secvault 2.7.0 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 51dbcfd2c3b3073fb06223b681fb358cf8c74aae00c90663470edc19b3a40cd0
-  data.tar.gz: f78b9e5a1bdcb9148d58e31791738179b38a401ae0416920b4a6ee557e024ffd
+  metadata.gz: 7e9d55bf6f12233064ea7ced4e9b40c84f8f3a6ce38d6b5b79d5f0e8f4a7214a
+  data.tar.gz: 7ade516b0c550c0b3c98f04fc39ff1079d5c46436da6a7fd6153bdc1d9eac4fb
 SHA512:
-  metadata.gz: 99d55935f3754ed807d306e94c530259ae34c82d43e1b2827ace62a2e33fd8bed291d8af358597aa68b71d78737af402273644e2b5d9475c5540be234b2d5985
-  data.tar.gz: d24dfa1e4613602a15ee7d40aeabedb089edf9e88ea136960ca039d6298252d8e7cd4e8a50d6f815cedcbde9d6192320814ccf6694797633225a29e98b993842
+  metadata.gz: b2939f3acd3e9525d000b7195fd9967a4e8f80c04800e4cbac9da774625bc1cae7b26e1f0320d4d57d53abbf1bdb53a3899977deb9625880fd84458c7c302277
+  data.tar.gz: 84de3b9f8ecd84e820668d3ac2bd7fedeb7946e2707f88e00cd7219f258d597417b025a72b889dc93bf6e408c2686b2c444b90e1d2eaee856f1040d9f5b8d63a

data/README.md

@@ -1,12 +1,17 @@
 # Secvault
 
-Restores Rails `secrets.yml` functionality for environment-specific secrets management using YAML files with ERB templating.
+Secvault restores the classic Rails `secrets.yml` functionality using simple, plain YAML files for environment-specific secrets management. Compatible with all modern Rails versions (7.1+, 7.2+, 8.0+).
 
-## Rails Version Support
+[![Gem Version](https://img.shields.io/gem/v/secvault.svg)](https://rubygems.org/gems/secvault)
 
-- **Rails 7.2+**: Automatic setup (drop-in replacement for removed functionality)
-- **Rails 7.1**: Manual setup required
-- **Rails 8.0+**: Full compatibility
+## Why Secvault?
+
+- **Drop-in replacement** for Rails 7.2+'s removed `secrets.yml` functionality
+- **Universal compatibility** across Rails 7.1+, 7.2+, and 8.0+
+- **ERB templating** support for environment variables
+- **Multi-file support** with deep merging capabilities
+- **Shared sections** for common configuration across environments
+- **Simple YAML** - no complex credential management required
 
 ## Installation
 
@@ -15,87 +20,437 @@ Restores Rails `secrets.yml` functionality for environment-specific secrets mana
 gem 'secvault'
 ```
 
+```bash
+bundle install
+```
+
 ## Quick Start
 
+### 1. Simple Setup
+
+Create `config/initializers/secvault.rb`:
+
+```ruby
+# The simplest setup - works across all Rails versions
+Secvault.start!
+```
+
 Create `config/secrets.yml`:
 
 ```yaml
+shared:
+  app_name: "My Rails App"
+  timeout: 30
+
 development:
+  secret_key_base: "dev_secret_key_here"
   api_key: "dev_key_123"
   database_url: "postgresql://localhost/myapp_dev"
+  debug: true
+
+test:
+  secret_key_base: "test_secret_key_here"
+  api_key: "test_key_123"
 
 production:
+  secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
   api_key: <%= ENV['API_KEY'] %>
   database_url: <%= ENV['DATABASE_URL'] %>
+  debug: false
 ```
 
-Access secrets in your app:
+### 2. Access Your Secrets
 
