secvault 2.6.0 → 2.7.1

data/lib/secvault.rb

@@ -12,34 +12,21 @@ loader = Zeitwerk::Loader.for_gem
 loader.setup
 
 # Secvault - Simple secrets management for Rails
-# 
-# Secvault restores the classic Rails secrets.yml functionality that was removed 
-# in Rails 7.2, using simple, plain YAML files for environment-specific secrets 
-# management.
+#
+# Secvault restores the classic Rails secrets.yml functionality using simple,
+# plain YAML files for environment-specific secrets management. Works consistently
+# across all Rails versions with automatic deprecation warning suppression.
 #
 # ## Rails Version Support:
-# - Rails 7.1: Requires manual setup (see Rails 7.1 integration guide)
-# - Rails 7.2+: Automatic setup, drop-in replacement for removed functionality
+# - Rails 7.1+: Full compatibility with automatic setup
+# - Rails 7.2+: Drop-in replacement for removed functionality
 # - Rails 8.0+: Full compatibility
 #
-# ## Rails 7.1 Integration:
-# For Rails 7.1 apps, add this initializer to override native Rails::Secrets:
+# ## Quick Start:
+# Add this to an initializer:
 #
 #   # config/initializers/secvault.rb
-#   module Rails
-#     remove_const(:Secrets) if defined?(Secrets)
-#     Secrets = Secvault::RailsSecrets
-#   end
-#
-#   Rails.application.config.after_initialize do
-#     secrets_path = Rails.root.join("config/secrets.yml")
-#     if secrets_path.exist?
-#       loaded_secrets = Rails::Secrets.parse([secrets_path], env: Rails.env)
-#       secrets_object = ActiveSupport::OrderedOptions.new
-#       secrets_object.merge!(loaded_secrets)
-#       Rails.application.define_singleton_method(:secrets) { secrets_object }
-#     end
-#   end
+#   Secvault.setup!
 #
 # ## Usage:
 #   Rails.application.secrets.api_key
@@ -57,7 +44,7 @@ module Secvault
   class Error < StandardError; end
 
   extend self
-  
+
   # Internal storage for loaded secrets
   @@loaded_secrets = nil
 
@@ -65,12 +52,12 @@ module Secvault
   def secrets
     @@loaded_secrets || ActiveSupport::OrderedOptions.new
   end
-  
+
   # Check if Secvault is currently active (started)
   def active?
     @@loaded_secrets != nil
   end
-  
+
   # Check if Secvault is integrated with Rails.application.secrets
   def rails_integrated?
     defined?(Rails) && Rails::Secrets == Secvault::RailsSecrets
@@ -82,59 +69,71 @@ module Secvault
     require "secvault/railtie"
     require "secvault/rails_secrets"
   end
-  
-  # Helper method to set up Secvault for older Rails versions
-  # This provides an easy way to integrate Secvault into older Rails apps
-  # that still have native Rails::Secrets functionality (like Rails 7.1).
+
+  # Set up Secvault for all Rails versions
+  # This provides a universal way to integrate Secvault into Rails apps
+  # with consistent behavior across all Rails versions.
   #
   # Usage in an initializer:
-  #   Secvault.setup_backward_compatibility_with_older_rails!
+  #   Secvault.setup!
+  #   Secvault.setup!(suppress_warnings: false)
   #
   # This will:
-  # 1. Override native Rails::Secrets with Secvault implementation
+  # 1. Set up Rails::Secrets with Secvault implementation
   # 2. Replace Rails.application.secrets with Secvault-powered functionality
   # 3. Load secrets from config/secrets.yml automatically
-  def setup_backward_compatibility_with_older_rails!
+  # 4. Suppress Rails deprecation warnings about secrets (default: true)
+  # 5. Set Rails.application.config.secret_key_base from secrets (default: true)
+  def setup!(suppress_warnings: true, set_secret_key_base: true)
     # Override native Rails::Secrets
-    if defined?(Rails::Secrets)
-      Rails.send(:remove_const, :Secrets)
-    end
+    Rails.send(:remove_const, :Secrets) if defined?(Rails::Secrets)
     Rails.const_set(:Secrets, Secvault::RailsSecrets)
-    
+
     # Set up Rails.application.secrets replacement
     Rails.application.config.after_initialize do
+      # Suppress Rails deprecation warnings about secrets if requested
+      suppress_secrets_deprecation_warning! if suppress_warnings
+
       secrets_path = Rails.root.join("config/secrets.yml")
-      
+
       if secrets_path.exist?
