!(files, reload_method: false, logger: false)
-
-# Use Pathname objects if needed
+# config/initializers/secvault.rb
 Secvault.setup_multi_file!([
-  Rails.root.join('config', 'secrets.yml'),
-  Rails.root.join('config', 'secrets.oauth.yml')
-])
-```
-
-## Advanced Usage
-
-**Manual multi-file parsing:**
-```ruby
-# Parse multiple files - later files override earlier ones
-secrets = Rails::Secrets.parse([
   'config/secrets.yml',
   'config/secrets.oauth.yml',
   'config/secrets.local.yml'
-], env: Rails.env)
-```
-
-**Load specific environment:**
-```ruby
-# Load production secrets in any environment
-production_secrets = Rails::Secrets.load(env: 'production')
-
-# Load development secrets
-dev_secrets = Rails::Secrets.load(env: 'development')
-```
-
-**Environment-specific loading:**
-```ruby
-# Load production secrets in any environment
-production_secrets = Rails::Secrets.load(env: 'production')
-
-# Load development secrets
-dev_secrets = Rails::Secrets.load(env: 'development')
+])
 ```
 
-## ERB Features & Type Conversion
-
-Secvault supports powerful ERB templating with automatic type conversion:
+Files are merged in order with deep merge support for nested hashes.
 
-```yaml
-production:
-  # String interpolation
-  api_key: <%= ENV['API_KEY'] %>
-  
-  # Integer conversion
-  database_pool: <%= ENV.fetch('DB_POOL', '10').to_i %>
-  
-  # Boolean conversion  
-  debug_enabled: <%= ENV.fetch('DEBUG', 'false') == 'true' %>
-  
-  # Array conversion
-  allowed_hosts: <%= ENV.fetch('HOSTS', 'localhost,127.0.0.1').split(',') %>
-  
-  # Fallback values
-  timeout: <%= ENV.fetch('TIMEOUT', '30').to_i %>
-  adapter: <%= ENV.fetch('DB_ADAPTER', 'postgresql') %>
-```
-
-## Development Tools
+## Manual API
 
-**Hot-reload secrets (automatically available in development):**
 ```ruby
-# In Rails console - automatically added by setup_multi_file!
-reload_secrets!  # Reloads all configured files without server restart
-# 🔄 Reloaded secrets from 3 files
+# Parse specific files
+secrets = Rails::Secrets.parse(['config/secrets.yml'], env: Rails.env)
 
-# Also available as:
-Rails.application.reload_secrets!
-```
+# Load default config/secrets.yml
+secrets = Rails::Secrets.load(env: 'production')
 
-**Check integration status:**
-```ruby
-Secvault.active?  # Returns true if Secvault is managing secrets
+# Check if active
+Secvault.active? # => true/false
 ```
 
-## Older Rails Integration
+## Rails 7.1 Integration
 
-For Rails versions with existing secrets functionality (like Rails 7.1), use Secvault to test before upgrading:
+For Rails 7.1 with existing secrets functionality:
 
 ```ruby
 # config/initializers/secvault.rb
 Secvault.setup_backward_compatibility_with_older_rails!
 ```
 
-This replaces Rails.application.secrets with Secvault functionality. Your existing Rails 7.1 code works unchanged:
+## ERB Templating
 
-```ruby
-Rails.application.secrets.api_key          # ✅ Works
-Rails.application.secrets.oauth_settings   # ✅ Works
-Rails::Secrets.load                        # ✅ Load default config/secrets.yml
-Rails::Secrets.parse(['custom.yml'], env: Rails.env)  # ✅ Parse custom files
-```
+Supports full ERB templating for environment variables:
 
-**Check if Secvault is active:**
-```ruby
-if Secvault.active?
-  puts "Using Secvault for secrets management"
-else
-  puts "Using default Rails secrets functionality"
-end
+```yaml
+production:
+  api_key: <%= ENV['API_KEY'] %>
+  pool_size: <%= ENV.fetch('DB_POOL', '5').to_i %>
+  features:
+    enabled: <%= ENV.fetch('FEATURES_ON', 'false') == 'true' %>
+  hosts: <%= ENV.fetch('ALLOWED_HOSTS', 'localhost').split(',') %>
 ```
 
-## Usage Examples
+## Development Tools
 
-**Basic usage:**
-```ruby
-# Access secrets
-Rails.application.secrets.api_key
-Rails.application.secrets.database.host
-Rails.application.secrets.oauth.google.client_id
+Reload secrets in development:
 
