secvault 3.0.0 → 3.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7e9d55bf6f12233064ea7ced4e9b40c84f8f3a6ce38d6b5b79d5f0e8f4a7214a
-  data.tar.gz: 7ade516b0c550c0b3c98f04fc39ff1079d5c46436da6a7fd6153bdc1d9eac4fb
+  metadata.gz: ff511b4da4c277844438956507222da90bd15416fd8e4adec1e973a4e5b73993
+  data.tar.gz: 45219a2e917ac366af2c94c8a848cc5557219b4856daab6fcd870d19898d1685
 SHA512:
-  metadata.gz: b2939f3acd3e9525d000b7195fd9967a4e8f80c04800e4cbac9da774625bc1cae7b26e1f0320d4d57d53abbf1bdb53a3899977deb9625880fd84458c7c302277
-  data.tar.gz: 84de3b9f8ecd84e820668d3ac2bd7fedeb7946e2707f88e00cd7219f258d597417b025a72b889dc93bf6e408c2686b2c444b90e1d2eaee856f1040d9f5b8d63a
+  metadata.gz: 45e5d96b9eaa32ea9396921451dfb2ed148e485992236ae45bf58acf9a380869cde8df8b3e93e621cdfe1bcd9710f4eccbeaee3880fa5436c73e336d063d866f
+  data.tar.gz: db91a660ae62430a0c27f311bd512d964efc485f4a224e42f958b9215d31c9c553db765b638b622413b18c9b236ab6865d14328594f8d6ab726452484eddc767

data/README.md

@@ -1,456 +1,110 @@
 # Secvault
 
-Secvault restores the classic Rails `secrets.yml` functionality using simple, plain YAML files for environment-specific secrets management. Compatible with all modern Rails versions (7.1+, 7.2+, 8.0+).
+Simple YAML secrets management for Rails. Uses standard YAML anchors for sharing configuration.
 
 [![Gem Version](https://img.shields.io/gem/v/secvault.svg)](https://rubygems.org/gems/secvault)
-
-## Why Secvault?
-
-- **Drop-in replacement** for Rails 7.2+'s removed `secrets.yml` functionality
-- **Universal compatibility** across Rails 7.1+, 7.2+, and 8.0+
-- **ERB templating** support for environment variables
-- **Multi-file support** with deep merging capabilities
-- **Shared sections** for common configuration across environments
-- **Simple YAML** - no complex credential management required
+[![CI](https://github.com/unnitallman/secvault/actions/workflows/ci.yml/badge.svg)](https://github.com/unnitallman/secvault/actions/workflows/ci.yml)
 
 ## Installation
 
 ```ruby
-# Gemfile
 gem 'secvault'
 ```
 
-```bash
-bundle install
-```
-
-## Quick Start
-
-### 1. Simple Setup
-
-Create `config/initializers/secvault.rb`:
+## Usage
 
+**1. Add to initializer:**
 ```ruby
-# The simplest setup - works across all Rails versions
+# config/initializers/secvault.rb
 Secvault.start!
 ```
 
-Create `config/secrets.yml`:
-
+**2. Create secrets file:**
 ```yaml
-shared:
-  app_name: "My Rails App"
-  timeout: 30
+# config/secrets.yml
+defaults: &defaults
+  app_name: "MyApp"
 
 development:
-  secret_key_base: "dev_secret_key_here"
-  api_key: "dev_key_123"
-  database_url: "postgresql://localhost/myapp_dev"
-  debug: true
-
-test:
-  secret_key_base: "test_secret_key_here"
-  api_key: "test_key_123"
+  <<: *defaults
+  secret_key_base: "dev_secret"
+  api_key: "dev_key"
 
 production:
+  <<: *defaults
   secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
   api_key: <%= ENV['API_KEY'] %>
-  database_url: <%= ENV['DATABASE_URL'] %>
-  debug: false
-```
-
-### 2. Access Your Secrets
-
-```ruby
-# In your Rails application
-Rails.application.secrets.api_key
-Rails.application.secrets.app_name
-Rails.application.secrets.database_url
-
-# Nested secrets work too
-Rails.application.secrets.database.host
-Rails.application.secrets.features.analytics
 ```
 
-## Setup Methods
-
-### Unified start! Method
-
-Secvault now uses a single, simplified `start!` method for all use cases:
-
+**3. Use in your app:**
 ```ruby
-# Simplest setup - loads config/secrets.yml with Rails integration
-Secvault.start!
-
-# Custom single file
-Secvault.start!(files: ['custom.yml'])
-
-# Multiple files with hot reload
-Secvault.start!(
-  files: ['config/secrets.yml', 'config/secrets.local.yml'],
-  hot_reload: true
-)
-
-# All available options
-Secvault.start!(
-  files: ['config/secrets.yml'],           # Default: ['config/secrets.yml']
-  integrate_with_rails: true,              # Default: true
-  set_secret_key_base: true,              # Default: true
-  hot_reload: true,                       # Default: true in development
-  logger: true                            # Default: true except production
-)
+Secvault.secrets.api_key
+Secvault.secrets.app_name
 ```
 
