teak-attr_encrypted 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1a3df230e2f241f656f7f25cf32f726dab34da3428c5c7d863022e34900ee892
-  data.tar.gz: df129ea74fef65d0a01c10579fe9e3be64e43ba5cf191bfae8859d06dcf76e20
+  metadata.gz: 5b8497e264b6044541cba0bad8679afb3a4d49344947ae4493bca833f063fff1
+  data.tar.gz: e141a21ae14066c3d65fe51083d2c00ac46423434a2f8c3ab28783f5d5e578f7
 SHA512:
-  metadata.gz: 286500d3573ca70ca514a559adf01a1f9ec16a3f0034319935550f490110c039ad2325cc32d20b1df573f29cb140392522f7e892b163d10feb44b27bf22e9bb4
-  data.tar.gz: dda4068e8b804b311fd62caa6ad6e0504a166d9fa1a251d04fddd1fa36e323424359ddbd37f0689dee6a0d41d795985d136ac888030d97f0c6a037d7d3da9024
+  metadata.gz: 81136834d78fdc45c21c0384b41330a3aab5bd2f2cefbbf8953a0e707944794b412def9fe55597257bdbad2ee4d45d1d02f7a684c4afb5bca40cd2eed3dcd5bf
+  data.tar.gz: 5ca2ab3c1dea9c09c0e0c114be7e4f5377ecd53e76d3833885a544692c72f02900d19f11a2de24fc7a3c801fa4f17c91279412bb117dbe5523946149d22825b7