 ```ruby
+# In your Rails application
 Rails.application.secrets.api_key
+Rails.application.secrets.app_name
 Rails.application.secrets.database_url
+
+# Nested secrets work too
+Rails.application.secrets.database.host
+Rails.application.secrets.features.analytics
 ```
 
-## Multi-File Configuration
+## Setup Methods
+
+### Unified start! Method
 
-Load and merge multiple secrets files:
+Secvault now uses a single, simplified `start!` method for all use cases:
+
+```ruby
+# Simplest setup - loads config/secrets.yml with Rails integration
+Secvault.start!
+
+# Custom single file
+Secvault.start!(files: ['custom.yml'])
+
+# Multiple files with hot reload
+Secvault.start!(
+  files: ['config/secrets.yml', 'config/secrets.local.yml'],
+  hot_reload: true
+)
+
+# All available options
+Secvault.start!(
+  files: ['config/secrets.yml'],           # Default: ['config/secrets.yml']
+  integrate_with_rails: true,              # Default: true
+  set_secret_key_base: true,              # Default: true
+  hot_reload: true,                       # Default: true in development
+  logger: true                            # Default: true except production
+)
+```
+
+### Advanced Usage
+
+```ruby
+# Load without Rails integration (standalone mode)
+Secvault.start!(integrate_with_rails: false)
+# Access via: Secvault.secrets.your_key
+
+# Multi-file with hot reload for development
+Secvault.start!(
+  files: [
+    'config/secrets.yml',
+    'config/secrets.oauth.yml', 
+    'config/secrets.local.yml'   # Git-ignored local overrides
+  ],
+  hot_reload: true,
+  logger: true
+)
+```
+
+
+## Advanced Features
+
+### ERB Templating
+
+Secvault supports full ERB templating for dynamic configuration:
+
+```yaml
+production:
+  secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
+  api_key: <%= ENV['API_KEY'] %>
+  pool_size: <%= ENV.fetch('DB_POOL', '5').to_i %>
+  
+  # Complex expressions
+  features:
+    enabled: <%= ENV.fetch('FEATURES_ON', 'false') == 'true' %>
+    analytics: <%= Rails.env.production? && ENV['ANALYTICS'] != 'false' %>
+  
+  # Arrays and complex data structures
+  allowed_hosts: <%= ENV.fetch('ALLOWED_HOSTS', 'localhost').split(',') %>
+  
+  # Conditional values
+  redis_url: <%=
+    if ENV['REDIS_URL']
+      ENV['REDIS_URL']
+    else
+      "redis://localhost:6379/#{Rails.env}"
+    end
+  %>
+```
+
+### Shared Sections
+
+Define common secrets that apply to all environments:
+
+```yaml
+shared:
+  app_name: "MyApp"
+  version: "2.1.0"
+  timeout: 30
+  features:
+    analytics: true
+    
+development:
+  secret_key_base: "dev_secret"
+  features:
+    debug: true    # Merges with shared.features
+    
+production:
+  secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
+  features:
+    analytics: false  # Overrides shared.features.analytics
+```
+
+### Multi-File Configuration
+
+Organize your secrets across multiple files for better maintainability:
 
 ```ruby
-# config/initializers/secvault.rb
 Secvault.setup_multi_file!([
-  'config/secrets.yml',
-  'config/secrets.oauth.yml',
-  'config/secrets.local.yml'
+  'config/secrets.yml',           # Base secrets
+  'config/secrets.oauth.yml',     # OAuth provider settings
+  'config/secrets.database.yml',  # Database configurations
+  'config/secrets.local.yml'      # Local overrides (git-ignored)
 ])
 ```
 
-Files are merged in order with deep merge support for nested hashes.
+**File merging behavior:**
+- Files are processed in order
+- Later files override earlier ones
+- Deep merging for nested hashes
+- Shared sections are merged first, then environment-specific
+
+### Hot Reload (Development)
+
+Secvault provides hot reload functionality for development:
+
+```ruby
+# Enable hot reload when starting Secvault
+Secvault.start!(hot_reload: true)  # Default: true in development
+
+# Then reload secrets without restarting Rails
+reload_secrets!
+
+# Or via Rails.application
+Rails.application.reload_secrets!
+```
+
+Hot reload is automatically enabled in development mode and provides instant feedback when you change your secrets files.
 
 ## Manual API
 
+For advanced use cases, you can use the lower-level API:
+
 ```ruby
 # Parse specific files
-secrets = Rails::Secrets.parse(['config/secrets.yml'], env: Rails.env)
+secrets = Rails::Secrets.parse(['config/secrets.yml'], env: 'production')
+
+# Load from default location
+secrets = Rails::Secrets.load(env: 'development')
+
+# Check if Secvault is active
+Secvault.active?  # => true/false
+
+# Check if integrated with Rails
+Secvault.rails_integrated?  # => true/false
+
+# Access loaded secrets directly
+Secvault.secrets.api_key  # Available after Secvault.start!
+```
 
-# Load default config/secrets.yml
-secrets = Rails::Secrets.load(env: 'production')
+## Rails Version Compatibility
 
