secvault 2.7.1 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3f3f850252ea738c99ee2fd7bb7c2e9a2688082abc78245f0ac1ae4f262c9f57
-  data.tar.gz: 95c9d1b54bdf4fdeaf490e7bbf4bd1bb13411d50ce9a11291f89848049258636
+  metadata.gz: d57e110e287dd498f1751e5d823283c7f673c5f7511fca743772bec1ba25c5fc
+  data.tar.gz: b4c48354b471bc32634eb40dc15a99869e86825aae010f9f338ca4ab91850d66
 SHA512:
-  metadata.gz: a2399e023247f056496230dc96da152b5c9fcdd1db98b5f7359a5406f9ce45dc190ce0c93cd5dc4736abb16e7396043d78482b0879785faa60353fe0a1d773dd
-  data.tar.gz: e3deef79404b1c382c2e6167e6cb2b2981f511b6e9058fdf4fc484d8b9fce0f041551121631165f60f2220ee1d3be0ef444fb12296dac803a58afb4800b18ce0
+  metadata.gz: 6c1f2e1f452cfca7bbcc34117a32b05d252589d156b59175158577548f9158628bf1d0f01ace21714b3f8cf7fd8de195769ecf0d60b6d11915d4ca10163070e3
+  data.tar.gz: 1b5ffc0246423e154b2c0e12799e6d11370c8fa242eed3bec9f902e98df9119e70d0ae1da27f02c206a62a47b839c8e0788f35afd0d5a5cca7fe360739c66ced

data/README.md

@@ -1,101 +1,109 @@
 # Secvault
 
-Restores Rails `secrets.yml` functionality for environment-specific secrets management using YAML files with ERB templating.
+Simple YAML secrets management for Rails. Uses standard YAML anchors for sharing configuration.
 
-## Rails Version Support
-
-- **Rails 7.2+**: Automatic setup (drop-in replacement for removed functionality)
-- **Rails 7.1**: Manual setup required
-- **Rails 8.0+**: Full compatibility
+[![Gem Version](https://img.shields.io/gem/v/secvault.svg)](https://rubygems.org/gems/secvault)
 
 ## Installation
 
 ```ruby
-# Gemfile
 gem 'secvault'
 ```
 
-## Quick Start
+## Usage
 
-Create `config/secrets.yml`:
+**1. Add to initializer:**
+```ruby
+# config/initializers/secvault.rb
+Secvault.start!
+```
 
+**2. Create secrets file:**
 ```yaml
+# config/secrets.yml
+defaults: &defaults
+  app_name: "MyApp"
+
 development:
-  api_key: "dev_key_123"
-  database_url: "postgresql://localhost/myapp_dev"
+  <<: *defaults
+  secret_key_base: "dev_secret"
+  api_key: "dev_key"
 
 production:
+  <<: *defaults
+  secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
   api_key: <%= ENV['API_KEY'] %>
-  database_url: <%= ENV['DATABASE_URL'] %>
 ```
 
-Access secrets in your app:
-
+**3. Use in your app:**
 ```ruby
-Rails.application.secrets.api_key
-Rails.application.secrets.database_url
+Secvault.secrets.api_key
+Secvault.secrets.app_name
 ```
 
-## Multi-File Configuration
-
-Load and merge multiple secrets files:
+## Options
 
 ```ruby
-# config/initializers/secvault.rb
-Secvault.setup_multi_file!([
-  'config/secrets.yml',
-  'config/secrets.oauth.yml',
-  'config/secrets.local.yml'
-])
+Secvault.start!(
+  files: ['config/secrets.yml'],     # Files to load (later files override earlier ones)
+  integrate_with_rails: false,       # Add Rails.application.secrets
+  set_secret_key_base: true,         # Auto-set Rails.application.config.secret_key_base from secrets
+  hot_reload: true,                  # Auto-reload in development
+  logger: true                       # Log loading activity
+)
 ```
 
-Files are merged in order with deep merge support for nested hashes.
-
-## Manual API
-
+**Multiple files:**
 ```ruby
-# Parse specific files
-secrets = Rails::Secrets.parse(['config/secrets.yml'], env: Rails.env)
-
-# Load default config/secrets.yml
-secrets = Rails::Secrets.load(env: 'production')
-
-# Check if active
-Secvault.active? # => true/false
+# Later files override earlier ones
+Secvault.start!(files: ['secrets.yml', 'local.yml'])
 ```
 
-## Rails 7.1 Integration
-
-For Rails 7.1 with existing secrets functionality:
+**Rails integration:**
+```ruby
+Secvault.start!(integrate_with_rails: true)
+Rails.application.secrets.api_key  # Now available
+```
 