data/.circleci/config.yml

@@ -0,0 +1,156 @@
+version: 2.1
+
+parameters:
+  scheduled_run:
+    type: boolean
+    default: false
+
+references:
+  AUDIT_ALERT_RECIPIENTS: &AUDIT_ALERT_RECIPIENTS
+    "@jfrisby"
+  RUBY_IMAGE: &RUBY_IMAGE
+    cimg/ruby:3.2.2
+  CACHE_KEY: &BUNDLE_CACHE_KEY
+    v1-teak-attr_encrypted-{{ checksum "Gemfile.lock" }}
+  # ONLY_DEVELOP: &ONLY_DEVELOP
+  #   filters:
+  #     branches:
+  #       only:
+  #         - develop
+  # ONLY_MAIN: &ONLY_MAIN
+  #   filters:
+  #     branches:
+  #       only:
+  #         - main
+  # BRANCHES_ONLY: &BRANCHES_ONLY
+  #   filters:
+  #     branches:
+  #       ignore:
+  #         - main
+  #         - develop
+
+orbs:
+  slack: circleci/slack@6.1 # https://github.com/CircleCI-Public/slack-orb/releases
+
+jobs:
+  refresh_ruby_deps:
+    docker:
+      - image: *RUBY_IMAGE
+        environment:
+          RACK_ENV: test
+    working_directory: ~/teak-attr_encrypted-build
+    steps:
+      - checkout
+      - restore_cache:
+          key: *BUNDLE_CACHE_KEY
+      - run: bundle config set --local path 'vendor/bundle'
+      - run: bundle install --jobs 3 --retry 3
+      - save_cache:
+          key: *BUNDLE_CACHE_KEY
+          paths:
+            - ~/teak-attr_encrypted-build/vendor/bundle
+            - ~/teak-attr_encrypted-build/.bundle
+
+  rspec:
+    docker:
+      - image: *RUBY_IMAGE
+    parallelism: 4
+    working_directory: ~/teak-attr_encrypted-build
+    steps:
+      - checkout
+      - restore_cache:
+          key: *BUNDLE_CACHE_KEY
+      - run: mkdir ~/rspec
+      - run: gem list
+      - run: bundle list
+      - run:
+          command: |
+            circleci tests glob "spec/**/*_spec.rb" | circleci tests run --command="xargs bundle exec rspec --format progress --format RspecJunitFormatter -o ~/rspec/rspec.xml" --verbose --split-by=timings
+      - store_test_results:
+          path: ~/rspec
+      - store_artifacts:
+          path: ~/rspec/rspec.xml
+      - run: mv ./coverage /tmp/coverage_${CIRCLE_NODE_INDEX}
+      - persist_to_workspace:
+          root: /tmp
+          paths:
+          - "coverage_*"
+
+  report_coverage:
+    docker:
+      - image: *RUBY_IMAGE
+    working_directory: ~/teak-attr_encrypted-build
+    steps:
+      - checkout
+      - restore_cache:
+          key: *BUNDLE_CACHE_KEY
+      - attach_workspace:
+          at: /tmp/coverage
+      - run: bundle exec rake report:coverage
+
+  lint_rubocop:
+    docker:
+      - image: *RUBY_IMAGE
+    working_directory: ~/teak-attr_encrypted-build
+    steps:
+      - checkout
+      - restore_cache:
+          key: *BUNDLE_CACHE_KEY
+      - run: bundle exec rake lint:rubocop
+
+  report_rubocop:
+    docker:
+      - image: *RUBY_IMAGE
+    working_directory: ~/teak-attr_encrypted-build
+    steps:
+      - checkout
+      - restore_cache:
+          key: *BUNDLE_CACHE_KEY
+      - run: bundle exec rake report:rubocop
+
+  lint_bundler_audit:
+    docker:
+      - image: *RUBY_IMAGE
+    working_directory: ~/teak-attr_encrypted-build
+    steps:
+      - checkout
+      - restore_cache:
+          key: *BUNDLE_CACHE_KEY
+      - run: bundle exec rake lint:bundler_audit
+      - slack/notify:
+          event: fail
+          template: basic_fail_1
+          mentions: *AUDIT_ALERT_RECIPIENTS
+
+workflows:
+  build:
+    when:
+      not: << pipeline.parameters.scheduled_run >>
+    jobs:
+      - refresh_ruby_deps
+      - rspec:
+          requires:
+            - refresh_ruby_deps
+      - report_coverage:
+          requires:
+            - rspec
+          context:
+            - DataDog
+      - lint_rubocop:
+          requires:
+            - refresh_ruby_deps
+      - report_rubocop:
+          requires:
+            - refresh_ruby_deps
+          context:
+            - DataDog
+
+  period_dependency_audits:
+    when: << pipeline.parameters.scheduled_run >>
+    jobs:
+      - refresh_ruby_deps
+      - lint_bundler_audit:
+          context:
+            - Slack
+          requires:
+            - refresh_ruby_deps

data/.gitignore

@@ -9,3 +9,5 @@
 
 # rspec failure tracking
 .rspec_status
+
+.claude/settings.local.json

data/.reek.yml

@@ -0,0 +1,36 @@
+exclude_paths:
+- bin
+- spec # We might want to reconsider this at some point, but...
+detectors:
+  IrresponsibleModule:
+    enabled: false # Duplicative vs. RuboCop.
+  TooManyStatements:
+    enabled: false # Duplicative vs. RuboCop.
+  ControlParameter:
+    exclude:
+    - Teak::AttrEncrypted::DSL::ClassMethods#attr_encrypted
+    - Teak::AttrEncrypted::KEKProvider::AwsKMS#initialize
+  DuplicateMethodCall:
+    exclude:
+    - Teak::AttrEncrypted::DSL::ClassMethods#attr_encrypted
+    - Teak::AttrEncrypted::DSL::ClassMethods#attr_encrypted
+    - Teak::AttrEncrypted::KEKProvider::AES#request_data_key
+    - Teak::AttrEncrypted::Testing#context_allowed?
+  FeatureEnvy:
+    exclude:
+    - Teak::AttrEncrypted::Encryptor#decrypt
+    - Teak::AttrEncrypted::Encryptor#encrypt
+    - Teak::AttrEncrypted::KEKProvider::AES#decrypt_data_key
+    - Teak::AttrEncrypted::KEKProvider::AES#request_data_key
+  LongParameterList:
+      exclude:
+      - Teak::AttrEncrypted::DSL::ClassMethods#attr_encrypted
+  NilCheck:
+      exclude:
+      - Teak::AttrEncrypted::DSL::ClassMethods#attr_encrypted
+  TooManyConstants:
+      exclude:
+      - Teak::AttrEncrypted::Encryptor
+  UtilityFunction:
+      exclude:
+      - Teak::AttrEncrypted::Testing::RSpecHelpers#allow_encryption_contexts