-### Advanced Usage
+## Options
 
 ```ruby
-# Load without Rails integration (standalone mode)
-Secvault.start!(integrate_with_rails: false)
-# Access via: Secvault.secrets.your_key
-
-# Multi-file with hot reload for development
 Secvault.start!(
-  files: [
-    'config/secrets.yml',
-    'config/secrets.oauth.yml', 
-    'config/secrets.local.yml'   # Git-ignored local overrides
-  ],
-  hot_reload: true,
-  logger: true
+  files: ['config/secrets.yml'],     # Files to load (later files override earlier ones)
+  integrate_with_rails: false,       # Add Rails.application.secrets
+  set_secret_key_base: true,         # Auto-set Rails.application.config.secret_key_base from secrets
+  hot_reload: true,                  # Auto-reload in development
+  logger: true                       # Log loading activity
 )
 ```
 
-
-## Advanced Features
-
-### ERB Templating
-
-Secvault supports full ERB templating for dynamic configuration:
-
-```yaml
-production:
-  secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
-  api_key: <%= ENV['API_KEY'] %>
-  pool_size: <%= ENV.fetch('DB_POOL', '5').to_i %>
-  
-  # Complex expressions
-  features:
-    enabled: <%= ENV.fetch('FEATURES_ON', 'false') == 'true' %>
-    analytics: <%= Rails.env.production? && ENV['ANALYTICS'] != 'false' %>
-  
-  # Arrays and complex data structures
-  allowed_hosts: <%= ENV.fetch('ALLOWED_HOSTS', 'localhost').split(',') %>
-  
-  # Conditional values
-  redis_url: <%=
-    if ENV['REDIS_URL']
-      ENV['REDIS_URL']
-    else
-      "redis://localhost:6379/#{Rails.env}"
-    end
-  %>
-```
-
-### Shared Sections
-
-Define common secrets that apply to all environments:
-
-```yaml
-shared:
-  app_name: "MyApp"
-  version: "2.1.0"
-  timeout: 30
-  features:
-    analytics: true
-    
-development:
-  secret_key_base: "dev_secret"
-  features:
-    debug: true    # Merges with shared.features
-    
-production:
-  secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
-  features:
-    analytics: false  # Overrides shared.features.analytics
-```
-
-### Multi-File Configuration
-
-Organize your secrets across multiple files for better maintainability:
-
+**Multiple files:**
 ```ruby
-Secvault.setup_multi_file!([
-  'config/secrets.yml',           # Base secrets
-  'config/secrets.oauth.yml',     # OAuth provider settings
-  'config/secrets.database.yml',  # Database configurations
-  'config/secrets.local.yml'      # Local overrides (git-ignored)
-])
+# Later files override earlier ones
+Secvault.start!(files: ['secrets.yml', 'local.yml'])
 ```
 
-**File merging behavior:**
-- Files are processed in order
-- Later files override earlier ones
-- Deep merging for nested hashes
-- Shared sections are merged first, then environment-specific
-
-### Hot Reload (Development)
-
-Secvault provides hot reload functionality for development:
-
+**Rails integration:**
 ```ruby
-# Enable hot reload when starting Secvault
-Secvault.start!(hot_reload: true)  # Default: true in development
-
-# Then reload secrets without restarting Rails
-reload_secrets!
-
-# Or via Rails.application
-Rails.application.reload_secrets!
-```
-
-Hot reload is automatically enabled in development mode and provides instant feedback when you change your secrets files.
-
-## Manual API
-
-For advanced use cases, you can use the lower-level API:
-
-```ruby
-# Parse specific files
-secrets = Rails::Secrets.parse(['config/secrets.yml'], env: 'production')
-
-# Load from default location
-secrets = Rails::Secrets.load(env: 'development')
-
-# Check if Secvault is active
-Secvault.active?  # => true/false
-
-# Check if integrated with Rails
-Secvault.rails_integrated?  # => true/false
-
-# Access loaded secrets directly
-Secvault.secrets.api_key  # Available after Secvault.start!
+Secvault.start!(integrate_with_rails: true)
+Rails.application.secrets.api_key  # Now available
 ```
 
-## Rails Version Compatibility
-
-| Rails Version | Support Level | Notes |
-|---------------|---------------|-------|
-| **Rails 7.1+** | ✅ Full compatibility | Manual setup required |
-| **Rails 7.2+** | ✅ Drop-in replacement | Automatic setup works |
-| **Rails 8.0+** | ✅ Full compatibility | Future-proof |
-
-### Rails 7.2+ Notes
-Rails 7.2 removed the built-in `secrets.yml` functionality. Secvault provides a complete replacement with the same API.
-
-### Rails 7.1 Notes
-Rails 7.1 still has `secrets.yml` support but shows deprecation warnings. Secvault provides a consistent experience across Rails versions.
-
-## Migration Guide
-
-### From Previous Secvault Versions
-
-**BREAKING CHANGE**: The API has been simplified. Update your initializers:
-
+**Secret key base:**
 ```ruby
-# Old API (no longer supported):
-Secvault.setup!
-Secvault.setup_multi_file!(['file1.yml', 'file2.yml'])
-Secvault.integrate_with_rails!
-
-# New unified API:
-Secvault.start!                                     # Simple case
-Secvault.start!(files: ['file1.yml', 'file2.yml'])  # Multi-file case
-Secvault.start!(integrate_with_rails: false)        # Standalone mode
+# If your secrets.yml has secret_key_base, it's automatically set
+# This replaces the need for Rails.application.config.secret_key_base
+Secvault.start!(set_secret_key_base: true)  # Default behavior
 ```
 