+**Secret key base:**
 ```ruby
-# config/initializers/secvault.rb
-Secvault.setup_backward_compatibility_with_older_rails!
+# If your secrets.yml has secret_key_base, it's automatically set
+# This replaces the need for Rails.application.config.secret_key_base
+Secvault.start!(set_secret_key_base: true)  # Default behavior
 ```
 
-## ERB Templating
 
-Supports full ERB templating for environment variables:
+## Advanced
 
+**ERB templating:**
 ```yaml
 production:
   api_key: <%= ENV['API_KEY'] %>
   pool_size: <%= ENV.fetch('DB_POOL', '5').to_i %>
-  features:
-    enabled: <%= ENV.fetch('FEATURES_ON', 'false') == 'true' %>
-  hosts: <%= ENV.fetch('ALLOWED_HOSTS', 'localhost').split(',') %>
 ```
 
-## Development Tools
+**YAML anchors for sharing:**
+```yaml
+defaults: &defaults
+  app_name: "MyApp"
+  timeout: 30
 
-Reload secrets in development:
+development:
+  <<: *defaults
+  debug: true
 
+production:
+  <<: *defaults
+  timeout: 10  # Override specific values
+```
+
+**Development helpers:**
 ```ruby
-# Available after setup_multi_file!
-reload_secrets!
-Rails.application.reload_secrets!
+reload_secrets!            # Reload files
+Secvault.active?           # Check status
 ```
 
+
 ## License
 
 MIT

data/lib/secvault/rails_secrets.rb

@@ -1,54 +1,57 @@
 # frozen_string_literal: true
 
 module Secvault
-  # Rails::Secrets compatibility module
+  # Rails::Secrets compatibility class
   # Provides the classic Rails::Secrets interface for backwards compatibility
-  # This replicates the Rails < 7.2 Rails::Secrets module functionality
-  module RailsSecrets
-    extend self
+  # This replicates the Rails < 7.2 Rails::Secrets class functionality
+  class RailsSecrets
+    class << self
+      attr_accessor :root
 
-    # Parse secrets from one or more YAML files
-    #
-    # Supports:
-    # - ERB templating for environment variables
-    # - Shared sections that apply to all environments
-    # - Environment-specific sections
-    # - Multiple files (merged in order)
-    # - Deep symbolized keys
-    #
-    # Examples:
-    #   # Single file
-    #   Rails::Secrets.parse(['config/secrets.yml'], env: 'development')
-    #
-    #   # Multiple files (merged in order)
-    #   Rails::Secrets.parse([
-    #     'config/secrets.yml',
-    #     'config/secrets.local.yml'
-    #   ], env: 'development')
-    #
-    #   # Load default config/secrets.yml
-    #   Rails::Secrets.load  # uses current Rails.env
-    #   Rails::Secrets.load(env: 'production')
-    def parse(paths, env:)
-      Secvault::Secrets.parse(paths, env: env.to_s)
-    end
+      # Parse secrets from one or more YAML files
+      #
+      # Supports:
+      # - ERB templating for environment variables
+      # - Environment-specific sections (YAML anchors handle sharing)
+      # - Multiple files (merged in order)
+      # - Deep symbolized keys
+      #
+      # Examples:
+      #   # Single file
+      #   Rails::Secrets.parse(['config/secrets.yml'], env: 'development')
+      #
+      #   # Multiple files (merged in order)
+      #   Rails::Secrets.parse([
+      #     'config/secrets.yml',
+      #     'config/secrets.local.yml'
+      #   ], env: 'development')
+      #
+      #   # Load default config/secrets.yml
+      #   Rails::Secrets.load  # uses current Rails.env
+      #   Rails::Secrets.load(env: 'production')
+      def parse(paths, env:)
+        Secvault::Secrets.parse(paths, env: env.to_s)
+      end
 
-    # Load secrets from the default config/secrets.yml file
-    def load(env: Rails.env)
-      secrets_path = Rails.root.join("config/secrets.yml")
-      parse([secrets_path], env: env)
-    end
+      # Load secrets from the default config/secrets.yml file
+      def load(env: Rails.env)
+        secrets_path = Rails.root.join("config/secrets.yml")
+        parse([secrets_path], env: env)
+      end
 
-    # Backward compatibility aliases (deprecated)
-    alias_method :parse_default, :load
-    alias_method :read, :load
+      # Backward compatibility aliases (deprecated)
+      alias_method :parse_default, :load
+      alias_method :read, :load
+    end
   end
 end
 