-# With YAML defaults, you get deep merging:
-Rails.application.secrets.database.adapter  # "postgresql" (from default)
-Rails.application.secrets.database.host     # "localhost" (from environment)
-```
-
-**Multi-file merging:**
 ```ruby
-# Files loaded in order: base → oauth → local
-# Later files override earlier ones for the same keys
-# Hash values are deep merged, scalars are replaced
-
-Rails.application.secrets.api_key           # Could be from base or local file
-Rails.application.secrets.oauth.google      # From oauth file
-Rails.application.secrets.features.debug   # From local file override
-```
-
-## Security Best Practices
-
-### ⚠️ Production Security
-- **Never commit production secrets** to version control
-- **Use environment variables** in production with ERB: `<%= ENV['SECRET'] %>`
-- **Use ENV.fetch()** with fallbacks: `<%= ENV.fetch('SECRET', 'default') %>`
-
-### 📝 File Management
-- **Add sensitive files** to `.gitignore`:
-  ```gitignore
-  config/secrets.yml         # If contains sensitive data
-  config/secrets.local.yml   # Local development overrides
-  config/secrets.production.yml  # If used
-  ```
-
-### 🔑 Recommended Structure
-```yaml
-# ✅ GOOD: Base file with safe defaults
-development:
-  api_key: "safe_dev_key_for_team"
-  
-production:
-  api_key: <%= ENV['API_KEY'] %>  # ✅ From environment
-
-# ❌ BAD: Secrets hardcoded in base file
-production:
-  api_key: "super_secret_production_key"  # ❌ Never do this
+# Available after setup_multi_file!
+reload_secrets!
+Rails.application.reload_secrets!
 ```
 
 ## License
 
-MIT License - see [LICENSE](https://opensource.org/licenses/MIT)
+MIT

data/lib/secvault/rails_secrets.rb

@@ -6,9 +6,9 @@ module Secvault
   # This replicates the Rails < 7.2 Rails::Secrets module functionality
   module RailsSecrets
     extend self
-    
+
     # Parse secrets from one or more YAML files
-    # 
+    #
     # Supports:
     # - ERB templating for environment variables
     # - Shared sections that apply to all environments
@@ -19,26 +19,26 @@ module Secvault
     # Examples:
     #   # Single file
     #   Rails::Secrets.parse(['config/secrets.yml'], env: 'development')
-    #   
+    #
     #   # Multiple files (merged in order)
     #   Rails::Secrets.parse([
     #     'config/secrets.yml',
     #     'config/secrets.local.yml'
     #   ], env: 'development')
-    #   
+    #
     #   # Load default config/secrets.yml
     #   Rails::Secrets.load  # uses current Rails.env
     #   Rails::Secrets.load(env: 'production')
     def parse(paths, env:)
       Secvault::Secrets.parse(paths, env: env.to_s)
     end
-    
+
     # Load secrets from the default config/secrets.yml file
     def load(env: Rails.env)
       secrets_path = Rails.root.join("config/secrets.yml")
       parse([secrets_path], env: env)
     end
-    
+
     # Backward compatibility aliases (deprecated)
     alias_method :parse_default, :load
     alias_method :read, :load
@@ -49,8 +49,8 @@ end
 # Only for Rails 7.2+ where Rails::Secrets was removed
 if defined?(Rails) && Rails.respond_to?(:version)
   rails_version = Rails.version
-  major, minor = rails_version.split('.').map(&:to_i)
-  
+  major, minor = rails_version.split(".").map(&:to_i)
+
   # Only alias for Rails 7.2+ to avoid conflicts with native Rails::Secrets in 7.1
   if major > 7 || (major == 7 && minor >= 2)
     module Rails

data/lib/secvault/railtie.rb

@@ -9,16 +9,16 @@ module Secvault
     initializer "secvault.initialize", before: :load_environment_hook do |app|
       Secvault::Secrets.setup(app)
     end
-    
+
     # Ensure initialization happens early in all environments
     config.before_configuration do |app|
       secrets_path = app.root.join("config/secrets.yml")
-      
+
       if secrets_path.exist? && !Rails.application.respond_to?(:secrets)
         # Early initialization for test environment compatibility
-        current_env = ENV['RAILS_ENV'] || 'development'
+        current_env = ENV["RAILS_ENV"] || "development"
         secrets = Secvault::Secrets.read_secrets(secrets_path, current_env)
-        
+
         if secrets
           Rails.application.define_singleton_method(:secrets) do
             @secrets ||= begin
@@ -31,6 +31,5 @@ module Secvault
         end
       end
     end
-
   end
 end

data/lib/secvault/secrets.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require "active_support/core_ext/hash/keys"
+require "active_support/core_ext/hash/deep_merge"
 require "active_support/ordered_options"
 require "pathname"
 require "erb"
@@ -12,16 +13,16 @@ module Secvault
       def setup(app)
         # Only auto-setup for Rails 7.2+ where secrets functionality was removed
         return unless rails_7_2_or_later?
-        
+
         secrets_path = app.root.join("config/secrets.yml")
 