-### From Rails < 7.2 Built-in Secrets
-
-1. **Add Secvault to your Gemfile**:
-   ```ruby
-   gem 'secvault'
-   ```
-
-2. **Create initializer**:
-   ```ruby
-   # config/initializers/secvault.rb
-   Secvault.start!
-   ```
-
-3. **Your existing `config/secrets.yml` works as-is** - no changes needed!
-
-### From Rails Credentials
-
-1. **Extract your credentials to YAML**:
-   ```bash
-   # Export existing credentials
-   rails credentials:show > config/secrets.yml
-   ```
-
-2. **Format as environment-specific YAML**:
-   ```yaml
-   development:
-     secret_key_base: "your_dev_secret"
-     # ... other secrets
-   
-   production:
-     secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
-     # ... other secrets
-   ```
-
-3. **Set up Secvault**:
-   ```ruby
-   # config/initializers/secvault.rb
-   Secvault.start!
-   ```
 
-## Configuration Examples
-
-### Basic Application
+## Advanced
 
+**ERB templating:**
 ```yaml
-# config/secrets.yml
-shared:
-  app_name: "MyApp"
-  
-development:
-  secret_key_base: "long_random_string_for_dev"
-  database_url: "postgresql://localhost/myapp_dev"
-  
-test:
-  secret_key_base: "long_random_string_for_test"
-  database_url: "postgresql://localhost/myapp_test"
-  
 production:
-  secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
-  database_url: <%= ENV['DATABASE_URL'] %>
-```
-
-### Multi-Service Application
-
-```ruby
-# config/initializers/secvault.rb
-Secvault.start!(
-  files: [
-    'config/secrets.yml',
-    'config/secrets.oauth.yml',
-    'config/secrets.external_apis.yml',
-    'config/secrets.local.yml'  # Git-ignored
-  ],
-  hot_reload: true
-)
+  api_key: <%= ENV['API_KEY'] %>
+  pool_size: <%= ENV.fetch('DB_POOL', '5').to_i %>
 ```
 
+**YAML anchors for sharing:**
 ```yaml
-# config/secrets.yml (base)
-shared:
+defaults: &defaults
   app_name: "MyApp"
   timeout: 30
 
 development:
-  secret_key_base: "dev_secret"
+  <<: *defaults
   debug: true
 
 production:
-  secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
-  debug: false
-```
-
-```yaml
-# config/secrets.oauth.yml
-shared:
-  oauth:
-    google:
-      scope: "email profile"
-
-development:
-  oauth:
-    google:
-      client_id: "dev_google_client_id"
-      client_secret: "dev_google_client_secret"
-
-production:
-  oauth:
-    google:
-      client_id: <%= ENV['GOOGLE_CLIENT_ID'] %>
-      client_secret: <%= ENV['GOOGLE_CLIENT_SECRET'] %>
-```
-
-## Troubleshooting
-
-### Common Issues
-
-**1. "No secrets.yml file found"**
-```bash
-# Create the file
-mkdir -p config
-touch config/secrets.yml
-```
-
-**2. "undefined method `secrets' for Rails.application"**
-```ruby
-# Make sure Secvault is set up in an initializer
-# config/initializers/secvault.rb
-Secvault.start!
-```
-
-**3. "Secrets not loading in tests"**
-```ruby
-# In your test helper or rails_helper.rb
-Secvault.start! if defined?(Secvault)
-```
-
-**4. "Environment variables not working"**
-```yaml
-# Make sure you're using ERB syntax
-production:
-  api_key: <%= ENV['API_KEY'] %>  # ✅ Correct
-  api_key: $API_KEY               # ❌ Wrong
+  <<: *defaults
+  timeout: 10  # Override specific values
 ```
 
-### Debug Mode
-
+**Development helpers:**
 ```ruby
-# Enable detailed logging (development/test only)
-Secvault.start!(files: ['config/secrets.yml'], logger: true)
-
-# Check if Secvault is working
-Secvault.active?           # Should return true
-Secvault.rails_integrated? # Should return true
-Rails.application.secrets  # Should show your secrets
+reload_secrets!            # Reload files
+Secvault.active?           # Check status
 ```
 
-## API Reference
-
-### Setup Methods
-
-- `Secvault.start!(files: [], integrate_with_rails: true, set_secret_key_base: true, hot_reload: auto, logger: auto)` - Main and only setup method
-
-### Status Methods
-
-- `Secvault.active?` - Check if secrets are loaded
-- `Secvault.rails_integrated?` - Check if Rails integration is active
-- `Secvault.secrets` - Access loaded secrets directly
-
-### Rails API Compatibility
-
-- `Rails::Secrets.parse(files, env:)` - Parse specific files
-- `Rails::Secrets.load(env:)` - Load from default config/secrets.yml
-- `Rails.application.secrets` - Access secrets (same as classic Rails)
-
-### Legacy Aliases
-
-- `Secvault.setup_backward_compatibility_with_older_rails!` (alias for `setup!`)
-- `Secvault.setup_rails_71_integration!` (alias for `setup!`)
-- `Secvault.setup_multi_files!` (alias for `setup_multi_file!`)
-
-## Contributing
-
-1. Fork it
-2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Add some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create new Pull Request
 