-# Monkey patch to restore Rails::Secrets interface for backwards compatibility
+# Replace Rails::Secrets interface for backwards compatibility
 # Works consistently across all Rails versions with warning suppression
 if defined?(Rails)
   module Rails
+    # Remove existing constant to avoid warnings
+    remove_const(:Secrets) if const_defined?(:Secrets, false)
     Secrets = Secvault::RailsSecrets
   end
 end

data/lib/secvault/railtie.rb

@@ -2,34 +2,154 @@
 
 require "rails/railtie"
 
+# Extremely early hook to set up Rails.application.secrets before Application class is defined
+if defined?(Rails)
+  # Set up a robust Rails.application with secrets support
+  unless Rails.respond_to?(:application) && Rails.application.respond_to?(:secrets)
+    # Create a minimal application-like object
+    temp_app = Object.new
+
+    # Add secrets method with default empty secrets that include needed encryption keys
+    temp_app.define_singleton_method(:secrets) do
+      @secrets ||= begin
+        secrets = ActiveSupport::OrderedOptions.new
+
+        # Add empty encryption section to prevent NoMethodError
+        secrets.encryption = {
+          primary_key: nil,
+          deterministic_key: nil,
+          key_derivation_salt: nil
+        }
+
+        secrets
+      end
+    end
+
+    # Set up Rails.application if it doesn't exist
+    Rails.define_singleton_method(:application) { temp_app } unless Rails.respond_to?(:application)
+  end
+end
+
 module Secvault
   class Railtie < Rails::Railtie
     railtie_name :secvault
 
+    # Hook to set up early secrets access before application configuration
+    config.before_configuration do |app|
+      Secvault::EarlyLoader.setup_early_secrets(app)
+    end
+
     initializer "secvault.initialize", before: :load_environment_hook do |app|
       Secvault::Secrets.setup(app)
     end
+  end
 
-    # Ensure initialization happens early in all environments
-    config.before_configuration do |app|
-      secrets_path = app.root.join("config/secrets.yml")
+  # Early loader class to handle secrets before application configuration
+  class EarlyLoader
+    class << self
+      def setup_early_secrets(app)
+        puts "[Secvault Debug] setup_early_secrets called" unless Rails.env.production?
+
+        if Rails.application.respond_to?(:secrets) && !Rails.application.secrets.empty?
+          puts "[Secvault Debug] Secrets already exist, skipping early load" unless Rails.env.production?
+          return
+        end
+
+        # Look for Secvault configuration in the app
+        secrets_config = find_secvault_config(app)
+        puts "[Secvault Debug] Found config: #{secrets_config&.keys}" unless Rails.env.production?
+        return unless secrets_config
 
-      if secrets_path.exist? && !Rails.application.respond_to?(:secrets)
-        # Early initialization for test environment compatibility
-        current_env = ENV["RAILS_ENV"] || "development"
-        secrets = Secvault::Secrets.read_secrets(secrets_path, current_env)
+        begin
+          # Load secrets using the configuration found
+          all_secrets = Secvault::Secrets.parse(secrets_config[:files], env: Rails.env)
+          puts "[Secvault Debug] Loaded secrets keys: #{all_secrets.keys}" unless Rails.env.production?
 