         if secrets_path.exist?
           # Use a more reliable approach that works in all environments
           app.config.before_configuration do
-            current_env = ENV['RAILS_ENV'] || Rails.env || 'development'
+            current_env = ENV["RAILS_ENV"] || Rails.env || "development"
             setup_secrets_immediately(app, secrets_path, current_env)
           end
-          
+
           # Also try during to_prepare as a fallback
           app.config.to_prepare do
             current_env = Rails.env
@@ -31,14 +32,14 @@ module Secvault
           end
         end
       end
-      
+
       # Manual setup method for Rails 7.1 (opt-in)
       def setup_for_rails_71!(app)
         secrets_path = app.root.join("config/secrets.yml")
 
         if secrets_path.exist?
           app.config.before_configuration do
-            current_env = ENV['RAILS_ENV'] || Rails.env || 'development'
+            current_env = ENV["RAILS_ENV"] || Rails.env || "development"
             setup_secrets_immediately(app, secrets_path, current_env)
           end
         end
@@ -60,7 +61,7 @@ module Secvault
               end
             end
           end
-          
+
           # If secrets accessor already exists, merge the secrets
           if Rails.application.respond_to?(:secrets) && Rails.application.secrets.respond_to?(:merge!)
             Rails.application.secrets.merge!(secrets)
@@ -71,27 +72,23 @@ module Secvault
       # Classic Rails::Secrets.parse implementation
       # Parses plain YAML secrets files and merges shared + environment-specific sections
       def parse(paths, env:)
-        paths.each_with_object(Hash.new) do |path, all_secrets|
+        paths.each_with_object({}) do |path, all_secrets|
           # Handle string paths by converting to Pathname
           path = Pathname.new(path) unless path.respond_to?(:exist?)
           next unless path.exist?
-          
+
           # Read and process the plain YAML file content
           source = path.read
-          
+
           # Process ERB and parse YAML
           erb_result = ERB.new(source).result
-          secrets = if YAML.respond_to?(:unsafe_load)
-            YAML.unsafe_load(erb_result)
-          else
-            YAML.load(erb_result)
-          end
-          
+          secrets = YAML.safe_load(erb_result, aliases: true, permitted_classes: [])
+
           secrets ||= {}
-          
-          # Merge shared secrets first, then environment-specific
-          all_secrets.merge!(secrets["shared"].deep_symbolize_keys) if secrets["shared"]
-          all_secrets.merge!(secrets[env].deep_symbolize_keys) if secrets[env]
+
+          # Merge shared secrets first, then environment-specific (using deep merge)
+          all_secrets.deep_merge!(secrets["shared"].deep_symbolize_keys) if secrets["shared"]
+          all_secrets.deep_merge!(secrets[env].deep_symbolize_keys) if secrets[env]
         end
       end
 
@@ -99,7 +96,7 @@ module Secvault
         if secrets_path.exist?
           # Handle plain YAML secrets.yml only
           all_secrets = YAML.safe_load(ERB.new(secrets_path.read).result, aliases: true)
-          
+
           env_secrets = all_secrets[env.to_s]
           return env_secrets.deep_symbolize_keys if env_secrets
         end
@@ -108,10 +105,10 @@ module Secvault
       end
 
       private
-      
+
       def rails_7_2_or_later?
         rails_version = Rails.version
-        major, minor = rails_version.split('.').map(&:to_i)
+        major, minor = rails_version.split(".").map(&:to_i)
         major > 7 || (major == 7 && minor >= 2)
       end
     end

data/lib/secvault/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Secvault
-  VERSION = "2.5.0"
+  VERSION = "2.7.0"
 end

data/lib/secvault.rb

@@ -12,9 +12,9 @@ loader = Zeitwerk::Loader.for_gem
 loader.setup
 
 # Secvault - Simple secrets management for Rails
-# 
-# Secvault restores the classic Rails secrets.yml functionality that was removed 
-# in Rails 7.2, using simple, plain YAML files for environment-specific secrets 
+#
+# Secvault restores the classic Rails secrets.yml functionality that was removed
+# in Rails 7.2, using simple, plain YAML files for environment-specific secrets
 # management.
 #
 # ## Rails Version Support:
@@ -58,8 +58,21 @@ module Secvault
 
   extend self
 
-  # Check if Secvault is currently active in the Rails application
+  # Internal storage for loaded secrets
+  @@loaded_secrets = nil
+
+  # Access to loaded secrets without Rails integration
+  def secrets
+    @@loaded_secrets || ActiveSupport::OrderedOptions.new
+  end
+
+  # Check if Secvault is currently active (started)
   def active?
+    @@loaded_secrets != nil
+  end
+
+  # Check if Secvault is integrated with Rails.application.secrets
+  def rails_integrated?
     defined?(Rails) && Rails::Secrets == Secvault::RailsSecrets
   end
 
