secvault 3.0.0 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7e9d55bf6f12233064ea7ced4e9b40c84f8f3a6ce38d6b5b79d5f0e8f4a7214a
-  data.tar.gz: 7ade516b0c550c0b3c98f04fc39ff1079d5c46436da6a7fd6153bdc1d9eac4fb
+  metadata.gz: d57e110e287dd498f1751e5d823283c7f673c5f7511fca743772bec1ba25c5fc
+  data.tar.gz: b4c48354b471bc32634eb40dc15a99869e86825aae010f9f338ca4ab91850d66
 SHA512:
-  metadata.gz: b2939f3acd3e9525d000b7195fd9967a4e8f80c04800e4cbac9da774625bc1cae7b26e1f0320d4d57d53abbf1bdb53a3899977deb9625880fd84458c7c302277
-  data.tar.gz: 84de3b9f8ecd84e820668d3ac2bd7fedeb7946e2707f88e00cd7219f258d597417b025a72b889dc93bf6e408c2686b2c444b90e1d2eaee856f1040d9f5b8d63a
+  metadata.gz: 6c1f2e1f452cfca7bbcc34117a32b05d252589d156b59175158577548f9158628bf1d0f01ace21714b3f8cf7fd8de195769ecf0d60b6d11915d4ca10163070e3
+  data.tar.gz: 1b5ffc0246423e154b2c0e12799e6d11370c8fa242eed3bec9f902e98df9119e70d0ae1da27f02c206a62a47b839c8e0788f35afd0d5a5cca7fe360739c66ced

data/README.md

@@ -1,456 +1,109 @@
 # Secvault
 
-Secvault restores the classic Rails `secrets.yml` functionality using simple, plain YAML files for environment-specific secrets management. Compatible with all modern Rails versions (7.1+, 7.2+, 8.0+).
+Simple YAML secrets management for Rails. Uses standard YAML anchors for sharing configuration.
 
 [![Gem Version](https://img.shields.io/gem/v/secvault.svg)](https://rubygems.org/gems/secvault)
 
-## Why Secvault?
-
-- **Drop-in replacement** for Rails 7.2+'s removed `secrets.yml` functionality
-- **Universal compatibility** across Rails 7.1+, 7.2+, and 8.0+
-- **ERB templating** support for environment variables
-- **Multi-file support** with deep merging capabilities
-- **Shared sections** for common configuration across environments
-- **Simple YAML** - no complex credential management required
-
 ## Installation
 
 ```ruby
-# Gemfile
 gem 'secvault'
 ```
 
-```bash
-bundle install
-```
-
-## Quick Start
-
-### 1. Simple Setup
-
-Create `config/initializers/secvault.rb`:
+## Usage
 
+**1. Add to initializer:**
 ```ruby
-# The simplest setup - works across all Rails versions
+# config/initializers/secvault.rb
 Secvault.start!
 ```
 
-Create `config/secrets.yml`:
-
+**2. Create secrets file:**
 ```yaml
-shared:
-  app_name: "My Rails App"
-  timeout: 30
+# config/secrets.yml
+defaults: &defaults
+  app_name: "MyApp"
 
 development:
-  secret_key_base: "dev_secret_key_here"
-  api_key: "dev_key_123"
-  database_url: "postgresql://localhost/myapp_dev"
-  debug: true
-
-test:
-  secret_key_base: "test_secret_key_here"
-  api_key: "test_key_123"
+  <<: *defaults
+  secret_key_base: "dev_secret"
+  api_key: "dev_key"
 
 production:
+  <<: *defaults
   secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
   api_key: <%= ENV['API_KEY'] %>
-  database_url: <%= ENV['DATABASE_URL'] %>
-  debug: false
-```
-
-### 2. Access Your Secrets
-
-```ruby
-# In your Rails application
-Rails.application.secrets.api_key
-Rails.application.secrets.app_name
-Rails.application.secrets.database_url
-
-# Nested secrets work too
-Rails.application.secrets.database.host
-Rails.application.secrets.features.analytics
 ```
 
-## Setup Methods
-
-### Unified start! Method
-
-Secvault now uses a single, simplified `start!` method for all use cases:
-
+**3. Use in your app:**
 ```ruby
-# Simplest setup - loads config/secrets.yml with Rails integration
-Secvault.start!
-
-# Custom single file
-Secvault.start!(files: ['custom.yml'])
-
-# Multiple files with hot reload
-Secvault.start!(
-  files: ['config/secrets.yml', 'config/secrets.local.yml'],
-  hot_reload: true
-)
-
-# All available options
-Secvault.start!(
-  files: ['config/secrets.yml'],           # Default: ['config/secrets.yml']
-  integrate_with_rails: true,              # Default: true
-  set_secret_key_base: true,              # Default: true
-  hot_reload: true,                       # Default: true in development
-  logger: true                            # Default: true except production
-)
+Secvault.secrets.api_key
+Secvault.secrets.app_name
 ```
 