-        if secrets
+          # Set up Rails.application.secrets immediately
           Rails.application.define_singleton_method(:secrets) do
             @secrets ||= begin
               current_secrets = ActiveSupport::OrderedOptions.new
-              env_secrets = Secvault::Secrets.read_secrets(secrets_path, Rails.env)
-              current_secrets.merge!(env_secrets) if env_secrets
+              current_secrets.merge!(all_secrets)
+              puts "[Secvault Debug] Returning secrets with encryption: #{current_secrets.encryption}" unless Rails.env.production?
               current_secrets
             end
           end
+
+          # Test the secrets immediately
+          test_encryption = Rails.application.secrets.encryption
+          puts "[Secvault Debug] Test access - encryption: #{test_encryption.class} - #{test_encryption}" unless Rails.env.production?
+
+          Rails.logger&.info "[Secvault] Early secrets loaded from #{secrets_config[:files].size} files" unless Rails.env.production?
+        rescue => e
+          Rails.logger&.warn "[Secvault] Failed to load early secrets: #{e.message}"
         end
       end
+
+      private
+
+      def find_secvault_config(app)
+        # Look for Secvault configuration in various locations
+        config_locations = [
+          app.root.join("config/initializers/secvault.rb"),
+          app.root.join("config/secvault.rb")
+        ]
+
+        config_locations.each do |config_file|
+          next unless config_file.exist?
+
+          config = parse_secvault_config(config_file)
+          return config if config
+        end
+
+        # Fallback to default configuration
+        default_files = [app.root.join("config/secrets.yml")]
+
+        # Check if neeto-commons-backend is available for default config
+        if defined?(NeetoCommonsBackend) && NeetoCommonsBackend.respond_to?(:shared_secrets_file)
+          default_files.unshift(NeetoCommonsBackend.shared_secrets_file)
+        end
+
+        # Only return default if at least one file exists
+        existing_files = default_files.select(&:exist?)
+        return {files: existing_files} if existing_files.any?
+
+        nil
+      end
+
+      def parse_secvault_config(config_file)
+        # Read the configuration file and extract Secvault.start! parameters
+        content = config_file.read
+
+        # Look for Secvault.start! calls
+        if /Secvault\.start!\s*\(/m.match?(content)
+          # Try to extract the files parameter using a simple regex
+          files_match = content.match(/files:\s*\[(.*?)\]/m)
+          if files_match
+            # Parse the files array (basic string parsing)
+            files_content = files_match[1]
+            files = []
+
+            # Handle various file specification patterns
+            files_content.scan(/["'](.*?)["']|([A-Za-z_][\w.]*\([^)]*\))/) do |quoted, method_call|
+              if quoted
+                files << Rails.root.join(quoted.strip)
+              elsif method_call
+                # Handle method calls like NeetoCommonsBackend.shared_secrets_file
+                if method_call.include?("NeetoCommonsBackend.shared_secrets_file") && defined?(NeetoCommonsBackend)
+                  files << NeetoCommonsBackend.shared_secrets_file
+                end
+              end
+            end
+
+            return {files: files.compact} if files.any?
+          end
+        end
+
+        nil
+      rescue => e
+        Rails.logger&.warn "[Secvault] Failed to parse config file #{config_file}: #{e.message}"
+        nil
+      end
     end
   end
 end

data/lib/secvault/secrets.rb

@@ -56,7 +56,7 @@ module Secvault
       end
 
       # Classic Rails::Secrets.parse implementation
-      # Parses plain YAML secrets files and merges shared + environment-specific sections
+      # Parses plain YAML secrets files for specific environment
       def parse(paths, env:)
         paths.each_with_object({}) do |path, all_secrets|
           # Handle string paths by converting to Pathname
@@ -72,8 +72,7 @@ module Secvault
 
           secrets ||= {}
 
-          # Merge shared secrets first, then environment-specific (using deep merge)
-          all_secrets.deep_merge!(secrets["shared"].deep_symbolize_keys) if secrets["shared"]
+          # Only load environment-specific section (YAML anchors handle sharing)
           all_secrets.deep_merge!(secrets[env].deep_symbolize_keys) if secrets[env]
         end
       end

data/lib/secvault/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Secvault
-  VERSION = "2.7.1"
+  VERSION = "3.1.0"
 end

data/lib/secvault.rb

@@ -15,7 +15,7 @@ loader.setup
 #
 # Secvault restores the classic Rails secrets.yml functionality using simple,
 # plain YAML files for environment-specific secrets management. Works consistently
-# across all Rails versions with automatic deprecation warning suppression.
+# across all Rails versions.
 #
 # ## Rails Version Support:
 # - Rails 7.1+: Full compatibility with automatic setup
@@ -26,18 +26,20 @@ loader.setup
 # Add this to an initializer:
 #
 #   # config/initializers/secvault.rb
-#   Secvault.setup!
+#   Secvault.start!
 #
 # ## Usage:
 #   Rails.application.secrets.api_key
 #   Rails.application.secrets.oauth_settings[:google_client_id]
+#   Secvault.secrets.your_key  # Direct access
 #   Rails::Secrets.load(env: 'development')  # Load default config/secrets.yml
 #   Rails::Secrets.parse(['custom.yml'], env: Rails.env)  # Parse custom files
 #
 # ## Getting Started:
 #   1. Create config/secrets.yml with your secrets
-#   2. Use Rails.application.secrets.your_secret in your app
-#   3. For production, use environment variables with ERB syntax
+#   2. Call Secvault.start! in an initializer
+#   3. Use Rails.application.secrets.your_secret in your app
+#   4. For production, use environment variables with ERB syntax
 #
 # @see https://github.com/unnitallman/secvault
 module Secvault
@@ -63,122 +65,135 @@ module Secvault
     defined?(Rails) && Rails::Secrets == Secvault::RailsSecrets
   end
 
-  def install!
-    return if defined?(Rails::Railtie).nil?
+  # Early setup method for use in config/application.rb before other configuration
+  # This ensures Rails.application has secrets available during application class definition
+  def setup_early_application_secrets!(files: nil, application_class: nil)
+    return false unless defined?(Rails)
 