-# Check if active
-Secvault.active? # => true/false
+| Rails Version | Support Level | Notes |
+|---------------|---------------|-------|
+| **Rails 7.1+** | ✅ Full compatibility | Manual setup required |
+| **Rails 7.2+** | ✅ Drop-in replacement | Automatic setup works |
+| **Rails 8.0+** | ✅ Full compatibility | Future-proof |
+
+### Rails 7.2+ Notes
+Rails 7.2 removed the built-in `secrets.yml` functionality. Secvault provides a complete replacement with the same API.
+
+### Rails 7.1 Notes
+Rails 7.1 still has `secrets.yml` support but shows deprecation warnings. Secvault provides a consistent experience across Rails versions.
+
+## Migration Guide
+
+### From Previous Secvault Versions
+
+**BREAKING CHANGE**: The API has been simplified. Update your initializers:
+
+```ruby
+# Old API (no longer supported):
+Secvault.setup!
+Secvault.setup_multi_file!(['file1.yml', 'file2.yml'])
+Secvault.integrate_with_rails!
+
+# New unified API:
+Secvault.start!                                     # Simple case
+Secvault.start!(files: ['file1.yml', 'file2.yml'])  # Multi-file case
+Secvault.start!(integrate_with_rails: false)        # Standalone mode
 ```
 
-## Rails 7.1 Integration
+### From Rails < 7.2 Built-in Secrets
+
+1. **Add Secvault to your Gemfile**:
+   ```ruby
+   gem 'secvault'
+   ```
+
+2. **Create initializer**:
+   ```ruby
+   # config/initializers/secvault.rb
+   Secvault.start!
+   ```
+
+3. **Your existing `config/secrets.yml` works as-is** - no changes needed!
+
+### From Rails Credentials
+
+1. **Extract your credentials to YAML**:
+   ```bash
+   # Export existing credentials
+   rails credentials:show > config/secrets.yml
+   ```
+
+2. **Format as environment-specific YAML**:
+   ```yaml
+   development:
+     secret_key_base: "your_dev_secret"
+     # ... other secrets
+   
+   production:
+     secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
+     # ... other secrets
+   ```
+
+3. **Set up Secvault**:
+   ```ruby
+   # config/initializers/secvault.rb
+   Secvault.start!
+   ```
+
+## Configuration Examples
 
-For Rails 7.1 with existing secrets functionality:
+### Basic Application
+
+```yaml
+# config/secrets.yml
+shared:
+  app_name: "MyApp"
+  
+development:
+  secret_key_base: "long_random_string_for_dev"
+  database_url: "postgresql://localhost/myapp_dev"
+  
+test:
+  secret_key_base: "long_random_string_for_test"
+  database_url: "postgresql://localhost/myapp_test"
+  
+production:
+  secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
+  database_url: <%= ENV['DATABASE_URL'] %>
+```
+
+### Multi-Service Application
 
 ```ruby
 # config/initializers/secvault.rb
-Secvault.setup_backward_compatibility_with_older_rails!
+Secvault.start!(
+  files: [
+    'config/secrets.yml',
+    'config/secrets.oauth.yml',
+    'config/secrets.external_apis.yml',
+    'config/secrets.local.yml'  # Git-ignored
+  ],
+  hot_reload: true
+)
 ```
 
-## ERB Templating
+```yaml
+# config/secrets.yml (base)
+shared:
+  app_name: "MyApp"
+  timeout: 30
+
+development:
+  secret_key_base: "dev_secret"
+  debug: true
 
-Supports full ERB templating for environment variables:
+production:
+  secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
+  debug: false
+```
 