@@ -69,7 +82,7 @@ module Secvault
     require "secvault/railtie"
     require "secvault/rails_secrets"
   end
-  
+
   # Helper method to set up Secvault for older Rails versions
   # This provides an easy way to integrate Secvault into older Rails apps
   # that still have native Rails::Secrets functionality (like Rails 7.1).
@@ -87,24 +100,24 @@ module Secvault
       Rails.send(:remove_const, :Secrets)
     end
     Rails.const_set(:Secrets, Secvault::RailsSecrets)
-    
+
     # Set up Rails.application.secrets replacement
     Rails.application.config.after_initialize do
       secrets_path = Rails.root.join("config/secrets.yml")
-      
+
       if secrets_path.exist?
         # Load secrets using Secvault
         loaded_secrets = Rails::Secrets.parse([secrets_path], env: Rails.env)
-        
+
         # Create ActiveSupport::OrderedOptions object for compatibility
         secrets_object = ActiveSupport::OrderedOptions.new
         secrets_object.merge!(loaded_secrets)
-        
+
         # Replace Rails.application.secrets
         Rails.application.define_singleton_method(:secrets) do
           secrets_object
         end
-        
+
         # Log integration success (except in production)
         unless Rails.env.production?
           Rails.logger&.info "[Secvault] Rails 7.1 integration complete. Loaded #{loaded_secrets.keys.size} secret keys."
@@ -114,14 +127,14 @@ module Secvault
       end
     end
   end
-  
+
   # Set up multi-file secrets loading with a clean API
   # Just pass an array of file paths and Secvault handles the rest
   #
   # Usage in an initializer:
   #   Secvault.setup_multi_file!([
   #     'config/secrets.yml',
-  #     'config/secrets.oauth.yml', 
+  #     'config/secrets.oauth.yml',
   #     'config/secrets.local.yml'
   #   ])
   #
@@ -132,52 +145,84 @@ module Secvault
   def setup_multi_file!(files, reload_method: Rails.env.development?, logger: !Rails.env.production?)
     # Ensure Secvault integration is active
     setup_backward_compatibility_with_older_rails! unless active?
-    
+
     # Convert strings to Pathname objects and resolve relative to Rails.root
     file_paths = Array(files).map do |file|
       file.is_a?(Pathname) ? file : Rails.root.join(file)
     end
-    
+
     # Set up the multi-file loading
     Rails.application.config.after_initialize do
       load_multi_file_secrets!(file_paths, logger: logger)
     end
-    
+
     # Add reload helper in development
     if reload_method
       add_reload_helper!(file_paths)
     end
   end
-  
-  # Load secrets from multiple files and merge them
+
+  # Load secrets into Secvault.secrets only (no Rails integration)
+  def load_secrets_only!(files, logger: !Rails.env.production?)
+    # Convert strings to Pathname objects and resolve relative to Rails.root
+    file_paths = Array(files).map do |file|
+      file.is_a?(Pathname) ? file : Rails.root.join(file)
+    end
+
+    existing_files = file_paths.select(&:exist?)
+
+    if existing_files.any?
+      # Load and merge all secrets files using Secvault's parser directly
+      merged_secrets = Secvault::Secrets.parse(existing_files, env: Rails.env)
+
+      # Store in Secvault.secrets (ActiveSupport::OrderedOptions for compatibility)
+      @@loaded_secrets = ActiveSupport::OrderedOptions.new
+      @@loaded_secrets.merge!(merged_secrets)
+
+      # Log successful loading
+      if logger
+        file_names = existing_files.map(&:basename)
+        Rails.logger&.info "[Secvault] Loaded #{existing_files.size} files: #{file_names.join(", ")}"
+        Rails.logger&.info "[Secvault] Parsed #{merged_secrets.keys.size} secret keys for #{Rails.env}"
+      end
+
+      true
+    else
+      Rails.logger&.warn "[Secvault] No secrets files found" if logger
+      @@loaded_secrets = ActiveSupport::OrderedOptions.new
+      false
+    end
+  end
+
+  # Load secrets from multiple files and merge them (with Rails integration)
   def load_multi_file_secrets!(file_paths, logger: !Rails.env.production?)
     existing_files = file_paths.select(&:exist?)
-    
+
     if existing_files.any?
       # Load and merge all secrets files
       merged_secrets = Rails::Secrets.parse(existing_files, env: Rails.env)
-      
+
       # Create ActiveSupport::OrderedOptions object for Rails compatibility
       secrets_object = ActiveSupport::OrderedOptions.new
       secrets_object.merge!(merged_secrets)
-      
+
       # Replace Rails.application.secrets
       Rails.application.define_singleton_method(:secrets) { secrets_object }
-      
+
       # Log successful loading
       if logger
         file_names = existing_files.map(&:basename)
-        Rails.logger&.info "[Secvault Multi-File] Loaded #{existing_files.size} files: #{file_names.join(', ')}"
+        Rails.logger&.info "[Secvault Multi-File] Loaded #{existing_files.size} files: #{file_names.join(", ")}"
         Rails.logger&.info "[Secvault Multi-File] Merged #{merged_secrets.keys.size} secret keys for #{Rails.env}"
       end
-      
+
       merged_secrets
     else
       Rails.logger&.warn "[Secvault Multi-File] No secrets files found" if logger
       {}
     end
   end
-  
+
   # Add reload helper method for development
   def add_reload_helper!(file_paths)
     # Define reload method on Rails.application
@@ -186,13 +231,66 @@ module Secvault
       puts "🔄 Reloaded secrets from #{file_paths.size} files"
       true
     end
-    
+
     # Also make it available as a top-level method
     Object.define_method(:reload_secrets!) do
       Rails.application.reload_secrets!
     end
   end
-  
+
+  # Start Secvault and load secrets (without Rails integration)
+  #
+  # Usage:
+  #   Secvault.start!                                    # Uses config/secrets.yml only
+  #   Secvault.start!(files: [])                        # Same as above
+  #   Secvault.start!(files: ['path/to/secrets.yml'])   # Custom single file
+  #   Secvault.start!(files: ['gem.yml', 'app.yml'])    # Multiple files
+  #
+  # Access loaded secrets via: Secvault.secrets.your_key
+  # To integrate with Rails.application.secrets, call: Secvault.integrate_with_rails!
+  #
+  # Options:
+  #   - files: Array of file paths (String or Pathname). Defaults to ['config/secrets.yml']
+  #   - logger: Enable logging (default: true except production)
+  def start!(files: [], logger: !Rails.env.production?)
+    # Default to host app's config/secrets.yml if no files specified
+    files_to_load = files.empty? ? ["config/secrets.yml"] : files
+
+    # Load secrets into Secvault.secrets (completely independent of Rails)
+    load_secrets_only!(files_to_load, logger: logger)
+
+    true
+  rescue => e
+    Rails.logger&.error "[Secvault] Failed to start: #{e.message}" if defined?(Rails)
+    false
+  end
+
+  # Integrate loaded secrets with Rails.application.secrets
+  def integrate_with_rails!
+    return false unless @@loaded_secrets
+
+    begin
+      # Set up Rails::Secrets to use Secvault's parser (only when integrating)
+      unless rails_integrated?
+        if defined?(Rails::Secrets)
+          Rails.send(:remove_const, :Secrets)
+        end
+        Rails.const_set(:Secrets, Secvault::RailsSecrets)
+      end
+
+      # Replace Rails.application.secrets with Secvault's loaded secrets
+      Rails.application.define_singleton_method(:secrets) do
+        Secvault.secrets
+      end
+
+      Rails.logger&.info "[Secvault] Integrated with Rails.application.secrets" unless Rails.env.production?
+      true
+    rescue => e
+      Rails.logger&.error "[Secvault] Failed to integrate with Rails: #{e.message}" if defined?(Rails)
+      false
+    end
+  end
+
   # Backward compatibility aliases
   alias_method :setup_rails_71_integration!, :setup_backward_compatibility_with_older_rails!
   alias_method :setup_multi_files!, :setup_multi_file!  # Alternative name