         # Load secrets using Secvault
         loaded_secrets = Rails::Secrets.parse([secrets_path], env: Rails.env)
-        
+
         # Create ActiveSupport::OrderedOptions object for compatibility
         secrets_object = ActiveSupport::OrderedOptions.new
         secrets_object.merge!(loaded_secrets)
-        
+
         # Replace Rails.application.secrets
         Rails.application.define_singleton_method(:secrets) do
           secrets_object
         end
-        
+
+        # Set secret_key_base in Rails config to avoid accessing it from secrets
+        if set_secret_key_base && loaded_secrets.key?("secret_key_base")
+          Rails.application.config.secret_key_base = loaded_secrets["secret_key_base"]
+          unless Rails.env.production?
+            Rails.logger&.info "[Secvault] Set Rails.application.config.secret_key_base from secrets.yml"
+          end
+        end
+
         # Log integration success (except in production)
         unless Rails.env.production?
-          Rails.logger&.info "[Secvault] Rails 7.1 integration complete. Loaded #{loaded_secrets.keys.size} secret keys."
+          Rails.logger&.info "[Secvault] Integration complete. Loaded #{loaded_secrets.keys.size} secret keys."
         end
       else
         Rails.logger&.warn "[Secvault] No secrets.yml file found at #{secrets_path}"
       end
     end
   end
-  
+
   # Set up multi-file secrets loading with a clean API
   # Just pass an array of file paths and Secvault handles the rest
   #
   # Usage in an initializer:
   #   Secvault.setup_multi_file!([
   #     'config/secrets.yml',
-  #     'config/secrets.oauth.yml', 
+  #     'config/secrets.oauth.yml',
   #     'config/secrets.local.yml'
   #   ])
   #
@@ -142,50 +141,54 @@ module Secvault
   #   - files: Array of file paths (String or Pathname)
   #   - reload_method: Add a reload helper method (default: true in development)
   #   - logger: Enable/disable logging (default: true except in production)
-  def setup_multi_file!(files, reload_method: Rails.env.development?, logger: !Rails.env.production?)
+  #   - suppress_warnings: Suppress Rails deprecation warnings about secrets (default: true)
+  #   - set_secret_key_base: Set Rails.application.config.secret_key_base from secrets (default: true)
+  def setup_multi_file!(files, reload_method: Rails.env.development?, logger: !Rails.env.production?,
+    suppress_warnings: true, set_secret_key_base: true)
     # Ensure Secvault integration is active
-    setup_backward_compatibility_with_older_rails! unless active?
-    
+    setup!(suppress_warnings: suppress_warnings, set_secret_key_base: set_secret_key_base) unless active?
+
     # Convert strings to Pathname objects and resolve relative to Rails.root
     file_paths = Array(files).map do |file|
       file.is_a?(Pathname) ? file : Rails.root.join(file)
     end
-    
+
     # Set up the multi-file loading
     Rails.application.config.after_initialize do
-      load_multi_file_secrets!(file_paths, logger: logger)
+      load_multi_file_secrets!(file_paths, logger: logger, suppress_warnings: suppress_warnings,
+        set_secret_key_base: set_secret_key_base)
     end
-    
+
     # Add reload helper in development
-    if reload_method
-      add_reload_helper!(file_paths)
-    end
+    return unless reload_method
+
+    add_reload_helper!(file_paths)
   end
-  
+
   # Load secrets into Secvault.secrets only (no Rails integration)
   def load_secrets_only!(files, logger: !Rails.env.production?)
     # Convert strings to Pathname objects and resolve relative to Rails.root
     file_paths = Array(files).map do |file|
       file.is_a?(Pathname) ? file : Rails.root.join(file)
     end
-    
+
     existing_files = file_paths.select(&:exist?)
-    
+
     if existing_files.any?
       # Load and merge all secrets files using Secvault's parser directly
       merged_secrets = Secvault::Secrets.parse(existing_files, env: Rails.env)
-      
+
       # Store in Secvault.secrets (ActiveSupport::OrderedOptions for compatibility)
       @@loaded_secrets = ActiveSupport::OrderedOptions.new
       @@loaded_secrets.merge!(merged_secrets)
-      
+
       # Log successful loading
       if logger
         file_names = existing_files.map(&:basename)
-        Rails.logger&.info "[Secvault] Loaded #{existing_files.size} files: #{file_names.join(', ')}"
+        Rails.logger&.info "[Secvault] Loaded #{existing_files.size} files: #{file_names.join(", ")}"
         Rails.logger&.info "[Secvault] Parsed #{merged_secrets.keys.size} secret keys for #{Rails.env}"
       end
-      
+
       true
     else
       Rails.logger&.warn "[Secvault] No secrets files found" if logger
@@ -193,36 +196,46 @@ module Secvault
       false
     end
   end
-  
+
   # Load secrets from multiple files and merge them (with Rails integration)
-  def load_multi_file_secrets!(file_paths, logger: !Rails.env.production?)