-### Advanced Usage
+## Options
 
 ```ruby
-# Load without Rails integration (standalone mode)
-Secvault.start!(integrate_with_rails: false)
-# Access via: Secvault.secrets.your_key
-
-# Multi-file with hot reload for development
 Secvault.start!(
-  files: [
-    'config/secrets.yml',
-    'config/secrets.oauth.yml', 
-    'config/secrets.local.yml'   # Git-ignored local overrides
-  ],
-  hot_reload: true,
-  logger: true
+  files: ['config/secrets.yml'],     # Files to load (later files override earlier ones)
+  integrate_with_rails: false,       # Add Rails.application.secrets
+  set_secret_key_base: true,         # Auto-set Rails.application.config.secret_key_base from secrets
+  hot_reload: true,                  # Auto-reload in development
+  logger: true                       # Log loading activity
 )
 ```
 
-
-## Advanced Features
-
-### ERB Templating
-
-Secvault supports full ERB templating for dynamic configuration:
-
-```yaml
-production:
-  secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
-  api_key: <%= ENV['API_KEY'] %>
-  pool_size: <%= ENV.fetch('DB_POOL', '5').to_i %>
-  
-  # Complex expressions
-  features:
-    enabled: <%= ENV.fetch('FEATURES_ON', 'false') == 'true' %>
-    analytics: <%= Rails.env.production? && ENV['ANALYTICS'] != 'false' %>
-  
-  # Arrays and complex data structures
-  allowed_hosts: <%= ENV.fetch('ALLOWED_HOSTS', 'localhost').split(',') %>
-  
-  # Conditional values
-  redis_url: <%=
-    if ENV['REDIS_URL']
-      ENV['REDIS_URL']
-    else
-      "redis://localhost:6379/#{Rails.env}"
-    end
-  %>
-```
-
-### Shared Sections
-
-Define common secrets that apply to all environments:
-
-```yaml
-shared:
-  app_name: "MyApp"
-  version: "2.1.0"
-  timeout: 30
-  features:
-    analytics: true
-    
-development:
-  secret_key_base: "dev_secret"
-  features:
-    debug: true    # Merges with shared.features
-    
-production:
-  secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
-  features:
-    analytics: false  # Overrides shared.features.analytics
-```
-
-### Multi-File Configuration
-
-Organize your secrets across multiple files for better maintainability:
-
+**Multiple files:**
 ```ruby
-Secvault.setup_multi_file!([
-  'config/secrets.yml',           # Base secrets
-  'config/secrets.oauth.yml',     # OAuth provider settings
-  'config/secrets.database.yml',  # Database configurations
-  'config/secrets.local.yml'      # Local overrides (git-ignored)
-])
+# Later files override earlier ones
+Secvault.start!(files: ['secrets.yml', 'local.yml'])
 ```
 
-**File merging behavior:**
-- Files are processed in order
-- Later files override earlier ones
-- Deep merging for nested hashes
-- Shared sections are merged first, then environment-specific
-
-### Hot Reload (Development)
-
-Secvault provides hot reload functionality for development:
-
+**Rails integration:**
 ```ruby
-# Enable hot reload when starting Secvault
-Secvault.start!(hot_reload: true)  # Default: true in development
-
-# Then reload secrets without restarting Rails
-reload_secrets!
-
-# Or via Rails.application
-Rails.application.reload_secrets!
-```
-
-Hot reload is automatically enabled in development mode and provides instant feedback when you change your secrets files.
-
-## Manual API
-
-For advanced use cases, you can use the lower-level API:
-
-```ruby
-# Parse specific files
-secrets = Rails::Secrets.parse(['config/secrets.yml'], env: 'production')
-
-# Load from default location
-secrets = Rails::Secrets.load(env: 'development')
-
-# Check if Secvault is active
-Secvault.active?  # => true/false
-
-# Check if integrated with Rails
-Secvault.rails_integrated?  # => true/false
-
-# Access loaded secrets directly
-Secvault.secrets.api_key  # Available after Secvault.start!
+Secvault.start!(integrate_with_rails: true)
+Rails.application.secrets.api_key  # Now available
 ```
 