 ```yaml
+# config/secrets.oauth.yml
+shared:
+  oauth:
+    google:
+      scope: "email profile"
+
+development:
+  oauth:
+    google:
+      client_id: "dev_google_client_id"
+      client_secret: "dev_google_client_secret"
+
 production:
-  api_key: <%= ENV['API_KEY'] %>
-  pool_size: <%= ENV.fetch('DB_POOL', '5').to_i %>
-  features:
-    enabled: <%= ENV.fetch('FEATURES_ON', 'false') == 'true' %>
-  hosts: <%= ENV.fetch('ALLOWED_HOSTS', 'localhost').split(',') %>
+  oauth:
+    google:
+      client_id: <%= ENV['GOOGLE_CLIENT_ID'] %>
+      client_secret: <%= ENV['GOOGLE_CLIENT_SECRET'] %>
 ```
 
-## Development Tools
+## Troubleshooting
 
-Reload secrets in development:
+### Common Issues
 
+**1. "No secrets.yml file found"**
+```bash
+# Create the file
+mkdir -p config
+touch config/secrets.yml
+```
+
+**2. "undefined method `secrets' for Rails.application"**
 ```ruby
-# Available after setup_multi_file!
-reload_secrets!
-Rails.application.reload_secrets!
+# Make sure Secvault is set up in an initializer
+# config/initializers/secvault.rb
+Secvault.start!
+```
+
+**3. "Secrets not loading in tests"**
+```ruby
+# In your test helper or rails_helper.rb
+Secvault.start! if defined?(Secvault)
+```
+
+**4. "Environment variables not working"**
+```yaml
+# Make sure you're using ERB syntax
+production:
+  api_key: <%= ENV['API_KEY'] %>  # ✅ Correct
+  api_key: $API_KEY               # ❌ Wrong
 ```
 
+### Debug Mode
+
+```ruby
+# Enable detailed logging (development/test only)
+Secvault.start!(files: ['config/secrets.yml'], logger: true)
+
+# Check if Secvault is working
+Secvault.active?           # Should return true
+Secvault.rails_integrated? # Should return true
+Rails.application.secrets  # Should show your secrets
+```
+
+## API Reference
+
+### Setup Methods
+
+- `Secvault.start!(files: [], integrate_with_rails: true, set_secret_key_base: true, hot_reload: auto, logger: auto)` - Main and only setup method
+
+### Status Methods
+
+- `Secvault.active?` - Check if secrets are loaded
+- `Secvault.rails_integrated?` - Check if Rails integration is active
+- `Secvault.secrets` - Access loaded secrets directly
+
+### Rails API Compatibility
+
+- `Rails::Secrets.parse(files, env:)` - Parse specific files
+- `Rails::Secrets.load(env:)` - Load from default config/secrets.yml
+- `Rails.application.secrets` - Access secrets (same as classic Rails)
+
+### Legacy Aliases
+
+- `Secvault.setup_backward_compatibility_with_older_rails!` (alias for `setup!`)
+- `Secvault.setup_rails_71_integration!` (alias for `setup!`)
+- `Secvault.setup_multi_files!` (alias for `setup_multi_file!`)
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request
+
 ## License
 
-MIT
+MIT License. See [LICENSE](LICENSE) for details.

data/lib/secvault/rails_secrets.rb

@@ -46,15 +46,9 @@ module Secvault
 end
 
 # Monkey patch to restore Rails::Secrets interface for backwards compatibility
-# Only for Rails 7.2+ where Rails::Secrets was removed
-if defined?(Rails) && Rails.respond_to?(:version)
-  rails_version = Rails.version
-  major, minor = rails_version.split(".").map(&:to_i)
-
-  # Only alias for Rails 7.2+ to avoid conflicts with native Rails::Secrets in 7.1
-  if major > 7 || (major == 7 && minor >= 2)
-    module Rails
-      Secrets = Secvault::RailsSecrets
-    end
+# Works consistently across all Rails versions with warning suppression
+if defined?(Rails)
+  module Rails
+    Secrets = Secvault::RailsSecrets
   end
 end

data/lib/secvault/secrets.rb

@@ -11,62 +11,48 @@ module Secvault
   class Secrets
     class << self
       def setup(app)
-        # Only auto-setup for Rails 7.2+ where secrets functionality was removed
-        return unless rails_7_2_or_later?
-
+        # Auto-setup for all Rails versions with consistent behavior
         secrets_path = app.root.join("config/secrets.yml")
 
-        if secrets_path.exist?
-          # Use a more reliable approach that works in all environments
-          app.config.before_configuration do
-            current_env = ENV["RAILS_ENV"] || Rails.env || "development"
-            setup_secrets_immediately(app, secrets_path, current_env)
-          end
+        return unless secrets_path.exist?
 
-          # Also try during to_prepare as a fallback
-          app.config.to_prepare do
-            current_env = Rails.env
-            unless Rails.application.respond_to?(:secrets) && !Rails.application.secrets.empty?
-              setup_secrets_immediately(app, secrets_path, current_env)
-            end
-          end
+        # Use a reliable approach that works in all environments
+        app.config.before_configuration do
+          current_env = ENV["RAILS_ENV"] || Rails.env || "development"