-    require "secvault/railtie"
-    require "secvault/rails_secrets"
-  end
+    # Default files if not provided
+    files ||= begin
+      default_files = ["config/secrets.yml"]
 
-  # Set up Secvault for all Rails versions
-  # This provides a universal way to integrate Secvault into Rails apps
-  # with consistent behavior across all Rails versions.
-  #
-  # Usage in an initializer:
-  #   Secvault.setup!
-  #   Secvault.setup!(suppress_warnings: false)
-  #
-  # This will:
-  # 1. Set up Rails::Secrets with Secvault implementation
-  # 2. Replace Rails.application.secrets with Secvault-powered functionality
-  # 3. Load secrets from config/secrets.yml automatically
-  # 4. Suppress Rails deprecation warnings about secrets (default: true)
-  # 5. Set Rails.application.config.secret_key_base from secrets (default: true)
-  def setup!(suppress_warnings: true, set_secret_key_base: true)
-    # Override native Rails::Secrets
-    Rails.send(:remove_const, :Secrets) if defined?(Rails::Secrets)
-    Rails.const_set(:Secrets, Secvault::RailsSecrets)
+      # Add neeto-commons-backend file if available
+      if defined?(NeetoCommonsBackend) && NeetoCommonsBackend.respond_to?(:shared_secrets_file)
+        default_files.unshift(NeetoCommonsBackend.shared_secrets_file)
+      end
 
-    # Set up Rails.application.secrets replacement
-    Rails.application.config.after_initialize do
-      # Suppress Rails deprecation warnings about secrets if requested
-      suppress_secrets_deprecation_warning! if suppress_warnings
+      default_files
+    end
 
-      secrets_path = Rails.root.join("config/secrets.yml")
+    # Create a temporary Rails.application if it doesn't exist
+    unless Rails.respond_to?(:application) && Rails.application
+      # Create a temporary application-like object with secrets
+      temp_app = Object.new
+
+      # Add lazy secrets loading
+      temp_app.define_singleton_method(:secrets) do
+        @secrets ||= begin
+          # Convert to full paths and filter existing files
+          file_paths = files.map do |file|
+            file.is_a?(Pathname) ? file : Rails.root.join(file)
+          end.select(&:exist?)
+
+          if file_paths.any?
+            # Load secrets using Secvault
+            all_secrets = Secvault::Secrets.parse(file_paths, env: Rails.env)
+            current_secrets = ActiveSupport::OrderedOptions.new
+            current_secrets.merge!(all_secrets)
+            current_secrets
+          else
+            # Return empty secrets if no files found but include encryption structure
+            secrets = ActiveSupport::OrderedOptions.new
+            secrets.encryption = ActiveSupport::OrderedOptions.new
+            secrets.encryption.primary_key = nil
+            secrets.encryption.deterministic_key = nil
+            secrets.encryption.key_derivation_salt = nil
+            secrets
+          end
+        end
+      end
 
-      if secrets_path.exist?
-        # Load secrets using Secvault
-        loaded_secrets = Rails::Secrets.parse([secrets_path], env: Rails.env)
+      # Set up Rails.application to point to this temporary object
+      Rails.define_singleton_method(:application) { temp_app }
+    end
 
-        # Create ActiveSupport::OrderedOptions object for compatibility
-        secrets_object = ActiveSupport::OrderedOptions.new
-        secrets_object.merge!(loaded_secrets)
+    true
+  rescue => e
+    warn "[Secvault] Early application secrets setup failed: #{e.message}"
+    false
+  end
 
-        # Replace Rails.application.secrets
-        Rails.application.define_singleton_method(:secrets) do
-          secrets_object
-        end
+  # Alias for backward compatibility
+  alias_method :setup_early_secrets!, :setup_early_application_secrets!
 
-        # Set secret_key_base in Rails config to avoid accessing it from secrets
-        if set_secret_key_base && loaded_secrets.key?("secret_key_base")
-          Rails.application.config.secret_key_base = loaded_secrets["secret_key_base"]
-          unless Rails.env.production?
-            Rails.logger&.info "[Secvault] Set Rails.application.config.secret_key_base from secrets.yml"
-          end
-        end
+  def install!
+    return if defined?(Rails::Railtie).nil?
 