-## Rails Version Compatibility
-
-| Rails Version | Support Level | Notes |
-|---------------|---------------|-------|
-| **Rails 7.1+** | ✅ Full compatibility | Manual setup required |
-| **Rails 7.2+** | ✅ Drop-in replacement | Automatic setup works |
-| **Rails 8.0+** | ✅ Full compatibility | Future-proof |
-
-### Rails 7.2+ Notes
-Rails 7.2 removed the built-in `secrets.yml` functionality. Secvault provides a complete replacement with the same API.
-
-### Rails 7.1 Notes
-Rails 7.1 still has `secrets.yml` support but shows deprecation warnings. Secvault provides a consistent experience across Rails versions.
-
-## Migration Guide
-
-### From Previous Secvault Versions
-
-**BREAKING CHANGE**: The API has been simplified. Update your initializers:
-
+**Secret key base:**
 ```ruby
-# Old API (no longer supported):
-Secvault.setup!
-Secvault.setup_multi_file!(['file1.yml', 'file2.yml'])
-Secvault.integrate_with_rails!
-
-# New unified API:
-Secvault.start!                                     # Simple case
-Secvault.start!(files: ['file1.yml', 'file2.yml'])  # Multi-file case
-Secvault.start!(integrate_with_rails: false)        # Standalone mode
+# If your secrets.yml has secret_key_base, it's automatically set
+# This replaces the need for Rails.application.config.secret_key_base
+Secvault.start!(set_secret_key_base: true)  # Default behavior
 ```
 
-### From Rails < 7.2 Built-in Secrets
-
-1. **Add Secvault to your Gemfile**:
-   ```ruby
-   gem 'secvault'
-   ```
-
-2. **Create initializer**:
-   ```ruby
-   # config/initializers/secvault.rb
-   Secvault.start!
-   ```
-
-3. **Your existing `config/secrets.yml` works as-is** - no changes needed!
-
-### From Rails Credentials
-
-1. **Extract your credentials to YAML**:
-   ```bash
-   # Export existing credentials
-   rails credentials:show > config/secrets.yml
-   ```
-
-2. **Format as environment-specific YAML**:
-   ```yaml
-   development:
-     secret_key_base: "your_dev_secret"
-     # ... other secrets
-   
-   production:
-     secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
-     # ... other secrets
-   ```
-
-3. **Set up Secvault**:
-   ```ruby
-   # config/initializers/secvault.rb
-   Secvault.start!
-   ```
 
-## Configuration Examples
-
-### Basic Application
+## Advanced
 
+**ERB templating:**
 ```yaml
-# config/secrets.yml
-shared:
-  app_name: "MyApp"
-  
-development:
-  secret_key_base: "long_random_string_for_dev"
-  database_url: "postgresql://localhost/myapp_dev"
-  
-test:
-  secret_key_base: "long_random_string_for_test"
-  database_url: "postgresql://localhost/myapp_test"
-  
 production:
-  secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
-  database_url: <%= ENV['DATABASE_URL'] %>
-```
-
-### Multi-Service Application
-
-```ruby
-# config/initializers/secvault.rb
-Secvault.start!(
-  files: [
-    'config/secrets.yml',
-    'config/secrets.oauth.yml',
-    'config/secrets.external_apis.yml',
-    'config/secrets.local.yml'  # Git-ignored
-  ],
-  hot_reload: true
-)
+  api_key: <%= ENV['API_KEY'] %>
+  pool_size: <%= ENV.fetch('DB_POOL', '5').to_i %>
 ```
 
+**YAML anchors for sharing:**
 ```yaml
-# config/secrets.yml (base)
-shared:
+defaults: &defaults
   app_name: "MyApp"
   timeout: 30
 
 development:
-  secret_key_base: "dev_secret"
+  <<: *defaults
   debug: true
 
 production:
-  secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
-  debug: false
-```
-
-```yaml
-# config/secrets.oauth.yml
-shared:
-  oauth:
-    google:
-      scope: "email profile"
-
-development:
-  oauth:
-    google:
-      client_id: "dev_google_client_id"
-      client_secret: "dev_google_client_secret"
-
-production:
-  oauth:
-    google:
-      client_id: <%= ENV['GOOGLE_CLIENT_ID'] %>
-      client_secret: <%= ENV['GOOGLE_CLIENT_SECRET'] %>
-```
-
-## Troubleshooting
-
-### Common Issues
-
-**1. "No secrets.yml file found"**
-```bash
-# Create the file
-mkdir -p config
-touch config/secrets.yml
-```
-
-**2. "undefined method `secrets' for Rails.application"**
-```ruby
-# Make sure Secvault is set up in an initializer
-# config/initializers/secvault.rb
-Secvault.start!
-```
-
-**3. "Secrets not loading in tests"**
-```ruby
-# In your test helper or rails_helper.rb
-Secvault.start! if defined?(Secvault)
-```
-
-**4. "Environment variables not working"**
-```yaml
-# Make sure you're using ERB syntax
-production:
-  api_key: <%= ENV['API_KEY'] %>  # ✅ Correct
-  api_key: $API_KEY               # ❌ Wrong
+  <<: *defaults
+  timeout: 10  # Override specific values
 ```
 