 ## License
 
-MIT License. See [LICENSE](LICENSE) for details.
+MIT

data/SECURITY.md

@@ -0,0 +1,98 @@
+# Security Policy
+
+## Supported Versions
+
+We actively support the following versions of Secvault with security updates:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 3.1.x   | :white_check_mark: |
+| 3.0.x   | :white_check_mark: |
+| < 3.0   | :x:                |
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report security vulnerabilities by emailing **unnikrishnan.kp@bigbinary.com**.
+
+You should receive a response within 48 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but typically within 7 days.
+
+### What to Include in Your Report
+
+Please include the following information in your vulnerability report:
+
+- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+- Full paths of source file(s) related to the manifestation of the issue
+- The location of the affected source code (tag/branch/commit or direct URL)
+- Any special configuration required to reproduce the issue
+- Step-by-step instructions to reproduce the issue
+- Proof-of-concept or exploit code (if possible)
+- Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+## Security Best Practices
+
+When using Secvault in your applications, please follow these security best practices:
+
+### 1. File Permissions
+- Ensure your secrets files (`config/secrets.yml`, etc.) have restrictive file permissions (600 or 640)
+- Never commit secrets files to version control
+- Use `.gitignore` to exclude secrets files from your repository
+
+### 2. Environment Separation
+- Use different secrets files for different environments (development, staging, production)
+- Never use production secrets in development or testing environments
+- Implement proper environment-specific configuration
+
+### 3. Secret Management
+- Rotate secrets regularly
+- Use strong, randomly generated secrets
+- Avoid hardcoding secrets in application code
+- Consider using external secret management services for production environments
+
+### 4. Access Control
+- Limit access to secrets files to only necessary personnel and processes
+- Use proper deployment practices that don't expose secrets in logs or process lists
+- Implement proper access controls in your deployment infrastructure
+
+### 5. Monitoring and Auditing
+- Monitor access to secrets files
+- Implement logging for secrets access (without logging the actual secret values)
+- Regular security audits of your secrets management practices
+
+## Dependencies and Supply Chain Security
+
+Secvault has minimal dependencies to reduce attack surface:
+
+- **Rails**: We require Rails >= 7.1.0 and stay updated with security patches
+- **Zeitwerk**: Used for autoloading, maintained by the Rails core team
+
+We regularly monitor our dependencies for security vulnerabilities and update them promptly when security issues are discovered.
+
+## Security Considerations
+
+### Hot Reload Feature
+The hot reload feature (`reload_secrets!`) is designed for development environments only. It should not be enabled in production as it can potentially expose secrets through memory dumps or debugging tools.
+
+### Rails Integration
+Secvault integrates deeply with Rails' secrets system. While this provides seamless functionality, it's important to understand that secrets are loaded into memory and may be visible to processes with sufficient privileges.
+
+### File System Security
+Secvault reads secrets from the file system. Ensure your deployment environment has proper file system security controls in place.
+
+## Acknowledgments
+
+We appreciate the security research community and responsible disclosure. Contributors who report valid security vulnerabilities will be acknowledged in our release notes (unless they prefer to remain anonymous).
+
+## Contact
+
+For any security-related questions or concerns, please contact:
+
+**Email**: unnikrishnan.kp@bigbinary.com  
+**Project**: https://github.com/unnitallman/secvault
+
+---
+
+*This security policy is effective as of the date of the latest commit to this file and applies to all current and future versions of Secvault.*

data/lib/secvault/rails_secrets.rb

@@ -1,54 +1,57 @@
 # frozen_string_literal: true
 
 module Secvault
-  # Rails::Secrets compatibility module
+  # Rails::Secrets compatibility class
   # Provides the classic Rails::Secrets interface for backwards compatibility
-  # This replicates the Rails < 7.2 Rails::Secrets module functionality
-  module RailsSecrets
-    extend self
+  # This replicates the Rails < 7.2 Rails::Secrets class functionality
+  class RailsSecrets
+    class << self
+      attr_accessor :root
 
-    # Parse secrets from one or more YAML files
-    #
-    # Supports:
-    # - ERB templating for environment variables
-    # - Shared sections that apply to all environments
-    # - Environment-specific sections
-    # - Multiple files (merged in order)
-    # - Deep symbolized keys
-    #
-    # Examples:
-    #   # Single file
-    #   Rails::Secrets.parse(['config/secrets.yml'], env: 'development')
-    #
-    #   # Multiple files (merged in order)
-    #   Rails::Secrets.parse([
-    #     'config/secrets.yml',
-    #     'config/secrets.local.yml'
-    #   ], env: 'development')
-    #
-    #   # Load default config/secrets.yml
-    #   Rails::Secrets.load  # uses current Rails.env
-    #   Rails::Secrets.load(env: 'production')
-    def parse(paths, env:)
-      Secvault::Secrets.parse(paths, env: env.to_s)
-    end
+      # Parse secrets from one or more YAML files
+      #
+      # Supports:
+      # - ERB templating for environment variables
+      # - Environment-specific sections (YAML anchors handle sharing)
+      # - Multiple files (merged in order)
+      # - Deep symbolized keys
+      #
+      # Examples:
+      #   # Single file
+      #   Rails::Secrets.parse(['config/secrets.yml'], env: 'development')
+      #
+      #   # Multiple files (merged in order)
+      #   Rails::Secrets.parse([
+      #     'config/secrets.yml',
+      #     'config/secrets.local.yml'
+      #   ], env: 'development')
+      #
+      #   # Load default config/secrets.yml
+      #   Rails::Secrets.load  # uses current Rails.env
+      #   Rails::Secrets.load(env: 'production')
+      def parse(paths, env:)
+        Secvault::Secrets.parse(paths, env: env.to_s)
+      end
 