-        # Log integration success (except in production)
-        unless Rails.env.production?
-          Rails.logger&.info "[Secvault] Integration complete. Loaded #{loaded_secrets.keys.size} secret keys."
-        end
-      else
-        Rails.logger&.warn "[Secvault] No secrets.yml file found at #{secrets_path}"
-      end
-    end
+    require "secvault/railtie"
+    require "secvault/rails_secrets"
   end
 
-  # Set up multi-file secrets loading with a clean API
-  # Just pass an array of file paths and Secvault handles the rest
+  # Start Secvault with simplified, unified API
+  # This is the main entry point for all Secvault functionality
   #
-  # Usage in an initializer:
-  #   Secvault.setup_multi_file!([
-  #     'config/secrets.yml',
-  #     'config/secrets.oauth.yml',
-  #     'config/secrets.local.yml'
-  #   ])
+  # Usage examples:
+  #   Secvault.start!                                    # Simple: config/secrets.yml + Rails integration
+  #   Secvault.start!(files: ['custom.yml'])            # Custom single file
+  #   Secvault.start!(files: ['base.yml', 'local.yml']) # Multiple files
+  #   Secvault.start!(integrate_with_rails: false)      # Load only, no Rails integration
+  #   Secvault.start!(hot_reload: true)                 # Enable hot reload in development
+  #
+  # Access secrets:
+  #   Rails.application.secrets.your_key  # When integrate_rails: true (default)
+  #   Secvault.secrets.your_key           # Direct access (always available)
   #
   # Options:
-  #   - files: Array of file paths (String or Pathname)
-  #   - reload_method: Add a reload helper method (default: true in development)
-  #   - logger: Enable/disable logging (default: true except in production)
-  #   - suppress_warnings: Suppress Rails deprecation warnings about secrets (default: true)
+  #   - files: Array of file paths (String or Pathname). Defaults to ['config/secrets.yml']
+  #   - integrate_with_rails: Integrate with Rails.application.secrets (default: false)
   #   - set_secret_key_base: Set Rails.application.config.secret_key_base from secrets (default: true)
-  def setup_multi_file!(files, reload_method: Rails.env.development?, logger: !Rails.env.production?,
-    suppress_warnings: true, set_secret_key_base: true)
-    # Ensure Secvault integration is active
-    setup!(suppress_warnings: suppress_warnings, set_secret_key_base: set_secret_key_base) unless active?
-
-    # Convert strings to Pathname objects and resolve relative to Rails.root
-    file_paths = Array(files).map do |file|
+  #   - hot_reload: Add reload_secrets! methods for development (default: true in development)
+  #   - logger: Enable logging (default: true except production)
+  def start!(files: [], integrate_with_rails: false, set_secret_key_base: true,
+    hot_reload: ((defined?(Rails) && Rails.env.respond_to?(:development?)) ? Rails.env.development? : false),
+    logger: ((defined?(Rails) && Rails.env.respond_to?(:production?)) ? !Rails.env.production? : true))
+    # Default to config/secrets.yml if no files specified
+    files_to_load = files.empty? ? ["config/secrets.yml"] : Array(files)
+
+    # Convert to Pathname objects and resolve relative to Rails.root
+    file_paths = files_to_load.map do |file|
       file.is_a?(Pathname) ? file : Rails.root.join(file)
     end
 
-    # Set up the multi-file loading
-    Rails.application.config.after_initialize do
-      load_multi_file_secrets!(file_paths, logger: logger, suppress_warnings: suppress_warnings,
-        set_secret_key_base: set_secret_key_base)
+    # Load secrets into Secvault.secrets
+    load_secrets!(file_paths, logger: logger)
+
+    # Integrate with Rails if requested
+    if integrate_with_rails
+      setup_rails_integration!(file_paths, set_secret_key_base: set_secret_key_base, logger: logger)
     end
 
-    # Add reload helper in development
-    return unless reload_method
+    # Add hot reload functionality if requested
+    if hot_reload
+      add_hot_reload!(file_paths)
+    end
 
-    add_reload_helper!(file_paths)
+    true
+  rescue => e
+    Rails.logger&.error "[Secvault] Failed to start: #{e.message}" if defined?(Rails) && logger
+    false
   end
 
-  # Load secrets into Secvault.secrets only (no Rails integration)
-  def load_secrets_only!(files, logger: !Rails.env.production?)
-    # Convert strings to Pathname objects and resolve relative to Rails.root
-    file_paths = Array(files).map do |file|
-      file.is_a?(Pathname) ? file : Rails.root.join(file)
-    end
+  private
 
+  # Load secrets into Secvault.secrets (internal storage)
+  def load_secrets!(file_paths, logger: ((defined?(Rails) && Rails.env.respond_to?(:production?)) ? !Rails.env.production? : true))
     existing_files = file_paths.select(&:exist?)
 
     if existing_files.any?
-      # Load and merge all secrets files using Secvault's parser directly
+      # Load and merge all secrets files
       merged_secrets = Secvault::Secrets.parse(existing_files, env: Rails.env)
 