-### Debug Mode
-
+**Development helpers:**
 ```ruby
-# Enable detailed logging (development/test only)
-Secvault.start!(files: ['config/secrets.yml'], logger: true)
-
-# Check if Secvault is working
-Secvault.active?           # Should return true
-Secvault.rails_integrated? # Should return true
-Rails.application.secrets  # Should show your secrets
+reload_secrets!            # Reload files
+Secvault.active?           # Check status
 ```
 
-## API Reference
-
-### Setup Methods
-
-- `Secvault.start!(files: [], integrate_with_rails: true, set_secret_key_base: true, hot_reload: auto, logger: auto)` - Main and only setup method
-
-### Status Methods
-
-- `Secvault.active?` - Check if secrets are loaded
-- `Secvault.rails_integrated?` - Check if Rails integration is active
-- `Secvault.secrets` - Access loaded secrets directly
-
-### Rails API Compatibility
-
-- `Rails::Secrets.parse(files, env:)` - Parse specific files
-- `Rails::Secrets.load(env:)` - Load from default config/secrets.yml
-- `Rails.application.secrets` - Access secrets (same as classic Rails)
-
-### Legacy Aliases
-
-- `Secvault.setup_backward_compatibility_with_older_rails!` (alias for `setup!`)
-- `Secvault.setup_rails_71_integration!` (alias for `setup!`)
-- `Secvault.setup_multi_files!` (alias for `setup_multi_file!`)
-
-## Contributing
-
-1. Fork it
-2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Add some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create new Pull Request
 
 ## License
 
-MIT License. See [LICENSE](LICENSE) for details.
+MIT

data/lib/secvault/rails_secrets.rb

@@ -1,54 +1,57 @@
 # frozen_string_literal: true
 
 module Secvault
-  # Rails::Secrets compatibility module
+  # Rails::Secrets compatibility class
   # Provides the classic Rails::Secrets interface for backwards compatibility
-  # This replicates the Rails < 7.2 Rails::Secrets module functionality
-  module RailsSecrets
-    extend self
+  # This replicates the Rails < 7.2 Rails::Secrets class functionality
+  class RailsSecrets
+    class << self
+      attr_accessor :root
 
-    # Parse secrets from one or more YAML files
-    #
-    # Supports:
-    # - ERB templating for environment variables
-    # - Shared sections that apply to all environments
-    # - Environment-specific sections
-    # - Multiple files (merged in order)
-    # - Deep symbolized keys
-    #
-    # Examples:
-    #   # Single file
-    #   Rails::Secrets.parse(['config/secrets.yml'], env: 'development')
-    #
-    #   # Multiple files (merged in order)
-    #   Rails::Secrets.parse([
-    #     'config/secrets.yml',
-    #     'config/secrets.local.yml'
-    #   ], env: 'development')
-    #
-    #   # Load default config/secrets.yml
-    #   Rails::Secrets.load  # uses current Rails.env
-    #   Rails::Secrets.load(env: 'production')
-    def parse(paths, env:)
-      Secvault::Secrets.parse(paths, env: env.to_s)
-    end
+      # Parse secrets from one or more YAML files
+      #
+      # Supports:
+      # - ERB templating for environment variables
+      # - Environment-specific sections (YAML anchors handle sharing)
+      # - Multiple files (merged in order)
+      # - Deep symbolized keys
+      #
+      # Examples:
+      #   # Single file
+      #   Rails::Secrets.parse(['config/secrets.yml'], env: 'development')
+      #
+      #   # Multiple files (merged in order)
+      #   Rails::Secrets.parse([
+      #     'config/secrets.yml',
+      #     'config/secrets.local.yml'
+      #   ], env: 'development')
+      #
+      #   # Load default config/secrets.yml
+      #   Rails::Secrets.load  # uses current Rails.env
+      #   Rails::Secrets.load(env: 'production')
+      def parse(paths, env:)
+        Secvault::Secrets.parse(paths, env: env.to_s)
+      end
 
-    # Load secrets from the default config/secrets.yml file
-    def load(env: Rails.env)
-      secrets_path = Rails.root.join("config/secrets.yml")
-      parse([secrets_path], env: env)
-    end
+      # Load secrets from the default config/secrets.yml file
+      def load(env: Rails.env)
+        secrets_path = Rails.root.join("config/secrets.yml")
+        parse([secrets_path], env: env)
+      end
 