+          setup_secrets_immediately(app, secrets_path, current_env)
         end
-      end
-
-      # Manual setup method for Rails 7.1 (opt-in)
-      def setup_for_rails_71!(app)
-        secrets_path = app.root.join("config/secrets.yml")
 
-        if secrets_path.exist?
-          app.config.before_configuration do
-            current_env = ENV["RAILS_ENV"] || Rails.env || "development"
+        # Also try during to_prepare as a fallback
+        app.config.to_prepare do
+          current_env = Rails.env
+          unless Rails.application.respond_to?(:secrets) && !Rails.application.secrets.empty?
             setup_secrets_immediately(app, secrets_path, current_env)
           end
         end
       end
 
-      def setup_secrets_immediately(app, secrets_path, env)
+      def setup_secrets_immediately(_app, secrets_path, env)
         # Set up secrets if they exist
         secrets = read_secrets(secrets_path, env)
-        if secrets
-          # Rails 8.0+ compatibility: Add secrets accessor that initializes on first access
-          unless Rails.application.respond_to?(:secrets)
-            Rails.application.define_singleton_method(:secrets) do
-              @secrets ||= begin
-                current_secrets = ActiveSupport::OrderedOptions.new
-                # Re-read secrets to ensure we have the right environment
-                env_secrets = Secvault::Secrets.read_secrets(secrets_path, Rails.env)
-                current_secrets.merge!(env_secrets) if env_secrets
-                current_secrets
-              end
+        return unless secrets
+
+        # Rails 8.0+ compatibility: Add secrets accessor that initializes on first access
+        unless Rails.application.respond_to?(:secrets)
+          Rails.application.define_singleton_method(:secrets) do
+            @secrets ||= begin
+              current_secrets = ActiveSupport::OrderedOptions.new
+              # Re-read secrets to ensure we have the right environment
+              env_secrets = Secvault::Secrets.read_secrets(secrets_path, Rails.env)
+              current_secrets.merge!(env_secrets) if env_secrets
+              current_secrets
             end
           end
-
-          # If secrets accessor already exists, merge the secrets
-          if Rails.application.respond_to?(:secrets) && Rails.application.secrets.respond_to?(:merge!)
-            Rails.application.secrets.merge!(secrets)
-          end
         end
+
+        # If secrets accessor already exists, merge the secrets
+        return unless Rails.application.respond_to?(:secrets) && Rails.application.secrets.respond_to?(:merge!)
+
+        Rails.application.secrets.merge!(secrets)
       end
 
       # Classic Rails::Secrets.parse implementation
@@ -103,14 +89,6 @@ module Secvault
 
         {}
       end
-
-      private
-
-      def rails_7_2_or_later?
-        rails_version = Rails.version
-        major, minor = rails_version.split(".").map(&:to_i)
-        major > 7 || (major == 7 && minor >= 2)
-      end
     end
   end
 end

data/lib/secvault/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Secvault
-  VERSION = "2.7.0"
+  VERSION = "3.0.0"
 end

data/lib/secvault.rb

@@ -13,44 +13,33 @@ loader.setup
 
 # Secvault - Simple secrets management for Rails
 #
-# Secvault restores the classic Rails secrets.yml functionality that was removed
-# in Rails 7.2, using simple, plain YAML files for environment-specific secrets
-# management.
+# Secvault restores the classic Rails secrets.yml functionality using simple,
+# plain YAML files for environment-specific secrets management. Works consistently
+# across all Rails versions.
 #
 # ## Rails Version Support:
-# - Rails 7.1: Requires manual setup (see Rails 7.1 integration guide)
-# - Rails 7.2+: Automatic setup, drop-in replacement for removed functionality
+# - Rails 7.1+: Full compatibility with automatic setup
+# - Rails 7.2+: Drop-in replacement for removed functionality
 # - Rails 8.0+: Full compatibility
 #
-# ## Rails 7.1 Integration:
-# For Rails 7.1 apps, add this initializer to override native Rails::Secrets:
+# ## Quick Start:
+# Add this to an initializer:
 #
 #   # config/initializers/secvault.rb
-#   module Rails
-#     remove_const(:Secrets) if defined?(Secrets)
-#     Secrets = Secvault::RailsSecrets
-#   end
-#
-#   Rails.application.config.after_initialize do
-#     secrets_path = Rails.root.join("config/secrets.yml")
-#     if secrets_path.exist?
-#       loaded_secrets = Rails::Secrets.parse([secrets_path], env: Rails.env)
-#       secrets_object = ActiveSupport::OrderedOptions.new
-#       secrets_object.merge!(loaded_secrets)
-#       Rails.application.define_singleton_method(:secrets) { secrets_object }