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secvault
 version: !ruby/object:Gem::Version
-  version: 2.5.0
+  version: 2.7.0
 platform: ruby
 authors:
 - Unnikrishnan KP
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-09-22 00:00:00.000000000 Z
+date: 2025-09-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -49,20 +49,14 @@ extra_rdoc_files: []
 files:
 - ".rspec"
 - ".standard.yml"
-- CHANGELOG.md
-- CODE_OF_CONDUCT.md
 - LICENSE.txt
 - README.md
 - Rakefile
 - lib/secvault.rb
-- lib/secvault/generators/secrets_generator.rb
 - lib/secvault/rails_secrets.rb
 - lib/secvault/railtie.rb
 - lib/secvault/secrets.rb
-- lib/secvault/secrets_helper.rb
 - lib/secvault/version.rb
-- secvault-2.0.0.gem
-- sig/secvault.rbs
 homepage: https://github.com/unnitallman/secvault
 licenses:
 - MIT

data/CHANGELOG.md

@@ -1,185 +0,0 @@
-## [Unreleased]
-
-## [2.3.0] - 2025-09-22
-
-### Changed
-
-- **Better method naming**: Renamed `setup_rails_71_integration!` to `setup_backward_compatibility_with_older_rails!`
-- **More generic approach**: New method name works for any older Rails version, not just 7.1
-- **Updated documentation**: README now uses "Older Rails Integration" instead of "Rails 7.1 Integration"
-- **Clearer version support**: Documentation now shows "Rails 7.1 and older" for better clarity
-
-### Backward Compatibility
-
-- ✅ **Old method name still works**: `setup_rails_71_integration!` is aliased to the new method
-- ✅ **No breaking changes**: All existing code continues to work
-- ✅ **Updated test apps**: Rails 7.1 test app uses the new, cleaner method name
-
-### Benefits
-
-- **Future-proof naming**: Works for Rails 7.1, 7.0, 6.x, or any version with native secrets
-- **Clearer intent**: Method name clearly indicates it's for backward compatibility
-- **Better documentation**: More generic approach in README and code comments
-- **Maintained compatibility**: Existing users don't need to change anything
-
-## [2.2.0] - 2025-09-22
-
-### Added
-
-- **New simplified API**: `Rails::Secrets.load()` - cleaner method to load default config/secrets.yml
-- **Enhanced README** with comprehensive examples for multiple files usage
-- **Better documentation** showing how to parse custom files and multiple file merging
-- **Backward compatibility aliases** - `parse_default` and `read` still work
-
-### Changed
-
-- **Improved method naming**: `Rails::Secrets.load()` is now the preferred method over `parse_default()`
-- **Enhanced documentation** in code with clear examples for single file, multiple files, and custom paths
-- **Better README examples** showing advanced usage patterns
-
-### Examples Added
-
-- Multiple secrets files merging: `Rails::Secrets.parse(['secrets.yml', 'secrets.local.yml'], env: Rails.env)`
-- Environment-specific loading: `Rails::Secrets.load(env: 'production')`
-- Custom file parsing: `Rails::Secrets.parse(['config/custom.yml'], env: Rails.env)`
-- Multiple path support: `Rails::Secrets.parse([Rails.root.join('config', 'secrets.yml')], env: Rails.env)`
-
-### Backward Compatibility
-
-- ✅ All existing methods still work
-- ✅ `parse_default` → `load` (alias maintained)
-- ✅ `read` → `load` (alias maintained)
-- ✅ No breaking changes
-
-## [2.1.0] - 2025-09-22
-
-### Removed
-
-- **Removed all rake tasks** - Ultimate simplicity! No more `rake secvault:setup`, `rake secvault:edit`, or `rake secvault:show`
-- Removed `lib/secvault/tasks.rake` file entirely
-- Removed rake task loading from railtie
-
-### Changed
-
-- **Ultra-simple setup**: Just create `config/secrets.yml` with any text editor
-- Updated README to reflect manual file creation instead of rake tasks
-- Updated module documentation to show simple 3-step process
-- Cleaner railtie without task loading complexity
-
-### Benefits
-
-- **Zero dependencies on rake tasks** - works with just plain YAML files
-- **Even simpler** - no commands to remember, just edit YAML files