-    # Backward compatibility aliases (deprecated)
-    alias_method :parse_default, :load
-    alias_method :read, :load
+      # Backward compatibility aliases (deprecated)
+      alias_method :parse_default, :load
+      alias_method :read, :load
+    end
   end
 end
 
-# Monkey patch to restore Rails::Secrets interface for backwards compatibility
+# Replace Rails::Secrets interface for backwards compatibility
 # Works consistently across all Rails versions with warning suppression
 if defined?(Rails)
   module Rails
+    # Remove existing constant to avoid warnings
+    remove_const(:Secrets) if const_defined?(:Secrets, false)
     Secrets = Secvault::RailsSecrets
   end
 end

data/lib/secvault/railtie.rb

@@ -2,34 +2,154 @@
 
 require "rails/railtie"
 
+# Extremely early hook to set up Rails.application.secrets before Application class is defined
+if defined?(Rails)
+  # Set up a robust Rails.application with secrets support
+  unless Rails.respond_to?(:application) && Rails.application.respond_to?(:secrets)
+    # Create a minimal application-like object
+    temp_app = Object.new
+
+    # Add secrets method with default empty secrets that include needed encryption keys
+    temp_app.define_singleton_method(:secrets) do
+      @secrets ||= begin
+        secrets = ActiveSupport::OrderedOptions.new
+
+        # Add empty encryption section to prevent NoMethodError
+        secrets.encryption = {
+          primary_key: nil,
+          deterministic_key: nil,
+          key_derivation_salt: nil
+        }
+
+        secrets
+      end
+    end
+
+    # Set up Rails.application if it doesn't exist
+    Rails.define_singleton_method(:application) { temp_app } unless Rails.respond_to?(:application)
+  end
+end
+
 module Secvault
   class Railtie < Rails::Railtie
     railtie_name :secvault
 
+    # Hook to set up early secrets access before application configuration
+    config.before_configuration do |app|
+      Secvault::EarlyLoader.setup_early_secrets(app)
+    end
+
     initializer "secvault.initialize", before: :load_environment_hook do |app|
       Secvault::Secrets.setup(app)
     end
+  end
 
-    # Ensure initialization happens early in all environments
-    config.before_configuration do |app|
-      secrets_path = app.root.join("config/secrets.yml")
+  # Early loader class to handle secrets before application configuration
+  class EarlyLoader
+    class << self
+      def setup_early_secrets(app)
+        puts "[Secvault Debug] setup_early_secrets called" unless Rails.env.production?
+
+        if Rails.application.respond_to?(:secrets) && !Rails.application.secrets.empty?
+          puts "[Secvault Debug] Secrets already exist, skipping early load" unless Rails.env.production?
+          return
+        end
+
+        # Look for Secvault configuration in the app
+        secrets_config = find_secvault_config(app)
+        puts "[Secvault Debug] Found config: #{secrets_config&.keys}" unless Rails.env.production?
+        return unless secrets_config
 
-      if secrets_path.exist? && !Rails.application.respond_to?(:secrets)
-        # Early initialization for test environment compatibility
-        current_env = ENV["RAILS_ENV"] || "development"
-        secrets = Secvault::Secrets.read_secrets(secrets_path, current_env)
+        begin
+          # Load secrets using the configuration found
+          all_secrets = Secvault::Secrets.parse(secrets_config[:files], env: Rails.env)
+          puts "[Secvault Debug] Loaded secrets keys: #{all_secrets.keys}" unless Rails.env.production?
 