data/.rubocop.yml

@@ -0,0 +1,7 @@
+inherit_gem:
+  teak-dev: config/rubocop-base.yml
+
+inherit_from: .rubocop_todo.yml
+inherit_mode:
+  merge:
+    - Exclude

data/.rubocop_todo.yml

@@ -0,0 +1,268 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config --auto-gen-only-exclude --no-exclude-limit --no-auto-gen-enforced-style`
+# on 2026-03-25 19:14:20 UTC using RuboCop version 1.86.0.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 5
+Cop/RequireSpecHelper:
+  Exclude:
+    - 'spec/teak/attr_encrypted_spec.rb'
+    - 'spec/teak/dsl_spec.rb'
+    - 'spec/teak/encryptor_spec.rb'
+    - 'spec/teak/kek_provider/aes_spec.rb'
+    - 'spec/teak/kek_provider/aws_kms_spec.rb'
+
+# Offense count: 7
+# This cop supports safe autocorrection (--autocorrect).
+# Configuration parameters: AllowAliasSyntax, AllowedMethods.
+# AllowedMethods: alias_method, public, protected, private
+Layout/EmptyLinesAroundAttributeAccessor:
+  Exclude:
+    - 'spec/teak/dsl_spec.rb'
+
+# Offense count: 1
+# This cop supports safe autocorrection (--autocorrect).
+# Configuration parameters: AllowForAlignment, AllowBeforeTrailingComments, ForceEqualSignAlignment.
+Layout/ExtraSpacing:
+  Exclude:
+    - 'teak-attr_encrypted.gemspec'
+
+# Offense count: 19
+# This cop supports safe autocorrection (--autocorrect).
+# Configuration parameters: AllowMultipleStyles, EnforcedHashRocketStyle, EnforcedColonStyle, EnforcedLastArgumentHashStyle.
+# SupportedHashRocketStyles: key, separator, table
+# SupportedColonStyles: key, separator, table
+# SupportedLastArgumentHashStyles: always_inspect, always_ignore, ignore_implicit, ignore_explicit
+Layout/HashAlignment:
+  Exclude:
+    - 'lib/teak/attr_encrypted/encryptor.rb'
+    - 'lib/teak/attr_encrypted/kek_provider/aws_kms.rb'
+    - 'spec/teak/dsl_spec.rb'
+    - 'spec/teak/kek_provider/aes_spec.rb'
+    - 'spec/teak/kek_provider/aws_kms_spec.rb'
+
+# Offense count: 1
+# This cop supports safe autocorrection (--autocorrect).
+# Configuration parameters: AllowForAlignment, EnforcedStyleForExponentOperator, EnforcedStyleForRationalLiterals.
+# SupportedStylesForExponentOperator: space, no_space
+# SupportedStylesForRationalLiterals: space, no_space
+Layout/SpaceAroundOperators:
+  Exclude:
+    - 'teak-attr_encrypted.gemspec'
+
+# Offense count: 2
+# This cop supports safe autocorrection (--autocorrect).
+# Configuration parameters: EnforcedStyle, EnforcedStyleForEmptyBraces.
+# SupportedStyles: space, no_space, compact
+# SupportedStylesForEmptyBraces: space, no_space
+Layout/SpaceInsideHashLiteralBraces:
+  Exclude:
+    - 'lib/teak/attr_encrypted/kek_provider/aes.rb'
+
+# Offense count: 5
+# Configuration parameters: AllowedMethods.
+# AllowedMethods: enums
+Lint/ConstantDefinitionInBlock:
+  Exclude:
+    - 'spec/teak/dsl_spec.rb'
+
+# Offense count: 1
+# Configuration parameters: AllowComments, AllowNil.
+Lint/SuppressedException:
+  Exclude:
+    - 'Rakefile'
+
+# Offense count: 2
+# Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes, Max.