-- **More intuitive** - developers already know how to create and edit YAML files
-- **Less code** - removed unnecessary complexity
-
-### Tested
-
-- ✅ Rails 7.1 integration works perfectly
-- ✅ Rails 8.0 automatic setup works perfectly
-- ✅ No rake task conflicts or errors
-
-## [2.0.0] - 2025-09-22
-
-### BREAKING CHANGES
-
-- **Removed all encryption functionality** - Secvault now focuses purely on plain YAML secrets management
-- Removed ActiveSupport::EncryptedFile dependencies
-- Removed MissingKeyError and InvalidKeyError exceptions
-- Removed `encrypted?`, `decrypt`, `decrypt_secrets` methods
-- Simplified rake tasks to work with plain YAML only
-
-### Added
-
-- Simplified `rake secvault:setup` that creates plain YAML files with helpful comments
-- Better error messages and user guidance in rake tasks
-- Cleaner, more focused codebase without encryption complexity
-
-### Changed
-
-- **Major simplification**: All secrets are now stored in plain YAML files
-- Updated README to reflect plain YAML approach
-- Updated module documentation and gemspec descriptions
-- Rake tasks now use emojis and better user experience
-- Production secrets should use ERB syntax with environment variables
-
-### Benefits
-
-- Much simpler gem with single focus: plain YAML secrets management
-- No encryption keys to manage or lose
-- Easy to understand, edit, and debug secrets files
-- Perfect for development and test environments
-- Production secrets via environment variables (recommended best practice)
-
-## [1.0.4] - 2025-09-22
-
-### Added
-
-- Comprehensive Rails 7.1 integration support
-- New `Secvault.setup_rails_71_integration!` helper method for easy Rails 7.1 setup
-- Enhanced documentation with Rails 7.1 integration guide
-- Module-level documentation with usage examples and version compatibility
-
-### Improved
-
-- Better Rails 7.1 compatibility with automatic detection and setup
-- Enhanced README with Rails 7.1 integration section
-- Improved error handling and logging for Rails 7.1 integration
-- More comprehensive inline documentation
-
-### Changed
-
-- Refined automatic setup logic to avoid conflicts with Rails 7.1 native functionality
-- Updated gemspec description to include Rails 7.1+ support
-
-## [1.0.3] - 2025-09-22
-
-### Fixed
-
-- Rails 7.1 compatibility issues with native Rails::Secrets conflicts
-- String path handling in parse method
-- Zeitwerk constant name mismatch resolution
-
-### Added
-
-- Manual setup method for Rails 7.1 (opt-in)
-- Rails version detection for automatic setup decisions
-- Only create Rails::Secrets alias for Rails 7.2+ to avoid conflicts
-
-## [1.0.2] - 2025-09-22
-
-### Changed
-
-- Updated Rails dependency from >= 7.2.0 to >= 7.1.0 for broader compatibility
-- Updated gem description to include Rails 7.1+ support
-
-## [1.0.1] - 2025-09-22
-
-### Fixed
-
-- Zeitwerk constant name mismatch in rails_secrets.rb
-- Changed module definition from Rails::Secrets to Secvault::RailsSecrets
-- Added Rails::Secrets alias for backward compatibility
-- Resolved Zeitwerk::NameError when loading Rails applications
-
-## [1.0.0] - 2025-09-22
-
-### Added
-
-- Initial release of Secvault gem
-- Rails secrets.yml functionality for Rails 7.2+
-- Encrypted secrets.yml support using Rails' built-in encryption
-- Environment-specific secrets management
-- ERB template support in secrets files
-- Rake tasks for secrets management:
-  - `rake secvault:setup` - Create encrypted secrets file
-  - `rake secvault:edit` - Edit encrypted secrets
-  - `rake secvault:show` - Display decrypted secrets
-- Rails generator for creating secrets files
-- Automatic integration with Rails.application.secrets
-- Support for both encrypted and plain YAML secrets files
-- Key management with config/secrets.yml.key
-- Environment variable fallback for encryption key
-- Comprehensive error handling for missing/invalid keys
-- Full test coverage with RSpec
-- Detailed documentation and usage examples