-        if secrets
+          # Set up Rails.application.secrets immediately
           Rails.application.define_singleton_method(:secrets) do
             @secrets ||= begin
               current_secrets = ActiveSupport::OrderedOptions.new
-              env_secrets = Secvault::Secrets.read_secrets(secrets_path, Rails.env)
-              current_secrets.merge!(env_secrets) if env_secrets
+              current_secrets.merge!(all_secrets)
+              puts "[Secvault Debug] Returning secrets with encryption: #{current_secrets.encryption}" unless Rails.env.production?
               current_secrets
             end
           end
+
+          # Test the secrets immediately
+          test_encryption = Rails.application.secrets.encryption
+          puts "[Secvault Debug] Test access - encryption: #{test_encryption.class} - #{test_encryption}" unless Rails.env.production?
+
+          Rails.logger&.info "[Secvault] Early secrets loaded from #{secrets_config[:files].size} files" unless Rails.env.production?
+        rescue => e
+          Rails.logger&.warn "[Secvault] Failed to load early secrets: #{e.message}"
         end
       end
+
+      private
+
+      def find_secvault_config(app)
+        # Look for Secvault configuration in various locations
+        config_locations = [
+          app.root.join("config/initializers/secvault.rb"),
+          app.root.join("config/secvault.rb")
+        ]
+
+        config_locations.each do |config_file|
+          next unless config_file.exist?
+
+          config = parse_secvault_config(config_file)
+          return config if config
+        end
+
+        # Fallback to default configuration
+        default_files = [app.root.join("config/secrets.yml")]
+
+        # Check if neeto-commons-backend is available for default config
+        if defined?(NeetoCommonsBackend) && NeetoCommonsBackend.respond_to?(:shared_secrets_file)
+          default_files.unshift(NeetoCommonsBackend.shared_secrets_file)
+        end
+
+        # Only return default if at least one file exists
+        existing_files = default_files.select(&:exist?)
+        return {files: existing_files} if existing_files.any?
+
+        nil
+      end
+
+      def parse_secvault_config(config_file)
+        # Read the configuration file and extract Secvault.start! parameters
+        content = config_file.read
+
+        # Look for Secvault.start! calls
+        if /Secvault\.start!\s*\(/m.match?(content)
+          # Try to extract the files parameter using a simple regex
+          files_match = content.match(/files:\s*\[(.*?)\]/m)
+          if files_match
+            # Parse the files array (basic string parsing)
+            files_content = files_match[1]
+            files = []
+
+            # Handle various file specification patterns
+            files_content.scan(/["'](.*?)["']|([A-Za-z_][\w.]*\([^)]*\))/) do |quoted, method_call|
+              if quoted
+                files << Rails.root.join(quoted.strip)
+              elsif method_call
+                # Handle method calls like NeetoCommonsBackend.shared_secrets_file
+                if method_call.include?("NeetoCommonsBackend.shared_secrets_file") && defined?(NeetoCommonsBackend)
+                  files << NeetoCommonsBackend.shared_secrets_file
+                end
+              end
+            end
+
+            return {files: files.compact} if files.any?
+          end
+        end
+
+        nil
+      rescue => e
+        Rails.logger&.warn "[Secvault] Failed to parse config file #{config_file}: #{e.message}"
+        nil
+      end
     end
   end
 end

data/lib/secvault/secrets.rb

@@ -56,7 +56,7 @@ module Secvault
       end
 
       # Classic Rails::Secrets.parse implementation
-      # Parses plain YAML secrets files and merges shared + environment-specific sections
+      # Parses plain YAML secrets files for specific environment
       def parse(paths, env:)
         paths.each_with_object({}) do |path, all_secrets|
           # Handle string paths by converting to Pathname
@@ -72,8 +72,7 @@ module Secvault
 
           secrets ||= {}
 
-          # Merge shared secrets first, then environment-specific (using deep merge)
-          all_secrets.deep_merge!(secrets["shared"].deep_symbolize_keys) if secrets["shared"]
+          # Only load environment-specific section (YAML anchors handle sharing)
           all_secrets.deep_merge!(secrets[env].deep_symbolize_keys) if secrets[env]
         end
       end

data/lib/secvault/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Secvault
-  VERSION = "3.0.0"
+  VERSION = "3.1.0"
 end

data/lib/secvault.rb

@@ -65,6 +65,67 @@ module Secvault
     defined?(Rails) && Rails::Secrets == Secvault::RailsSecrets
   end
 
+  # Early setup method for use in config/application.rb before other configuration
+  # This ensures Rails.application has secrets available during application class definition
+  def setup_early_application_secrets!(files: nil, application_class: nil)
+    return false unless defined?(Rails)
+
+    # Default files if not provided
+    files ||= begin
+      default_files = ["config/secrets.yml"]
+
+      # Add neeto-commons-backend file if available
+      if defined?(NeetoCommonsBackend) && NeetoCommonsBackend.respond_to?(:shared_secrets_file)
+        default_files.unshift(NeetoCommonsBackend.shared_secrets_file)
+      end
+
+      default_files
+    end
+
+    # Create a temporary Rails.application if it doesn't exist
+    unless Rails.respond_to?(:application) && Rails.application
+      # Create a temporary application-like object with secrets
+      temp_app = Object.new
+
+      # Add lazy secrets loading
+      temp_app.define_singleton_method(:secrets) do
+        @secrets ||= begin
+          # Convert to full paths and filter existing files
+          file_paths = files.map do |file|
+            file.is_a?(Pathname) ? file : Rails.root.join(file)
+          end.select(&:exist?)
+
+          if file_paths.any?
+            # Load secrets using Secvault
+            all_secrets = Secvault::Secrets.parse(file_paths, env: Rails.env)
+            current_secrets = ActiveSupport::OrderedOptions.new
+            current_secrets.merge!(all_secrets)
+            current_secrets
+          else
+            # Return empty secrets if no files found but include encryption structure
+            secrets = ActiveSupport::OrderedOptions.new
+            secrets.encryption = ActiveSupport::OrderedOptions.new
+            secrets.encryption.primary_key = nil
+            secrets.encryption.deterministic_key = nil
+            secrets.encryption.key_derivation_salt = nil
+            secrets
+          end
+        end
+      end
+
+      # Set up Rails.application to point to this temporary object
+      Rails.define_singleton_method(:application) { temp_app }
+    end
+
+    true
+  rescue => e
+    warn "[Secvault] Early application secrets setup failed: #{e.message}"
+    false
+  end
+
+  # Alias for backward compatibility
+  alias_method :setup_early_secrets!, :setup_early_application_secrets!
+
   def install!
     return if defined?(Rails::Railtie).nil?
 