-#     end
-#   end
+#   Secvault.start!
 #
 # ## Usage:
 #   Rails.application.secrets.api_key
 #   Rails.application.secrets.oauth_settings[:google_client_id]
+#   Secvault.secrets.your_key  # Direct access
 #   Rails::Secrets.load(env: 'development')  # Load default config/secrets.yml
 #   Rails::Secrets.parse(['custom.yml'], env: Rails.env)  # Parse custom files
 #
 # ## Getting Started:
 #   1. Create config/secrets.yml with your secrets
-#   2. Use Rails.application.secrets.your_secret in your app
-#   3. For production, use environment variables with ERB syntax
+#   2. Call Secvault.start! in an initializer
+#   3. Use Rails.application.secrets.your_secret in your app
+#   4. For production, use environment variables with ERB syntax
 #
 # @see https://github.com/unnitallman/secvault
 module Secvault
@@ -83,109 +72,78 @@ module Secvault
     require "secvault/rails_secrets"
   end
 
-  # Helper method to set up Secvault for older Rails versions
-  # This provides an easy way to integrate Secvault into older Rails apps
-  # that still have native Rails::Secrets functionality (like Rails 7.1).
-  #
-  # Usage in an initializer:
-  #   Secvault.setup_backward_compatibility_with_older_rails!
+  # Start Secvault with simplified, unified API
+  # This is the main entry point for all Secvault functionality
   #
-  # This will:
-  # 1. Override native Rails::Secrets with Secvault implementation
-  # 2. Replace Rails.application.secrets with Secvault-powered functionality
-  # 3. Load secrets from config/secrets.yml automatically
-  def setup_backward_compatibility_with_older_rails!
-    # Override native Rails::Secrets
-    if defined?(Rails::Secrets)
-      Rails.send(:remove_const, :Secrets)
-    end
-    Rails.const_set(:Secrets, Secvault::RailsSecrets)
-
-    # Set up Rails.application.secrets replacement
-    Rails.application.config.after_initialize do
-      secrets_path = Rails.root.join("config/secrets.yml")
-
-      if secrets_path.exist?
-        # Load secrets using Secvault
-        loaded_secrets = Rails::Secrets.parse([secrets_path], env: Rails.env)
-
-        # Create ActiveSupport::OrderedOptions object for compatibility
-        secrets_object = ActiveSupport::OrderedOptions.new
-        secrets_object.merge!(loaded_secrets)
-
-        # Replace Rails.application.secrets
-        Rails.application.define_singleton_method(:secrets) do
-          secrets_object
-        end
-
-        # Log integration success (except in production)
-        unless Rails.env.production?
-          Rails.logger&.info "[Secvault] Rails 7.1 integration complete. Loaded #{loaded_secrets.keys.size} secret keys."
-        end
-      else
-        Rails.logger&.warn "[Secvault] No secrets.yml file found at #{secrets_path}"
-      end
-    end
-  end
-
-  # Set up multi-file secrets loading with a clean API
-  # Just pass an array of file paths and Secvault handles the rest
+  # Usage examples:
+  #   Secvault.start!                                    # Simple: config/secrets.yml + Rails integration
+  #   Secvault.start!(files: ['custom.yml'])            # Custom single file
+  #   Secvault.start!(files: ['base.yml', 'local.yml']) # Multiple files
+  #   Secvault.start!(integrate_with_rails: false)      # Load only, no Rails integration
+  #   Secvault.start!(hot_reload: true)                 # Enable hot reload in development
   #
-  # Usage in an initializer:
-  #   Secvault.setup_multi_file!([
-  #     'config/secrets.yml',
-  #     'config/secrets.oauth.yml',
-  #     'config/secrets.local.yml'
-  #   ])
+  # Access secrets:
+  #   Rails.application.secrets.your_key  # When integrate_rails: true (default)
+  #   Secvault.secrets.your_key           # Direct access (always available)
   #
   # Options:
-  #   - files: Array of file paths (String or Pathname)
-  #   - reload_method: Add a reload helper method (default: true in development)
-  #   - logger: Enable/disable logging (default: true except in production)
-  def setup_multi_file!(files, reload_method: Rails.env.development?, logger: !Rails.env.production?)
-    # Ensure Secvault integration is active
-    setup_backward_compatibility_with_older_rails! unless active?
-
-    # Convert strings to Pathname objects and resolve relative to Rails.root
-    file_paths = Array(files).map do |file|
+  #   - files: Array of file paths (String or Pathname). Defaults to ['config/secrets.yml']
+  #   - integrate_with_rails: Integrate with Rails.application.secrets (default: true)
+  #   - set_secret_key_base: Set Rails.application.config.secret_key_base from secrets (default: true)
+  #   - hot_reload: Add reload_secrets! methods for development (default: true in development)