+Metrics/AbcSize:
+  Exclude:
+    - 'lib/teak/attr_encrypted/dsl.rb'
+    - 'lib/teak/attr_encrypted/encryptor.rb'
+
+# Offense count: 1
+# Configuration parameters: AllowedMethods, AllowedPatterns, Max.
+Metrics/CyclomaticComplexity:
+  Exclude:
+    - 'lib/teak/attr_encrypted/dsl.rb'
+
+# Offense count: 3
+# Configuration parameters: CountComments, Max, CountAsOne, AllowedMethods, AllowedPatterns.
+Metrics/MethodLength:
+  Exclude:
+    - 'lib/teak/attr_encrypted/dsl.rb'
+    - 'lib/teak/attr_encrypted/encryptor.rb'
+
+# Offense count: 1
+# Configuration parameters: AllowedMethods, AllowedPatterns, Max.
+Metrics/PerceivedComplexity:
+  Exclude:
+    - 'lib/teak/attr_encrypted/dsl.rb'
+
+# Offense count: 2
+# This cop supports safe autocorrection (--autocorrect).
+# Configuration parameters: EnforcedStyle.
+# SupportedStyles: be, be_nil
+RSpec/BeNil:
+  Exclude:
+    - 'spec/teak/attr_encrypted_spec.rb'
+    - 'spec/teak/dsl_spec.rb'
+
+# Offense count: 6
+# This cop supports safe autocorrection (--autocorrect).
+RSpec/EmptyLineAfterFinalLet:
+  Exclude:
+    - 'spec/teak/dsl_spec.rb'
+    - 'spec/teak/encryptor_spec.rb'
+    - 'spec/teak/kek_provider/aes_spec.rb'
+    - 'spec/teak/kek_provider/aws_kms_spec.rb'
+
+# Offense count: 6
+# This cop supports safe autocorrection (--autocorrect).
+RSpec/LeadingSubject:
+  Exclude:
+    - 'spec/teak/dsl_spec.rb'
+    - 'spec/teak/encryptor_spec.rb'
+    - 'spec/teak/kek_provider/aes_spec.rb'
+    - 'spec/teak/kek_provider/aws_kms_spec.rb'
+
+# Offense count: 5
+RSpec/LeakyConstantDeclaration:
+  Exclude:
+    - 'spec/teak/dsl_spec.rb'
+
+# Offense count: 1
+# This cop supports safe autocorrection (--autocorrect).
+RSpec/ScatteredLet:
+  Exclude:
+    - 'spec/teak/dsl_spec.rb'
+
+# Offense count: 4
+# Configuration parameters: CustomTransform, IgnoreMethods, IgnoreMetadata, InflectorPath, EnforcedInflector.
+# SupportedInflectors: default, active_support
+RSpec/SpecFilePathFormat:
+  Exclude:
+    - 'spec/teak/dsl_spec.rb'
+    - 'spec/teak/encryptor_spec.rb'
+    - 'spec/teak/kek_provider/aes_spec.rb'
+    - 'spec/teak/kek_provider/aws_kms_spec.rb'
+
+# Offense count: 4
+# This cop supports safe autocorrection (--autocorrect).
+# Configuration parameters: EnforcedStyle.
+# SupportedStyles: separated, grouped
+Style/AccessorGrouping:
+  Exclude:
+    - 'spec/teak/dsl_spec.rb'
+
+# Offense count: 6
+# Configuration parameters: AllowedConstants.
+Style/Documentation:
+  Exclude:
+    - 'lib/teak/attr_encrypted.rb'
+    - 'lib/teak/attr_encrypted/dsl.rb'
+    - 'lib/teak/attr_encrypted/encryptor.rb'
+    - 'lib/teak/attr_encrypted/kek_provider/aws_kms.rb'
+    - 'lib/teak/attr_encrypted/kek_provider/base.rb'
+
+# Offense count: 1
+# This cop supports safe autocorrection (--autocorrect).
+Style/ExpandPathArguments:
+  Exclude:
+    - 'teak-attr_encrypted.gemspec'
+
+# Offense count: 7
+# This cop supports unsafe autocorrection (--autocorrect-all).
+# Configuration parameters: EnforcedStyle.