+  def load_multi_file_secrets!(file_paths, logger: !Rails.env.production?, suppress_warnings: true,
+    set_secret_key_base: true)
     existing_files = file_paths.select(&:exist?)
-    
+
     if existing_files.any?
+      # Suppress Rails deprecation warnings about secrets if requested
+      suppress_secrets_deprecation_warning! if suppress_warnings
+
       # Load and merge all secrets files
       merged_secrets = Rails::Secrets.parse(existing_files, env: Rails.env)
-      
+
       # Create ActiveSupport::OrderedOptions object for Rails compatibility
       secrets_object = ActiveSupport::OrderedOptions.new
       secrets_object.merge!(merged_secrets)
-      
+
       # Replace Rails.application.secrets
       Rails.application.define_singleton_method(:secrets) { secrets_object }
-      
+
+      # Set secret_key_base in Rails config to avoid accessing it from secrets
+      if set_secret_key_base && merged_secrets.key?("secret_key_base")
+        Rails.application.config.secret_key_base = merged_secrets["secret_key_base"]
+        Rails.logger&.info "[Secvault Multi-File] Set Rails.application.config.secret_key_base from secrets" if logger
+      end
+
       # Log successful loading
       if logger
         file_names = existing_files.map(&:basename)
-        Rails.logger&.info "[Secvault Multi-File] Loaded #{existing_files.size} files: #{file_names.join(', ')}"
+        Rails.logger&.info "[Secvault Multi-File] Loaded #{existing_files.size} files: #{file_names.join(", ")}"
         Rails.logger&.info "[Secvault Multi-File] Merged #{merged_secrets.keys.size} secret keys for #{Rails.env}"
       end
-      
+
       merged_secrets
     else
       Rails.logger&.warn "[Secvault Multi-File] No secrets files found" if logger
       {}
     end
   end
-  
+
   # Add reload helper method for development
   def add_reload_helper!(file_paths)
     # Define reload method on Rails.application
@@ -231,15 +244,15 @@ module Secvault
       puts "🔄 Reloaded secrets from #{file_paths.size} files"
       true
     end
-    
+
     # Also make it available as a top-level method
     Object.define_method(:reload_secrets!) do
       Rails.application.reload_secrets!
     end
   end
-  
+
   # Start Secvault and load secrets (without Rails integration)
-  # 
+  #
   # Usage:
   #   Secvault.start!                                    # Uses config/secrets.yml only
   #   Secvault.start!(files: [])                        # Same as above
@@ -253,38 +266,34 @@ module Secvault
   #   - files: Array of file paths (String or Pathname). Defaults to ['config/secrets.yml']
   #   - logger: Enable logging (default: true except production)
   def start!(files: [], logger: !Rails.env.production?)
-    begin
-      # Default to host app's config/secrets.yml if no files specified
-      files_to_load = files.empty? ? ['config/secrets.yml'] : files
-      
-      # Load secrets into Secvault.secrets (completely independent of Rails)
-      load_secrets_only!(files_to_load, logger: logger)
-      
-      true
-    rescue => e
-      Rails.logger&.error "[Secvault] Failed to start: #{e.message}" if defined?(Rails)
-      false
-    end
+    # Default to host app's config/secrets.yml if no files specified
+    files_to_load = files.empty? ? ["config/secrets.yml"] : files
+
+    # Load secrets into Secvault.secrets (completely independent of Rails)
+    load_secrets_only!(files_to_load, logger: logger)
+
+    true
+  rescue => e
+    Rails.logger&.error "[Secvault] Failed to start: #{e.message}" if defined?(Rails)
+    false
   end
-  
+
   # Integrate loaded secrets with Rails.application.secrets
   def integrate_with_rails!
     return false unless @@loaded_secrets
-    
+
     begin
       # Set up Rails::Secrets to use Secvault's parser (only when integrating)
       unless rails_integrated?