-      # Store in Secvault.secrets (ActiveSupport::OrderedOptions for compatibility)
+      # Store in internal storage with ActiveSupport::OrderedOptions for compatibility
       @@loaded_secrets = ActiveSupport::OrderedOptions.new
       @@loaded_secrets.merge!(merged_secrets)
 
@@ -197,51 +212,51 @@ module Secvault
     end
   end
 
-  # Load secrets from multiple files and merge them (with Rails integration)
-  def load_multi_file_secrets!(file_paths, logger: !Rails.env.production?, suppress_warnings: true,
-    set_secret_key_base: true)
-    existing_files = file_paths.select(&:exist?)
-
-    if existing_files.any?
-      # Suppress Rails deprecation warnings about secrets if requested
-      suppress_secrets_deprecation_warning! if suppress_warnings
-
-      # Load and merge all secrets files
-      merged_secrets = Rails::Secrets.parse(existing_files, env: Rails.env)
-
-      # Create ActiveSupport::OrderedOptions object for Rails compatibility
-      secrets_object = ActiveSupport::OrderedOptions.new
-      secrets_object.merge!(merged_secrets)
+  # Set up Rails integration
+  def setup_rails_integration!(file_paths, set_secret_key_base: true, logger: ((defined?(Rails) && Rails.env.respond_to?(:production?)) ? !Rails.env.production? : true))
+    # Override native Rails::Secrets with Secvault implementation
+    Rails.send(:remove_const, :Secrets) if defined?(Rails::Secrets)
+    Rails.const_set(:Secrets, Secvault::RailsSecrets)
 
-      # Replace Rails.application.secrets
-      Rails.application.define_singleton_method(:secrets) { secrets_object }
+    # Set up Rails.application.secrets replacement in after_initialize
+    Rails.application.config.after_initialize do
+      if @@loaded_secrets && !@@loaded_secrets.empty?
+        # Replace Rails.application.secrets with our loaded secrets
+        Rails.application.define_singleton_method(:secrets) do
+          @@loaded_secrets
+        end
 
-      # Set secret_key_base in Rails config to avoid accessing it from secrets
-      if set_secret_key_base && merged_secrets.key?("secret_key_base")
-        Rails.application.config.secret_key_base = merged_secrets["secret_key_base"]
-        Rails.logger&.info "[Secvault Multi-File] Set Rails.application.config.secret_key_base from secrets" if logger
-      end
+        # Set secret_key_base in Rails config to avoid accessing it from secrets
+        if set_secret_key_base && @@loaded_secrets.key?(:secret_key_base)
+          Rails.application.config.secret_key_base = @@loaded_secrets[:secret_key_base]
+          Rails.logger&.info "[Secvault] Set Rails.application.config.secret_key_base from secrets" if logger
+        end
 
-      # Log successful loading
-      if logger
-        file_names = existing_files.map(&:basename)
-        Rails.logger&.info "[Secvault Multi-File] Loaded #{existing_files.size} files: #{file_names.join(", ")}"
-        Rails.logger&.info "[Secvault Multi-File] Merged #{merged_secrets.keys.size} secret keys for #{Rails.env}"
+        # Log integration success (except in production)
+        if logger
+          Rails.logger&.info "[Secvault] Rails integration complete. #{@@loaded_secrets.keys.size} secret keys available."
+        end
+      elsif logger
+        Rails.logger&.warn "[Secvault] No secrets loaded for Rails integration"
       end
-
-      merged_secrets
-    else
-      Rails.logger&.warn "[Secvault Multi-File] No secrets files found" if logger
-      {}
     end
   end
 
-  # Add reload helper method for development
-  def add_reload_helper!(file_paths)
+  # Add hot reload functionality for development
+  def add_hot_reload!(file_paths)
     # Define reload method on Rails.application
     Rails.application.define_singleton_method(:reload_secrets!) do
-      Secvault.load_multi_file_secrets!(file_paths, logger: true)
-      puts "🔄 Reloaded secrets from #{file_paths.size} files"
+      # Reload secrets
+      Secvault.send(:load_secrets!, file_paths, logger: true)
+
+      # Re-apply Rails integration if needed
+      if Secvault.rails_integrated? && @@loaded_secrets
+        Rails.application.define_singleton_method(:secrets) do
+          @@loaded_secrets
+        end
+      end
+
+      puts "🔄 Hot reloaded secrets from #{file_paths.size} files"
       true
     end
 
@@ -249,63 +264,63 @@ module Secvault
     Object.define_method(:reload_secrets!) do
       Rails.application.reload_secrets!
     end
+
+    Rails.logger&.info "[Secvault] Hot reload enabled. Use reload_secrets! to refresh secrets." unless defined?(Rails) && Rails.env.respond_to?(:production?) && Rails.env.production?
   end
 