-    # Load secrets from the default config/secrets.yml file
-    def load(env: Rails.env)
-      secrets_path = Rails.root.join("config/secrets.yml")
-      parse([secrets_path], env: env)
-    end
+      # Load secrets from the default config/secrets.yml file
+      def load(env: Rails.env)
+        secrets_path = Rails.root.join("config/secrets.yml")
+        parse([secrets_path], env: env)
+      end
 
-    # Backward compatibility aliases (deprecated)
-    alias_method :parse_default, :load
-    alias_method :read, :load
+      # Backward compatibility aliases (deprecated)
+      alias_method :parse_default, :load
+      alias_method :read, :load
+    end
   end
 end
 
-# Monkey patch to restore Rails::Secrets interface for backwards compatibility
+# Replace Rails::Secrets interface for backwards compatibility
 # Works consistently across all Rails versions with warning suppression
 if defined?(Rails)
   module Rails
+    # Remove existing constant to avoid warnings
+    remove_const(:Secrets) if const_defined?(:Secrets, false)
     Secrets = Secvault::RailsSecrets
   end
 end

data/lib/secvault/railtie.rb

@@ -2,34 +2,154 @@
 
 require "rails/railtie"
 
+# Extremely early hook to set up Rails.application.secrets before Application class is defined
+if defined?(Rails)
+  # Set up a robust Rails.application with secrets support
+  unless Rails.respond_to?(:application) && Rails.application.respond_to?(:secrets)
+    # Create a minimal application-like object
+    temp_app = Object.new
+
+    # Add secrets method with default empty secrets that include needed encryption keys
+    temp_app.define_singleton_method(:secrets) do
+      @secrets ||= begin
+        secrets = ActiveSupport::OrderedOptions.new
+
+        # Add empty encryption section to prevent NoMethodError
+        secrets.encryption = {
+          primary_key: nil,
+          deterministic_key: nil,
+          key_derivation_salt: nil
+        }
+
+        secrets
+      end
+    end
+
+    # Set up Rails.application if it doesn't exist
+    Rails.define_singleton_method(:application) { temp_app } unless Rails.respond_to?(:application)
+  end
+end
+
 module Secvault
   class Railtie < Rails::Railtie
     railtie_name :secvault
 
+    # Hook to set up early secrets access before application configuration
+    config.before_configuration do |app|
+      Secvault::EarlyLoader.setup_early_secrets(app)
+    end
+
     initializer "secvault.initialize", before: :load_environment_hook do |app|
       Secvault::Secrets.setup(app)
     end
+  end
 
-    # Ensure initialization happens early in all environments
-    config.before_configuration do |app|
-      secrets_path = app.root.join("config/secrets.yml")
+  # Early loader class to handle secrets before application configuration
+  class EarlyLoader
+    class << self
+      def setup_early_secrets(app)
+        puts "[Secvault Debug] setup_early_secrets called" unless Rails.env.production?
+
+        if Rails.application.respond_to?(:secrets) && !Rails.application.secrets.empty?
+          puts "[Secvault Debug] Secrets already exist, skipping early load" unless Rails.env.production?
+          return
+        end
+
+        # Look for Secvault configuration in the app
+        secrets_config = find_secvault_config(app)
+        puts "[Secvault Debug] Found config: #{secrets_config&.keys}" unless Rails.env.production?
+        return unless secrets_config
 
-      if secrets_path.exist? && !Rails.application.respond_to?(:secrets)
-        # Early initialization for test environment compatibility
-        current_env = ENV["RAILS_ENV"] || "development"
-        secrets = Secvault::Secrets.read_secrets(secrets_path, current_env)
+        begin
+          # Load secrets using the configuration found
+          all_secrets = Secvault::Secrets.parse(secrets_config[:files], env: Rails.env)
+          puts "[Secvault Debug] Loaded secrets keys: #{all_secrets.keys}" unless Rails.env.production?
 