-        if defined?(Rails::Secrets)
-          Rails.send(:remove_const, :Secrets)
-        end
+        Rails.send(:remove_const, :Secrets) if defined?(Rails::Secrets)
         Rails.const_set(:Secrets, Secvault::RailsSecrets)
       end
-      
+
       # Replace Rails.application.secrets with Secvault's loaded secrets
       Rails.application.define_singleton_method(:secrets) do
         Secvault.secrets
       end
-      
+
       Rails.logger&.info "[Secvault] Integrated with Rails.application.secrets" unless Rails.env.production?
       true
     rescue => e
@@ -292,10 +301,11 @@ module Secvault
       false
     end
   end
-  
+
   # Backward compatibility aliases
-  alias_method :setup_rails_71_integration!, :setup_backward_compatibility_with_older_rails!
-  alias_method :setup_multi_files!, :setup_multi_file!  # Alternative name
+  alias_method :setup_backward_compatibility_with_older_rails!, :setup! # Legacy name
+  alias_method :setup_rails_71_integration!, :setup! # Legacy name
+  alias_method :setup_multi_files!, :setup_multi_file! # Alternative name
 end
 
 Secvault.install! if defined?(Rails)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secvault
 version: !ruby/object:Gem::Version
-  version: 2.6.0
+  version: 2.7.1
 platform: ruby
 authors:
 - Unnikrishnan KP
@@ -49,21 +49,14 @@ extra_rdoc_files: []
 files:
 - ".rspec"
 - ".standard.yml"
-- CHANGELOG.md
-- CODE_OF_CONDUCT.md
 - LICENSE.txt
 - README.md
 - Rakefile
-- USAGE_EXAMPLES.md
 - lib/secvault.rb
-- lib/secvault/generators/secrets_generator.rb
 - lib/secvault/rails_secrets.rb
 - lib/secvault/railtie.rb
 - lib/secvault/secrets.rb
-- lib/secvault/secrets_helper.rb
 - lib/secvault/version.rb
-- secvault-2.0.0.gem
-- sig/secvault.rbs
 homepage: https://github.com/unnitallman/secvault
 licenses:
 - MIT

data/CHANGELOG.md

@@ -1,185 +0,0 @@
-## [Unreleased]
-
-## [2.3.0] - 2025-09-22
-
-### Changed
-
-- **Better method naming**: Renamed `setup_rails_71_integration!` to `setup_backward_compatibility_with_older_rails!`
-- **More generic approach**: New method name works for any older Rails version, not just 7.1
-- **Updated documentation**: README now uses "Older Rails Integration" instead of "Rails 7.1 Integration"
-- **Clearer version support**: Documentation now shows "Rails 7.1 and older" for better clarity
-
-### Backward Compatibility
-
-- ✅ **Old method name still works**: `setup_rails_71_integration!` is aliased to the new method
-- ✅ **No breaking changes**: All existing code continues to work
-- ✅ **Updated test apps**: Rails 7.1 test app uses the new, cleaner method name
-
-### Benefits
-
-- **Future-proof naming**: Works for Rails 7.1, 7.0, 6.x, or any version with native secrets
-- **Clearer intent**: Method name clearly indicates it's for backward compatibility
-- **Better documentation**: More generic approach in README and code comments
-- **Maintained compatibility**: Existing users don't need to change anything
-
-## [2.2.0] - 2025-09-22
-
-### Added
-
-- **New simplified API**: `Rails::Secrets.load()` - cleaner method to load default config/secrets.yml
-- **Enhanced README** with comprehensive examples for multiple files usage
-- **Better documentation** showing how to parse custom files and multiple file merging
-- **Backward compatibility aliases** - `parse_default` and `read` still work
-
-### Changed
-
-- **Improved method naming**: `Rails::Secrets.load()` is now the preferred method over `parse_default()`
-- **Enhanced documentation** in code with clear examples for single file, multiple files, and custom paths
-- **Better README examples** showing advanced usage patterns
-
-### Examples Added
-
-- Multiple secrets files merging: `Rails::Secrets.parse(['secrets.yml', 'secrets.local.yml'], env: Rails.env)`
-- Environment-specific loading: `Rails::Secrets.load(env: 'production')`
-- Custom file parsing: `Rails::Secrets.parse(['config/custom.yml'], env: Rails.env)`
-- Multiple path support: `Rails::Secrets.parse([Rails.root.join('config', 'secrets.yml')], env: Rails.env)`
-
-### Backward Compatibility
-
-- ✅ All existing methods still work
-- ✅ `parse_default` → `load` (alias maintained)
-- ✅ `read` → `load` (alias maintained)
-- ✅ No breaking changes
-
-## [2.1.0] - 2025-09-22
-
-### Removed
-
-- **Removed all rake tasks** - Ultimate simplicity! No more `rake secvault:setup`, `rake secvault:edit`, or `rake secvault:show`
-- Removed `lib/secvault/tasks.rake` file entirely