-  # Start Secvault and load secrets (without Rails integration)
-  #
-  # Usage:
-  #   Secvault.start!                                    # Uses config/secrets.yml only
-  #   Secvault.start!(files: [])                        # Same as above
-  #   Secvault.start!(files: ['path/to/secrets.yml'])   # Custom single file
-  #   Secvault.start!(files: ['gem.yml', 'app.yml'])    # Multiple files
-  #
-  # Access loaded secrets via: Secvault.secrets.your_key
-  # To integrate with Rails.application.secrets, call: Secvault.integrate_with_rails!
-  #
-  # Options:
-  #   - files: Array of file paths (String or Pathname). Defaults to ['config/secrets.yml']
-  #   - logger: Enable logging (default: true except production)
-  def start!(files: [], logger: !Rails.env.production?)
-    # Default to host app's config/secrets.yml if no files specified
-    files_to_load = files.empty? ? ["config/secrets.yml"] : files
+  public
 
-    # Load secrets into Secvault.secrets (completely independent of Rails)
-    load_secrets_only!(files_to_load, logger: logger)
+end
 
-    true
-  rescue => e
-    Rails.logger&.error "[Secvault] Failed to start: #{e.message}" if defined?(Rails)
-    false
-  end
+# Auto-install and setup when Rails is available
+if defined?(Rails)
+  Secvault.install!
+
+  # Immediate setup for early access during application loading
+  begin
+    # Try to detect and load secrets immediately if Rails.root is available
+    if Rails.respond_to?(:root) && Rails.root
+      # Look for default secrets or configuration
+      default_secrets_file = Rails.root.join("config/secrets.yml")
+      commons_secrets_file = nil
+
+      # Check for neeto-commons-backend integration
+      if defined?(NeetoCommonsBackend) && NeetoCommonsBackend.respond_to?(:shared_secrets_file)
+        commons_secrets_file = NeetoCommonsBackend.shared_secrets_file
+      end
 
-  # Integrate loaded secrets with Rails.application.secrets
-  def integrate_with_rails!
-    return false unless @@loaded_secrets
+      files_to_load = [commons_secrets_file, default_secrets_file].compact.select(&:exist?)
 
-    begin
-      # Set up Rails::Secrets to use Secvault's parser (only when integrating)
-      unless rails_integrated?
-        Rails.send(:remove_const, :Secrets) if defined?(Rails::Secrets)
-        Rails.const_set(:Secrets, Secvault::RailsSecrets)
-      end
+      if files_to_load.any? && Rails.respond_to?(:env)
+        # Load secrets immediately
+        all_secrets = Secvault::Secrets.parse(files_to_load, env: Rails.env)
 
-      # Replace Rails.application.secrets with Secvault's loaded secrets
-      Rails.application.define_singleton_method(:secrets) do
-        Secvault.secrets
-      end
+        # Set up Rails.application.secrets if Rails.application exists
+        if Rails.respond_to?(:application) && Rails.application
+          Rails.application.define_singleton_method(:secrets) do
+            @secrets ||= begin
+              current_secrets = ActiveSupport::OrderedOptions.new
+              current_secrets.merge!(all_secrets)
+              current_secrets
+            end
+          end
+        else
+          # Create a minimal Rails.application for early access
+          temp_app = Object.new
+          temp_app.define_singleton_method(:secrets) do
+            @secrets ||= begin
+              current_secrets = ActiveSupport::OrderedOptions.new
+              current_secrets.merge!(all_secrets)
+              current_secrets
+            end
+          end
 
-      Rails.logger&.info "[Secvault] Integrated with Rails.application.secrets" unless Rails.env.production?
-      true
-    rescue => e
-      Rails.logger&.error "[Secvault] Failed to integrate with Rails: #{e.message}" if defined?(Rails)
-      false
+          Rails.define_singleton_method(:application) { temp_app } unless Rails.respond_to?(:application)
+        end
+      end
     end
+  rescue => e
+    # Silent fail - normal initialization will handle it
+    warn "[Secvault] Early auto-load failed: #{e.message}" unless Rails.env&.production?
   end
-
-  # Backward compatibility aliases
-  alias_method :setup_backward_compatibility_with_older_rails!, :setup! # Legacy name
-  alias_method :setup_rails_71_integration!, :setup! # Legacy name
-  alias_method :setup_multi_files!, :setup_multi_file! # Alternative name
 end
-
-Secvault.install! if defined?(Rails)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secvault
 version: !ruby/object:Gem::Version
-  version: 2.7.1
+  version: 3.1.0
 platform: ruby
 authors:
 - Unnikrishnan KP