data/CODE_OF_CONDUCT.md

@@ -1,132 +0,0 @@
-# Contributor Covenant Code of Conduct
-
-## Our Pledge
-
-We as members, contributors, and leaders pledge to make participation in our
-community a harassment-free experience for everyone, regardless of age, body
-size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socio-economic status,
-nationality, personal appearance, race, caste, color, religion, or sexual
-identity and orientation.
-
-We pledge to act and interact in ways that contribute to an open, welcoming,
-diverse, inclusive, and healthy community.
-
-## Our Standards
-
-Examples of behavior that contributes to a positive environment for our
-community include:
-
-* Demonstrating empathy and kindness toward other people
-* Being respectful of differing opinions, viewpoints, and experiences
-* Giving and gracefully accepting constructive feedback
-* Accepting responsibility and apologizing to those affected by our mistakes,
-  and learning from the experience
-* Focusing on what is best not just for us as individuals, but for the overall
-  community
-
-Examples of unacceptable behavior include:
-
-* The use of sexualized language or imagery, and sexual attention or advances of
-  any kind
-* Trolling, insulting or derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or email address,
-  without their explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-  professional setting
-
-## Enforcement Responsibilities
-
-Community leaders are responsible for clarifying and enforcing our standards of
-acceptable behavior and will take appropriate and fair corrective action in
-response to any behavior that they deem inappropriate, threatening, offensive,
-or harmful.
-
-Community leaders have the right and responsibility to remove, edit, or reject
-comments, commits, code, wiki edits, issues, and other contributions that are
-not aligned to this Code of Conduct, and will communicate reasons for moderation
-decisions when appropriate.
-
-## Scope
-
-This Code of Conduct applies within all community spaces, and also applies when
-an individual is officially representing the community in public spaces.
-Examples of representing our community include using an official email address,
-posting via an official social media account, or acting as an appointed
-representative at an online or offline event.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported to the community leaders responsible for enforcement at
-[INSERT CONTACT METHOD].
-All complaints will be reviewed and investigated promptly and fairly.
-
-All community leaders are obligated to respect the privacy and security of the
-reporter of any incident.
-
-## Enforcement Guidelines
-
-Community leaders will follow these Community Impact Guidelines in determining
-the consequences for any action they deem in violation of this Code of Conduct:
-
-### 1. Correction
-
-**Community Impact**: Use of inappropriate language or other behavior deemed
-unprofessional or unwelcome in the community.
-
-**Consequence**: A private, written warning from community leaders, providing
-clarity around the nature of the violation and an explanation of why the
-behavior was inappropriate. A public apology may be requested.
-
-### 2. Warning
-
-**Community Impact**: A violation through a single incident or series of
-actions.
-
-**Consequence**: A warning with consequences for continued behavior. No
-interaction with the people involved, including unsolicited interaction with
-those enforcing the Code of Conduct, for a specified period of time. This
-includes avoiding interactions in community spaces as well as external channels
-like social media. Violating these terms may lead to a temporary or permanent
-ban.
-
-### 3. Temporary Ban
-
-**Community Impact**: A serious violation of community standards, including
-sustained inappropriate behavior.
-
-**Consequence**: A temporary ban from any sort of interaction or public
-communication with the community for a specified period of time. No public or
-private interaction with the people involved, including unsolicited interaction
-with those enforcing the Code of Conduct, is allowed during this period.
-Violating these terms may lead to a permanent ban.
-
-### 4. Permanent Ban
-
-**Community Impact**: Demonstrating a pattern of violation of community
-standards, including sustained inappropriate behavior, harassment of an
-individual, or aggression toward or disparagement of classes of individuals.
-
-**Consequence**: A permanent ban from any sort of public interaction within the
-community.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage],
-version 2.1, available at
-[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
-
-Community Impact Guidelines were inspired by
-[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
-
-For answers to common questions about this code of conduct, see the FAQ at
-[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
-[https://www.contributor-covenant.org/translations][translations].
-
-[homepage]: https://www.contributor-covenant.org
-[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
-[Mozilla CoC]: https://github.com/mozilla/diversity
-[FAQ]: https://www.contributor-covenant.org/faq
-[translations]: https://www.contributor-covenant.org/translations