+  #   - logger: Enable logging (default: true except production)
+  def start!(files: [], integrate_with_rails: true, set_secret_key_base: true, 
+             hot_reload: (defined?(Rails) && Rails.env.respond_to?(:development?) ? Rails.env.development? : false), 
+             logger: (defined?(Rails) && Rails.env.respond_to?(:production?) ? !Rails.env.production? : true))
+    
+    # Default to config/secrets.yml if no files specified
+    files_to_load = files.empty? ? ["config/secrets.yml"] : Array(files)
+    
+    # Convert to Pathname objects and resolve relative to Rails.root
+    file_paths = files_to_load.map do |file|
       file.is_a?(Pathname) ? file : Rails.root.join(file)
     end
-
-    # Set up the multi-file loading
-    Rails.application.config.after_initialize do
-      load_multi_file_secrets!(file_paths, logger: logger)
+    
+    # Load secrets into Secvault.secrets
+    load_secrets!(file_paths, logger: logger)
+    
+    # Integrate with Rails if requested
+    if integrate_with_rails
+      setup_rails_integration!(file_paths, set_secret_key_base: set_secret_key_base, logger: logger)
     end
-
-    # Add reload helper in development
-    if reload_method
-      add_reload_helper!(file_paths)
+    
+    # Add hot reload functionality if requested
+    if hot_reload
+      add_hot_reload!(file_paths)
     end
+    
+    true
+  rescue => e
+    Rails.logger&.error "[Secvault] Failed to start: #{e.message}" if defined?(Rails) && logger
+    false
   end
 
-  # Load secrets into Secvault.secrets only (no Rails integration)
-  def load_secrets_only!(files, logger: !Rails.env.production?)
-    # Convert strings to Pathname objects and resolve relative to Rails.root
-    file_paths = Array(files).map do |file|
-      file.is_a?(Pathname) ? file : Rails.root.join(file)
-    end
+  private
 
+  # Load secrets into Secvault.secrets (internal storage)
+  def load_secrets!(file_paths, logger: (defined?(Rails) && Rails.env.respond_to?(:production?) ? !Rails.env.production? : true))
     existing_files = file_paths.select(&:exist?)
-
+    
     if existing_files.any?
-      # Load and merge all secrets files using Secvault's parser directly
+      # Load and merge all secrets files
       merged_secrets = Secvault::Secrets.parse(existing_files, env: Rails.env)
-
-      # Store in Secvault.secrets (ActiveSupport::OrderedOptions for compatibility)
+      
+      # Store in internal storage with ActiveSupport::OrderedOptions for compatibility
       @@loaded_secrets = ActiveSupport::OrderedOptions.new
       @@loaded_secrets.merge!(merged_secrets)
-
+      
       # Log successful loading
       if logger
         file_names = existing_files.map(&:basename)
         Rails.logger&.info "[Secvault] Loaded #{existing_files.size} files: #{file_names.join(", ")}"
         Rails.logger&.info "[Secvault] Parsed #{merged_secrets.keys.size} secret keys for #{Rails.env}"
       end
-
+      
       true
     else
       Rails.logger&.warn "[Secvault] No secrets files found" if logger
@@ -193,107 +151,65 @@ module Secvault
       false
     end
   end
-
-  # Load secrets from multiple files and merge them (with Rails integration)
-  def load_multi_file_secrets!(file_paths, logger: !Rails.env.production?)
-    existing_files = file_paths.select(&:exist?)
-
-    if existing_files.any?
-      # Load and merge all secrets files
-      merged_secrets = Rails::Secrets.parse(existing_files, env: Rails.env)
-
-      # Create ActiveSupport::OrderedOptions object for Rails compatibility
-      secrets_object = ActiveSupport::OrderedOptions.new
-      secrets_object.merge!(merged_secrets)
-
-      # Replace Rails.application.secrets
-      Rails.application.define_singleton_method(:secrets) { secrets_object }
-
-      # Log successful loading
-      if logger
-        file_names = existing_files.map(&:basename)
-        Rails.logger&.info "[Secvault Multi-File] Loaded #{existing_files.size} files: #{file_names.join(", ")}"
-        Rails.logger&.info "[Secvault Multi-File] Merged #{merged_secrets.keys.size} secret keys for #{Rails.env}"
+  
+  # Set up Rails integration
+  def setup_rails_integration!(file_paths, set_secret_key_base: true, logger: (defined?(Rails) && Rails.env.respond_to?(:production?) ? !Rails.env.production? : true))
+    # Override native Rails::Secrets with Secvault implementation
+    Rails.send(:remove_const, :Secrets) if defined?(Rails::Secrets)
+    Rails.const_set(:Secrets, Secvault::RailsSecrets)
+    
+    # Set up Rails.application.secrets replacement in after_initialize
+    Rails.application.config.after_initialize do
+      if @@loaded_secrets && !@@loaded_secrets.empty?