@@ -88,35 +149,34 @@ module Secvault
   #
   # Options:
   #   - files: Array of file paths (String or Pathname). Defaults to ['config/secrets.yml']
-  #   - integrate_with_rails: Integrate with Rails.application.secrets (default: true)
+  #   - integrate_with_rails: Integrate with Rails.application.secrets (default: false)
   #   - set_secret_key_base: Set Rails.application.config.secret_key_base from secrets (default: true)
   #   - hot_reload: Add reload_secrets! methods for development (default: true in development)
   #   - logger: Enable logging (default: true except production)
-  def start!(files: [], integrate_with_rails: true, set_secret_key_base: true, 
-             hot_reload: (defined?(Rails) && Rails.env.respond_to?(:development?) ? Rails.env.development? : false), 
-             logger: (defined?(Rails) && Rails.env.respond_to?(:production?) ? !Rails.env.production? : true))
-    
+  def start!(files: [], integrate_with_rails: false, set_secret_key_base: true,
+    hot_reload: ((defined?(Rails) && Rails.env.respond_to?(:development?)) ? Rails.env.development? : false),
+    logger: ((defined?(Rails) && Rails.env.respond_to?(:production?)) ? !Rails.env.production? : true))
     # Default to config/secrets.yml if no files specified
     files_to_load = files.empty? ? ["config/secrets.yml"] : Array(files)
-    
+
     # Convert to Pathname objects and resolve relative to Rails.root
     file_paths = files_to_load.map do |file|
       file.is_a?(Pathname) ? file : Rails.root.join(file)
     end
-    
+
     # Load secrets into Secvault.secrets
     load_secrets!(file_paths, logger: logger)
-    
+
     # Integrate with Rails if requested
     if integrate_with_rails
       setup_rails_integration!(file_paths, set_secret_key_base: set_secret_key_base, logger: logger)
     end
-    
+
     # Add hot reload functionality if requested
     if hot_reload
       add_hot_reload!(file_paths)
     end
-    
+
     true
   rescue => e
     Rails.logger&.error "[Secvault] Failed to start: #{e.message}" if defined?(Rails) && logger
@@ -126,24 +186,24 @@ module Secvault
   private
 