-        if secrets
+          # Set up Rails.application.secrets immediately
           Rails.application.define_singleton_method(:secrets) do
             @secrets ||= begin
               current_secrets = ActiveSupport::OrderedOptions.new
-              env_secrets = Secvault::Secrets.read_secrets(secrets_path, Rails.env)
-              current_secrets.merge!(env_secrets) if env_secrets
+              current_secrets.merge!(all_secrets)
+              puts "[Secvault Debug] Returning secrets with encryption: #{current_secrets.encryption}" unless Rails.env.production?
               current_secrets
             end
           end
+
+          # Test the secrets immediately
+          test_encryption = Rails.application.secrets.encryption
+          puts "[Secvault Debug] Test access - encryption: #{test_encryption.class} - #{test_encryption}" unless Rails.env.production?
+
+          Rails.logger&.info "[Secvault] Early secrets loaded from #{secrets_config[:files].size} files" unless Rails.env.production?
+        rescue => e
+          Rails.logger&.warn "[Secvault] Failed to load early secrets: #{e.message}"
         end
       end
+
+      private
+
+      def find_secvault_config(app)
+        # Look for Secvault configuration in various locations
+        config_locations = [
+          app.root.join("config/initializers/secvault.rb"),
+          app.root.join("config/secvault.rb")
+        ]
+
+        config_locations.each do |config_file|
+          next unless config_file.exist?
+
+          config = parse_secvault_config(config_file)
+          return config if config
+        end
+
+        # Fallback to default configuration
+        default_files = [app.root.join("config/secrets.yml")]
+
+        # Check if neeto-commons-backend is available for default config
+        if defined?(NeetoCommonsBackend) && NeetoCommonsBackend.respond_to?(:shared_secrets_file)
+          default_files.unshift(NeetoCommonsBackend.shared_secrets_file)
+        end
+
+        # Only return default if at least one file exists
+        existing_files = default_files.select(&:exist?)
+        return {files: existing_files} if existing_files.any?
+
+        nil
+      end
+
+      def parse_secvault_config(config_file)
+        # Read the configuration file and extract Secvault.start! parameters
+        content = config_file.read
+
+        # Look for Secvault.start! calls
+        if /Secvault\.start!\s*\(/m.match?(content)
+          # Try to extract the files parameter using a simple regex
+          files_match = content.match(/files:\s*\[(.*?)\]/m)
+          if files_match
+            # Parse the files array (basic string parsing)
+            files_content = files_match[1]
+            files = []
+
+            # Handle various file specification patterns
+            files_content.scan(/["'](.*?)["']|([A-Za-z_][\w.]*\([^)]*\))/) do |quoted, method_call|
+              if quoted
+                files << Rails.root.join(quoted.strip)
+              elsif method_call
+                # Handle method calls like NeetoCommonsBackend.shared_secrets_file
+                if method_call.include?("NeetoCommonsBackend.shared_secrets_file") && defined?(NeetoCommonsBackend)
+                  files << NeetoCommonsBackend.shared_secrets_file
+                end
+              end
+            end
+
+            return {files: files.compact} if files.any?
+          end
+        end
+
+        nil
+      rescue => e
+        Rails.logger&.warn "[Secvault] Failed to parse config file #{config_file}: #{e.message}"
+        nil
+      end
     end
   end
 end

data/lib/secvault/secrets.rb

@@ -56,7 +56,7 @@ module Secvault
       end
 
       # Classic Rails::Secrets.parse implementation
-      # Parses plain YAML secrets files and merges shared + environment-specific sections
+      # Parses plain YAML secrets files for specific environment
       def parse(paths, env:)
         paths.each_with_object({}) do |path, all_secrets|
           # Handle string paths by converting to Pathname
@@ -66,22 +66,22 @@ module Secvault
           # Read and process the plain YAML file content
           source = path.read
 
-          # Process ERB and parse YAML
+          # Process ERB and parse YAML - using same method as Rails
           erb_result = ERB.new(source).result
-          secrets = YAML.safe_load(erb_result, aliases: true, permitted_classes: [])
+          secrets = YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(erb_result) : YAML.load(erb_result)
 
           secrets ||= {}
 
-          # Merge shared secrets first, then environment-specific (using deep merge)
-          all_secrets.deep_merge!(secrets["shared"].deep_symbolize_keys) if secrets["shared"]
+          # Only load environment-specific section (YAML anchors handle sharing)
           all_secrets.deep_merge!(secrets[env].deep_symbolize_keys) if secrets[env]
         end
       end
 
       def read_secrets(secrets_path, env)
         if secrets_path.exist?
-          # Handle plain YAML secrets.yml only
-          all_secrets = YAML.safe_load(ERB.new(secrets_path.read).result, aliases: true)
+          # Handle plain YAML secrets.yml only - using same method as Rails
+          erb_result = ERB.new(secrets_path.read).result
+          all_secrets = YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(erb_result) : YAML.load(erb_result)
 
           env_secrets = all_secrets[env.to_s]
           return env_secrets.deep_symbolize_keys if env_secrets

data/lib/secvault/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Secvault
-  VERSION = "3.0.0"
+  VERSION = "3.2.0"
 end

data/lib/secvault.rb

@@ -65,6 +65,67 @@ module Secvault
     defined?(Rails) && Rails::Secrets == Secvault::RailsSecrets
   end
 