+        # Replace Rails.application.secrets with our loaded secrets
+        Rails.application.define_singleton_method(:secrets) do
+          @@loaded_secrets
+        end
+        
+        # Set secret_key_base in Rails config to avoid accessing it from secrets
+        if set_secret_key_base && @@loaded_secrets.key?(:secret_key_base)
+          Rails.application.config.secret_key_base = @@loaded_secrets[:secret_key_base]
+          Rails.logger&.info "[Secvault] Set Rails.application.config.secret_key_base from secrets" if logger
+        end
+        
+        # Log integration success (except in production)
+        if logger
+          Rails.logger&.info "[Secvault] Rails integration complete. #{@@loaded_secrets.keys.size} secret keys available."
+        end
+      else
+        Rails.logger&.warn "[Secvault] No secrets loaded for Rails integration" if logger
       end
-
-      merged_secrets
-    else
-      Rails.logger&.warn "[Secvault Multi-File] No secrets files found" if logger
-      {}
     end
   end
-
-  # Add reload helper method for development
-  def add_reload_helper!(file_paths)
+  
+  # Add hot reload functionality for development
+  def add_hot_reload!(file_paths)
     # Define reload method on Rails.application
     Rails.application.define_singleton_method(:reload_secrets!) do
-      Secvault.load_multi_file_secrets!(file_paths, logger: true)
-      puts "🔄 Reloaded secrets from #{file_paths.size} files"
+      # Reload secrets
+      Secvault.send(:load_secrets!, file_paths, logger: true)
+      
+      # Re-apply Rails integration if needed
+      if Secvault.rails_integrated? && @@loaded_secrets
+        Rails.application.define_singleton_method(:secrets) do
+          @@loaded_secrets
+        end
+      end
+      
+      puts "🔄 Hot reloaded secrets from #{file_paths.size} files"
       true
     end
-
+    
     # Also make it available as a top-level method
     Object.define_method(:reload_secrets!) do
       Rails.application.reload_secrets!
     end
+    
+    Rails.logger&.info "[Secvault] Hot reload enabled. Use reload_secrets! to refresh secrets." unless (defined?(Rails) && Rails.env.respond_to?(:production?) && Rails.env.production?)
   end
+  
+  public
 
-  # Start Secvault and load secrets (without Rails integration)
-  #
-  # Usage:
-  #   Secvault.start!                                    # Uses config/secrets.yml only
-  #   Secvault.start!(files: [])                        # Same as above
-  #   Secvault.start!(files: ['path/to/secrets.yml'])   # Custom single file
-  #   Secvault.start!(files: ['gem.yml', 'app.yml'])    # Multiple files
-  #
-  # Access loaded secrets via: Secvault.secrets.your_key
-  # To integrate with Rails.application.secrets, call: Secvault.integrate_with_rails!
-  #
-  # Options:
-  #   - files: Array of file paths (String or Pathname). Defaults to ['config/secrets.yml']
-  #   - logger: Enable logging (default: true except production)
-  def start!(files: [], logger: !Rails.env.production?)
-    # Default to host app's config/secrets.yml if no files specified
-    files_to_load = files.empty? ? ["config/secrets.yml"] : files
-
-    # Load secrets into Secvault.secrets (completely independent of Rails)
-    load_secrets_only!(files_to_load, logger: logger)
-
-    true
-  rescue => e
-    Rails.logger&.error "[Secvault] Failed to start: #{e.message}" if defined?(Rails)
-    false
-  end
-
-  # Integrate loaded secrets with Rails.application.secrets
-  def integrate_with_rails!
-    return false unless @@loaded_secrets
-
-    begin
-      # Set up Rails::Secrets to use Secvault's parser (only when integrating)
-      unless rails_integrated?
-        if defined?(Rails::Secrets)
-          Rails.send(:remove_const, :Secrets)
-        end
-        Rails.const_set(:Secrets, Secvault::RailsSecrets)
-      end
-
-      # Replace Rails.application.secrets with Secvault's loaded secrets
-      Rails.application.define_singleton_method(:secrets) do
-        Secvault.secrets
-      end
-
-      Rails.logger&.info "[Secvault] Integrated with Rails.application.secrets" unless Rails.env.production?
-      true
-    rescue => e
-      Rails.logger&.error "[Secvault] Failed to integrate with Rails: #{e.message}" if defined?(Rails)
-      false
-    end
-  end
-
-  # Backward compatibility aliases
-  alias_method :setup_rails_71_integration!, :setup_backward_compatibility_with_older_rails!
-  alias_method :setup_multi_files!, :setup_multi_file!  # Alternative name
 end
 
 Secvault.install! if defined?(Rails)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secvault
 version: !ruby/object:Gem::Version
-  version: 2.7.0
+  version: 3.0.0
 platform: ruby
 authors:
 - Unnikrishnan KP