+# SupportedStyles: always, always_true, never
+Style/FrozenStringLiteralComment:
+  Exclude:
+    - 'Gemfile'
+    - 'Rakefile'
+    - 'bin/console'
+    - 'lib/teak/attr_encrypted/version.rb'
+    - 'spec/spec_helper.rb'
+    - 'spec/teak/attr_encrypted_spec.rb'
+    - 'teak-attr_encrypted.gemspec'
+
+# Offense count: 1
+# This cop supports safe autocorrection (--autocorrect).
+# Configuration parameters: EnforcedStyle, EnforcedShorthandSyntax, UseHashRocketsWithSymbolValues, PreferHashRocketsForNonAlnumEndingSymbols.
+# SupportedStyles: ruby19, hash_rockets, no_mixed_keys, ruby19_no_mixed_keys
+# SupportedShorthandSyntax: always, never, either, consistent, either_consistent
+Style/HashSyntax:
+  Exclude:
+    - 'Rakefile'
+
+# Offense count: 1
+# This cop supports unsafe autocorrection (--autocorrect-all).
+# Configuration parameters: EnforcedStyle.
+# SupportedStyles: literals, strict
+Style/MutableConstant:
+  Exclude:
+    - 'lib/teak/attr_encrypted/version.rb'
+
+# Offense count: 1
+# This cop supports safe autocorrection (--autocorrect).
+# Configuration parameters: PreferredDelimiters.
+Style/PercentLiteralDelimiters:
+  Exclude:
+    - 'teak-attr_encrypted.gemspec'
+
+# Offense count: 2
+# This cop supports unsafe autocorrection (--autocorrect-all).
+# Configuration parameters: AllowedCompactTypes.
+# SupportedStyles: compact, exploded
+Style/RaiseArgs:
+  Exclude:
+    - 'lib/teak/attr_encrypted.rb'
+    - 'lib/teak/attr_encrypted/encryptor.rb'
+
+# Offense count: 1
+# This cop supports safe autocorrection (--autocorrect).
+# Configuration parameters: AllowedMethods.
+# AllowedMethods: infinite?, nonzero?
+Style/RedundantCondition:
+  Exclude:
+    - 'lib/teak/attr_encrypted.rb'
+
+# Offense count: 1
+# This cop supports safe autocorrection (--autocorrect).
+Style/RedundantPercentQ:
+  Exclude:
+    - 'teak-attr_encrypted.gemspec'
+
+# Offense count: 36
+# This cop supports safe autocorrection (--autocorrect).
+# Configuration parameters: EnforcedStyle, ConsistentQuotesInMultiline.
+# SupportedStyles: single_quotes, double_quotes
+Style/StringLiterals:
+  Exclude:
+    - 'Gemfile'
+    - 'Rakefile'
+    - 'bin/console'
+    - 'lib/teak/attr_encrypted/version.rb'
+    - 'spec/spec_helper.rb'
+    - 'spec/teak/attr_encrypted_spec.rb'
+    - 'spec/teak/kek_provider/aws_kms_spec.rb'
+    - 'teak-attr_encrypted.gemspec'
+
+# Offense count: 9
+# This cop supports safe autocorrection (--autocorrect).
+# Configuration parameters: EnforcedStyleForMultiline.
+# SupportedStylesForMultiline: comma, consistent_comma, diff_comma, no_comma
+Style/TrailingCommaInHashLiteral:
+  Exclude:
+    - 'lib/teak/attr_encrypted/encryptor.rb'
+    - 'lib/teak/attr_encrypted/kek_provider/aws_kms.rb'
+    - 'spec/teak/kek_provider/aws_kms_spec.rb'
+
+# Offense count: 1
+# This cop supports safe autocorrection (--autocorrect).
+# Configuration parameters: MinSize, WordRegex.
+# SupportedStyles: percent, brackets
+Style/WordArray:
+  Exclude:
+    - 'teak-attr_encrypted.gemspec'