+  # Early setup method for use in config/application.rb before other configuration
+  # This ensures Rails.application has secrets available during application class definition
+  def setup_early_application_secrets!(files: nil, application_class: nil)
+    return false unless defined?(Rails)
+
+    # Default files if not provided
+    files ||= begin
+      default_files = ["config/secrets.yml"]
+
+      # Add neeto-commons-backend file if available
+      if defined?(NeetoCommonsBackend) && NeetoCommonsBackend.respond_to?(:shared_secrets_file)
+        default_files.unshift(NeetoCommonsBackend.shared_secrets_file)
+      end
+
+      default_files
+    end
+
+    # Create a temporary Rails.application if it doesn't exist
+    unless Rails.respond_to?(:application) && Rails.application
+      # Create a temporary application-like object with secrets
+      temp_app = Object.new
+
+      # Add lazy secrets loading
+      temp_app.define_singleton_method(:secrets) do
+        @secrets ||= begin
+          # Convert to full paths and filter existing files
+          file_paths = files.map do |file|
+            file.is_a?(Pathname) ? file : Rails.root.join(file)
+          end.select(&:exist?)
+
+          if file_paths.any?
+            # Load secrets using Secvault
+            all_secrets = Secvault::Secrets.parse(file_paths, env: Rails.env)
+            current_secrets = ActiveSupport::OrderedOptions.new
+            current_secrets.merge!(all_secrets)
+            current_secrets
+          else
+            # Return empty secrets if no files found but include encryption structure
+            secrets = ActiveSupport::OrderedOptions.new
+            secrets.encryption = ActiveSupport::OrderedOptions.new
+            secrets.encryption.primary_key = nil
+            secrets.encryption.deterministic_key = nil
+            secrets.encryption.key_derivation_salt = nil
+            secrets
+          end
+        end
+      end
+
+      # Set up Rails.application to point to this temporary object
+      Rails.define_singleton_method(:application) { temp_app }
+    end
+
+    true
+  rescue => e
+    warn "[Secvault] Early application secrets setup failed: #{e.message}"
+    false
+  end
+
+  # Alias for backward compatibility
+  alias_method :setup_early_secrets!, :setup_early_application_secrets!
+
   def install!
     return if defined?(Rails::Railtie).nil?
 
@@ -88,35 +149,34 @@ module Secvault
   #
   # Options:
   #   - files: Array of file paths (String or Pathname). Defaults to ['config/secrets.yml']
-  #   - integrate_with_rails: Integrate with Rails.application.secrets (default: true)
+  #   - integrate_with_rails: Integrate with Rails.application.secrets (default: false)
   #   - set_secret_key_base: Set Rails.application.config.secret_key_base from secrets (default: true)
   #   - hot_reload: Add reload_secrets! methods for development (default: true in development)
   #   - logger: Enable logging (default: true except production)
-  def start!(files: [], integrate_with_rails: true, set_secret_key_base: true, 
-             hot_reload: (defined?(Rails) && Rails.env.respond_to?(:development?) ? Rails.env.development? : false), 
-             logger: (defined?(Rails) && Rails.env.respond_to?(:production?) ? !Rails.env.production? : true))
-    
+  def start!(files: [], integrate_with_rails: false, set_secret_key_base: true,
+    hot_reload: ((defined?(Rails) && Rails.env.respond_to?(:development?)) ? Rails.env.development? : false),
+    logger: ((defined?(Rails) && Rails.env.respond_to?(:production?)) ? !Rails.env.production? : true))
     # Default to config/secrets.yml if no files specified
     files_to_load = files.empty? ? ["config/secrets.yml"] : Array(files)
-    
+
     # Convert to Pathname objects and resolve relative to Rails.root
     file_paths = files_to_load.map do |file|
       file.is_a?(Pathname) ? file : Rails.root.join(file)
     end
-    
+
     # Load secrets into Secvault.secrets
     load_secrets!(file_paths, logger: logger)
-    
+
     # Integrate with Rails if requested
     if integrate_with_rails
       setup_rails_integration!(file_paths, set_secret_key_base: set_secret_key_base, logger: logger)
     end
-    
+
     # Add hot reload functionality if requested
     if hot_reload
       add_hot_reload!(file_paths)
     end
-    
+
     true
   rescue => e
     Rails.logger&.error "[Secvault] Failed to start: #{e.message}" if defined?(Rails) && logger
@@ -126,24 +186,24 @@ module Secvault
   private
 