   # Load secrets into Secvault.secrets (internal storage)
-  def load_secrets!(file_paths, logger: (defined?(Rails) && Rails.env.respond_to?(:production?) ? !Rails.env.production? : true))
+  def load_secrets!(file_paths, logger: ((defined?(Rails) && Rails.env.respond_to?(:production?)) ? !Rails.env.production? : true))
     existing_files = file_paths.select(&:exist?)
-    
+
     if existing_files.any?
       # Load and merge all secrets files
       merged_secrets = Secvault::Secrets.parse(existing_files, env: Rails.env)
-      
+
       # Store in internal storage with ActiveSupport::OrderedOptions for compatibility
       @@loaded_secrets = ActiveSupport::OrderedOptions.new
       @@loaded_secrets.merge!(merged_secrets)
-      
+
       # Log successful loading
       if logger
         file_names = existing_files.map(&:basename)
         Rails.logger&.info "[Secvault] Loaded #{existing_files.size} files: #{file_names.join(", ")}"
         Rails.logger&.info "[Secvault] Parsed #{merged_secrets.keys.size} secret keys for #{Rails.env}"
       end
-      
+
       true
     else
       Rails.logger&.warn "[Secvault] No secrets files found" if logger
@@ -151,13 +211,13 @@ module Secvault
       false
     end
   end
-  
+
   # Set up Rails integration
-  def setup_rails_integration!(file_paths, set_secret_key_base: true, logger: (defined?(Rails) && Rails.env.respond_to?(:production?) ? !Rails.env.production? : true))
+  def setup_rails_integration!(file_paths, set_secret_key_base: true, logger: ((defined?(Rails) && Rails.env.respond_to?(:production?)) ? !Rails.env.production? : true))
     # Override native Rails::Secrets with Secvault implementation
     Rails.send(:remove_const, :Secrets) if defined?(Rails::Secrets)
     Rails.const_set(:Secrets, Secvault::RailsSecrets)
-    
+
     # Set up Rails.application.secrets replacement in after_initialize
     Rails.application.config.after_initialize do
       if @@loaded_secrets && !@@loaded_secrets.empty?
@@ -165,51 +225,102 @@ module Secvault
         Rails.application.define_singleton_method(:secrets) do
           @@loaded_secrets
         end
-        
+
         # Set secret_key_base in Rails config to avoid accessing it from secrets
         if set_secret_key_base && @@loaded_secrets.key?(:secret_key_base)
           Rails.application.config.secret_key_base = @@loaded_secrets[:secret_key_base]
           Rails.logger&.info "[Secvault] Set Rails.application.config.secret_key_base from secrets" if logger
         end
-        
+
         # Log integration success (except in production)
         if logger
           Rails.logger&.info "[Secvault] Rails integration complete. #{@@loaded_secrets.keys.size} secret keys available."
         end
-      else
-        Rails.logger&.warn "[Secvault] No secrets loaded for Rails integration" if logger
+      elsif logger
+        Rails.logger&.warn "[Secvault] No secrets loaded for Rails integration"
       end
     end
   end
-  
+
   # Add hot reload functionality for development
   def add_hot_reload!(file_paths)
     # Define reload method on Rails.application
     Rails.application.define_singleton_method(:reload_secrets!) do
       # Reload secrets
       Secvault.send(:load_secrets!, file_paths, logger: true)
-      
+
       # Re-apply Rails integration if needed
       if Secvault.rails_integrated? && @@loaded_secrets
         Rails.application.define_singleton_method(:secrets) do
           @@loaded_secrets
         end
       end
-      
+
       puts "🔄 Hot reloaded secrets from #{file_paths.size} files"
       true
     end
-    
+
     # Also make it available as a top-level method
     Object.define_method(:reload_secrets!) do
       Rails.application.reload_secrets!
     end
-    
-    Rails.logger&.info "[Secvault] Hot reload enabled. Use reload_secrets! to refresh secrets." unless (defined?(Rails) && Rails.env.respond_to?(:production?) && Rails.env.production?)
+
+    Rails.logger&.info "[Secvault] Hot reload enabled. Use reload_secrets! to refresh secrets." unless defined?(Rails) && Rails.env.respond_to?(:production?) && Rails.env.production?
   end
-  
+
   public
 
 end
 
-Secvault.install! if defined?(Rails)
+# Auto-install and setup when Rails is available
+if defined?(Rails)
+  Secvault.install!
+
+  # Immediate setup for early access during application loading
+  begin
+    # Try to detect and load secrets immediately if Rails.root is available
+    if Rails.respond_to?(:root) && Rails.root
+      # Look for default secrets or configuration
+      default_secrets_file = Rails.root.join("config/secrets.yml")
+      commons_secrets_file = nil
+
+      # Check for neeto-commons-backend integration
+      if defined?(NeetoCommonsBackend) && NeetoCommonsBackend.respond_to?(:shared_secrets_file)
+        commons_secrets_file = NeetoCommonsBackend.shared_secrets_file
+      end
+
+      files_to_load = [commons_secrets_file, default_secrets_file].compact.select(&:exist?)
+
+      if files_to_load.any? && Rails.respond_to?(:env)
+        # Load secrets immediately
+        all_secrets = Secvault::Secrets.parse(files_to_load, env: Rails.env)
+
+        # Set up Rails.application.secrets if Rails.application exists
+        if Rails.respond_to?(:application) && Rails.application
+          Rails.application.define_singleton_method(:secrets) do
+            @secrets ||= begin
+              current_secrets = ActiveSupport::OrderedOptions.new
+              current_secrets.merge!(all_secrets)
+              current_secrets
+            end
+          end
+        else
+          # Create a minimal Rails.application for early access
+          temp_app = Object.new
+          temp_app.define_singleton_method(:secrets) do
+            @secrets ||= begin
+              current_secrets = ActiveSupport::OrderedOptions.new
+              current_secrets.merge!(all_secrets)
+              current_secrets
+            end
+          end
+
+          Rails.define_singleton_method(:application) { temp_app } unless Rails.respond_to?(:application)
+        end
+      end
+    end
+  rescue => e
+    # Silent fail - normal initialization will handle it
+    warn "[Secvault] Early auto-load failed: #{e.message}" unless Rails.env&.production?
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secvault
 version: !ruby/object:Gem::Version
-  version: 3.0.0
+  version: 3.1.0
 platform: ruby
 authors:
 - Unnikrishnan KP