data/lib/secvault/generators/secrets_generator.rb

@@ -1,100 +0,0 @@
-# frozen_string_literal: true
-
-require "rails/generators/base"
-require "active_support/encrypted_file"
-require "securerandom"
-
-module Secvault
-  module Generators
-    class SecretsGenerator < Rails::Generators::Base
-      source_root File.expand_path("templates", __dir__)
-
-      desc "Creates a secrets.yml file for secrets management"
-
-      class_option :force, type: :boolean, default: false, desc: "Overwrite existing secrets.yml"
-      class_option :encrypted, type: :boolean, default: false, desc: "Create encrypted secrets.yml (default: plain YAML)"
-
-      def create_secrets_file
-        secrets_path = Rails.root.join("config/secrets.yml")
-        key_path = Rails.root.join("config/secrets.yml.key")
-
-        if secrets_path.exist? && !options[:force]
-          say "Secrets file already exists at config/secrets.yml", :yellow
-          return
-        end
-
-        default_content = generate_default_secrets
-
-        if options[:encrypted]
-          # Create encrypted secrets file
-          unless key_path.exist?
-            key = ActiveSupport::EncryptedFile.generate_key
-            File.write(key_path, key)
-            say "Generated encryption key in config/secrets.yml.key", :green
-          end
-
-          encrypted_file = ActiveSupport::EncryptedFile.new(
-            content_path: secrets_path,
-            key_path: key_path,
-            env_key: "RAILS_SECRETS_KEY",
-            raise_if_missing_key: true
-          )
-
-          encrypted_file.write(default_content)
-          say "Created encrypted secrets.yml file", :green
-          say "Add config/secrets.yml.key to your .gitignore file", :yellow
-        else
-          # Create plain YAML secrets file
-          File.write(secrets_path, default_content)
-          say "Created plain secrets.yml file", :green
-          say "Remember to add config/secrets.yml to your .gitignore if it contains sensitive data", :yellow
-        end
-      end
-
-      def add_to_gitignore
-        gitignore_path = Rails.root.join(".gitignore")
-        key_entry = "/config/secrets.yml.key"
-
-        if gitignore_path.exist?
-          gitignore_content = File.read(gitignore_path)
-          unless gitignore_content.include?(key_entry)
-            File.open(gitignore_path, "a") do |f|
-              f.puts "\n# Ignore encrypted secrets key"
-              f.puts key_entry
-            end
-            say "Added secrets key to .gitignore", :green
-          end
-        end
-      end
-
-      private
-
-      def generate_default_secrets
-        <<~YAML
-          # Be sure to restart your server when you modify this file.
-          
-          # Your secret key is used for verifying the integrity of signed cookies.
-          # If you change this key, all old signed cookies will become invalid!
-          
-          # Make sure the secret is at least 30 characters and all random,
-          # no regular words or you'll be exposed to dictionary attacks.
-          # You can use `rails secret` to generate a secure secret key.
-          
-          # Make sure the secrets in this file are kept private
-          # if you're sharing your code publicly.
-          
-          development:
-            secret_key_base: #{SecureRandom.hex(64)}
-          
-          test:
-            secret_key_base: #{SecureRandom.hex(64)}
-          
-          # Do not keep production secrets in the repository,
-          # instead read values from the environment.
-          production:
-            secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
-        YAML
-      end
-    end
-  end
-end

data/lib/secvault/secrets_helper.rb

@@ -1,44 +0,0 @@
-# frozen_string_literal: true
-
-module Secvault
-  class SecretsHelper
-    def initialize(app)
-      @app = app
-      @secrets_path = app.root.join("config/secrets.yml")
-      @key_path = app.root.join("config/secrets.yml.key")
-    end
-
-    def secrets
-      @secrets ||= load_secrets
-    end
-
-    def [](key)
-      secrets[key.to_sym]
-    end
-
-    def fetch(key, default = nil)
-      secrets.fetch(key.to_sym, default)
-    end
-
-    def key?(key)
-      secrets.key?(key.to_sym)
-    end
-
-    def empty?
-      secrets.empty?
-    end
-
-    def to_h
-      secrets.dup
-    end
-
-    private
-
-    def load_secrets
-      return {} unless @secrets_path.exist?
-
-      env_secrets = Secvault::Secrets.read_secrets(@secrets_path, @key_path, Rails.env)
-      env_secrets || {}
-    end
-  end
-end

data/sig/secvault.rbs

@@ -1,4 +0,0 @@
-module Secvault
-  VERSION: String
-  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
-end