   # Load secrets into Secvault.secrets (internal storage)
-  def load_secrets!(file_paths, logger: (defined?(Rails) && Rails.env.respond_to?(:production?) ? !Rails.env.production? : true))
+  def load_secrets!(file_paths, logger: ((defined?(Rails) && Rails.env.respond_to?(:production?)) ? !Rails.env.production? : true))
     existing_files = file_paths.select(&:exist?)
-    
+
     if existing_files.any?
       # Load and merge all secrets files
       merged_secrets = Secvault::Secrets.parse(existing_files, env: Rails.env)
-      
+
       # Store in internal storage with ActiveSupport::OrderedOptions for compatibility
       @@loaded_secrets = ActiveSupport::OrderedOptions.new
       @@loaded_secrets.merge!(merged_secrets)
-      
+
       # Log successful loading
       if logger
         file_names = existing_files.map(&:basename)
         Rails.logger&.info "[Secvault] Loaded #{existing_files.size} files: #{file_names.join(", ")}"
         Rails.logger&.info "[Secvault] Parsed #{merged_secrets.keys.size} secret keys for #{Rails.env}"
       end
-      
+
       true
     else
       Rails.logger&.warn "[Secvault] No secrets files found" if logger
@@ -151,13 +211,13 @@ module Secvault
       false
     end
   end
-  
+
   # Set up Rails integration
-  def setup_rails_integration!(file_paths, set_secret_key_base: true, logger: (defined?(Rails) && Rails.env.respond_to?(:production?) ? !Rails.env.production? : true))
+  def setup_rails_integration!(file_paths, set_secret_key_base: true, logger: ((defined?(Rails) && Rails.env.respond_to?(:production?)) ? !Rails.env.production? : true))
     # Override native Rails::Secrets with Secvault implementation
     Rails.send(:remove_const, :Secrets) if defined?(Rails::Secrets)
     Rails.const_set(:Secrets, Secvault::RailsSecrets)
-    
+
     # Set up Rails.application.secrets replacement in after_initialize
     Rails.application.config.after_initialize do
       if @@loaded_secrets && !@@loaded_secrets.empty?
@@ -165,51 +225,99 @@ module Secvault
         Rails.application.define_singleton_method(:secrets) do
           @@loaded_secrets
         end
-        
+
         # Set secret_key_base in Rails config to avoid accessing it from secrets
         if set_secret_key_base && @@loaded_secrets.key?(:secret_key_base)
           Rails.application.config.secret_key_base = @@loaded_secrets[:secret_key_base]
           Rails.logger&.info "[Secvault] Set Rails.application.config.secret_key_base from secrets" if logger
         end
-        
+
         # Log integration success (except in production)
         if logger
           Rails.logger&.info "[Secvault] Rails integration complete. #{@@loaded_secrets.keys.size} secret keys available."
         end
-      else
-        Rails.logger&.warn "[Secvault] No secrets loaded for Rails integration" if logger
+      elsif logger
+        Rails.logger&.warn "[Secvault] No secrets loaded for Rails integration"
       end
     end
   end
-  
+
   # Add hot reload functionality for development
   def add_hot_reload!(file_paths)
     # Define reload method on Rails.application
     Rails.application.define_singleton_method(:reload_secrets!) do
       # Reload secrets
       Secvault.send(:load_secrets!, file_paths, logger: true)
-      
+
       # Re-apply Rails integration if needed
       if Secvault.rails_integrated? && @@loaded_secrets
         Rails.application.define_singleton_method(:secrets) do
           @@loaded_secrets
         end
       end
-      
+
       puts "🔄 Hot reloaded secrets from #{file_paths.size} files"
       true
     end
-    
+
     # Also make it available as a top-level method
     Object.define_method(:reload_secrets!) do
       Rails.application.reload_secrets!
     end
-    
-    Rails.logger&.info "[Secvault] Hot reload enabled. Use reload_secrets! to refresh secrets." unless (defined?(Rails) && Rails.env.respond_to?(:production?) && Rails.env.production?)
-  end
-  
-  public
 
+    Rails.logger&.info "[Secvault] Hot reload enabled. Use reload_secrets! to refresh secrets." unless defined?(Rails) && Rails.env.respond_to?(:production?) && Rails.env.production?
+  end
 end
 
-Secvault.install! if defined?(Rails)
+# Auto-install and setup when Rails is available
+if defined?(Rails)
+  Secvault.install!
+
+  # Immediate setup for early access during application loading
+  begin
+    # Try to detect and load secrets immediately if Rails.root is available
+    if Rails.respond_to?(:root) && Rails.root
+      # Look for default secrets or configuration
+      default_secrets_file = Rails.root.join("config/secrets.yml")
+      commons_secrets_file = nil
+
+      # Check for neeto-commons-backend integration
+      if defined?(NeetoCommonsBackend) && NeetoCommonsBackend.respond_to?(:shared_secrets_file)
+        commons_secrets_file = NeetoCommonsBackend.shared_secrets_file
+      end
+
+      files_to_load = [commons_secrets_file, default_secrets_file].compact.select(&:exist?)
+
+      if files_to_load.any? && Rails.respond_to?(:env)
+        # Load secrets immediately
+        all_secrets = Secvault::Secrets.parse(files_to_load, env: Rails.env)
+
+        # Set up Rails.application.secrets if Rails.application exists
+        if Rails.respond_to?(:application) && Rails.application
+          Rails.application.define_singleton_method(:secrets) do
+            @secrets ||= begin
+              current_secrets = ActiveSupport::OrderedOptions.new
+              current_secrets.merge!(all_secrets)
+              current_secrets
+            end
+          end
+        else
+          # Create a minimal Rails.application for early access
+          temp_app = Object.new
+          temp_app.define_singleton_method(:secrets) do
+            @secrets ||= begin
+              current_secrets = ActiveSupport::OrderedOptions.new
+              current_secrets.merge!(all_secrets)
+              current_secrets
+            end
+          end
+
+          Rails.define_singleton_method(:application) { temp_app } unless Rails.respond_to?(:application)
+        end
+      end
+    end
+  rescue => e
+    # Silent fail - normal initialization will handle it
+    warn "[Secvault] Early auto-load failed: #{e.message}" unless Rails.env&.production?
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secvault
 version: !ruby/object:Gem::Version
-  version: 3.0.0
+  version: 3.2.0
 platform: ruby
 authors:
 - Unnikrishnan KP
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-09-23 00:00:00.000000000 Z
+date: 2025-09-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -38,6 +38,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.6'
+- !ruby/object:Gem::Dependency
+  name: rspec_junit_formatter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
 description: Secvault restores the classic Rails secrets.yml functionality that was
   removed in Rails 7.2, using simple, plain YAML files for environment-specific secrets
   management. Compatible with Rails 7.1+, 7.2+ and 8.0+.
@@ -52,6 +66,7 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- SECURITY.md
 - lib/secvault.rb
 - lib/secvault/rails_secrets.rb
 - lib/secvault/railtie.rb
@@ -73,7 +88,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 3.0.0
+      version: 3.2.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="