-- Removed rake task loading from railtie
-
-### Changed
-
-- **Ultra-simple setup**: Just create `config/secrets.yml` with any text editor
-- Updated README to reflect manual file creation instead of rake tasks
-- Updated module documentation to show simple 3-step process
-- Cleaner railtie without task loading complexity
-
-### Benefits
-
-- **Zero dependencies on rake tasks** - works with just plain YAML files
-- **Even simpler** - no commands to remember, just edit YAML files
-- **More intuitive** - developers already know how to create and edit YAML files
-- **Less code** - removed unnecessary complexity
-
-### Tested
-
-- ✅ Rails 7.1 integration works perfectly
-- ✅ Rails 8.0 automatic setup works perfectly
-- ✅ No rake task conflicts or errors
-
-## [2.0.0] - 2025-09-22
-
-### BREAKING CHANGES
-
-- **Removed all encryption functionality** - Secvault now focuses purely on plain YAML secrets management
-- Removed ActiveSupport::EncryptedFile dependencies
-- Removed MissingKeyError and InvalidKeyError exceptions
-- Removed `encrypted?`, `decrypt`, `decrypt_secrets` methods
-- Simplified rake tasks to work with plain YAML only
-
-### Added
-
-- Simplified `rake secvault:setup` that creates plain YAML files with helpful comments
-- Better error messages and user guidance in rake tasks
-- Cleaner, more focused codebase without encryption complexity
-
-### Changed
-
-- **Major simplification**: All secrets are now stored in plain YAML files
-- Updated README to reflect plain YAML approach
-- Updated module documentation and gemspec descriptions
-- Rake tasks now use emojis and better user experience
-- Production secrets should use ERB syntax with environment variables
-
-### Benefits
-
-- Much simpler gem with single focus: plain YAML secrets management
-- No encryption keys to manage or lose
-- Easy to understand, edit, and debug secrets files
-- Perfect for development and test environments
-- Production secrets via environment variables (recommended best practice)
-
-## [1.0.4] - 2025-09-22
-
-### Added
-
-- Comprehensive Rails 7.1 integration support
-- New `Secvault.setup_rails_71_integration!` helper method for easy Rails 7.1 setup
-- Enhanced documentation with Rails 7.1 integration guide
-- Module-level documentation with usage examples and version compatibility
-
-### Improved
-
-- Better Rails 7.1 compatibility with automatic detection and setup
-- Enhanced README with Rails 7.1 integration section
-- Improved error handling and logging for Rails 7.1 integration
-- More comprehensive inline documentation
-
-### Changed
-
-- Refined automatic setup logic to avoid conflicts with Rails 7.1 native functionality
-- Updated gemspec description to include Rails 7.1+ support
-
-## [1.0.3] - 2025-09-22
-
-### Fixed
-
-- Rails 7.1 compatibility issues with native Rails::Secrets conflicts
-- String path handling in parse method
-- Zeitwerk constant name mismatch resolution
-
-### Added
-
-- Manual setup method for Rails 7.1 (opt-in)
-- Rails version detection for automatic setup decisions
-- Only create Rails::Secrets alias for Rails 7.2+ to avoid conflicts
-
-## [1.0.2] - 2025-09-22
-
-### Changed
-
-- Updated Rails dependency from >= 7.2.0 to >= 7.1.0 for broader compatibility
-- Updated gem description to include Rails 7.1+ support
-
-## [1.0.1] - 2025-09-22
-
-### Fixed
-
-- Zeitwerk constant name mismatch in rails_secrets.rb
-- Changed module definition from Rails::Secrets to Secvault::RailsSecrets
-- Added Rails::Secrets alias for backward compatibility
-- Resolved Zeitwerk::NameError when loading Rails applications
-
-## [1.0.0] - 2025-09-22
-
-### Added
-
-- Initial release of Secvault gem
-- Rails secrets.yml functionality for Rails 7.2+
-- Encrypted secrets.yml support using Rails' built-in encryption
-- Environment-specific secrets management
-- ERB template support in secrets files
-- Rake tasks for secrets management:
-  - `rake secvault:setup` - Create encrypted secrets file
-  - `rake secvault:edit` - Edit encrypted secrets
-  - `rake secvault:show` - Display decrypted secrets
-- Rails generator for creating secrets files
-- Automatic integration with Rails.application.secrets
-- Support for both encrypted and plain YAML secrets files
-- Key management with config/secrets.yml.key
-- Environment variable fallback for encryption key
-- Comprehensive error handling for missing/invalid keys
-- Full test coverage with RSpec
-- Detailed documentation and usage examples