data/.ruby-gemset

@@ -0,0 +1 @@
+teak-attr_encrypted

data/.ruby-version

@@ -0,0 +1 @@
+ruby-3.2.2

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+## 0.2.0
+
+FEATURES:
+* Add testing tools, to simulate availability / absence of specific encryption contexts.
+
 ## 0.1.1
 
 BUG FIXES:

data/CLAUDE.md

@@ -0,0 +1,176 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Overview
+
+teak-attr_encrypted is a Ruby gem that provides a DSL for transparent envelope encryption/decryption of attributes on any class (primarily ORM models). It uses a Key Encryption Key (KEK) provider pattern where data keys are generated per-encryption and themselves encrypted by the KEK.
+
+## Commands
+
+- **Install dependencies:** `bundle install`
+- **Run all tests:** `bundle exec rake spec`
+- **Run a single test file:** `bundle exec rspec spec/teak/encryptor_spec.rb`
+- **Run a single test by line:** `bundle exec rspec spec/teak/encryptor_spec.rb:42`
+- **Interactive console:** `bin/console`
+
+## Architecture
+
+The gem implements envelope encryption with a two-tier key hierarchy:
+
+- **`Teak::AttrEncrypted`** — Entry module. `include` it in a class to get the `attr_encrypted` DSL. Holds the global `default_kek_provider`.
+- **`DSL`** (`lib/teak/attr_encrypted/dsl.rb`) — Defines `attr_encrypted` class method. For each encrypted attribute, it creates a getter/setter pair that delegates to an `Encryptor` instance. Supports `context:` (symbol, proc, or literal) as additional authenticated data.
+- **`Encryptor`** (`lib/teak/attr_encrypted/encryptor.rb`) — Handles AES-256-GCM encrypt/decrypt. Produces versioned envelopes: a version char prefix + Base64-encoded MessagePack blob containing IV, auth tag, encrypted data key, and ciphertext.
+- **KEK Providers** (`lib/teak/attr_encrypted/kek_provider/`) — Generate and decrypt data keys:
+  - `Base` — Abstract base with an `id` accessor.
+  - `AES` — Local AES-256-GCM key wrapping. Intended for dev/test only.
+  - `AwsKMS` — Production provider using AWS KMS `GenerateDataKey`/`Decrypt` for envelope encryption.
+- **`Testing`** (`lib/teak/attr_encrypted/testing.rb`) — Test helpers that prepend onto `Encryptor` to allow/deny encryption contexts in test scopes. Provides `RSpecHelpers` module.
+
+## Key Details
+
+- Ruby 3.2.2 (`.ruby-version`), gemset managed via `.ruby-gemset`
+- Only runtime dependency: `msgpack ~> 1.7`
+- Test dependencies: `rspec`, `simplecov` (branch coverage enabled), `aws-sdk-kms`
+- RSpec configured with `disable_monkey_patching!` and `expect` syntax only
+- Envelope format is versioned (currently version `'1'`) to allow future format changes
+
+
+## 📋 Commit Requirements (ALL Work - Features, Docs, Refactoring, Everything)
+
+### Every Commit Must Capture Human-Claude Interaction
+
+**The commit template below is MANDATORY for ALL commits** - documentation changes, refactoring, bug fixes, features, CLAUDE.md updates, everything. This captures how humans effectively guide Claude.
+
+### When to Commit
+Only commit when:
+- ✅ Tests pass (if applicable)
+- ✅ Human explicitly requests commit OR
+- ✅ Reached major milestone
+
+Never commit:
+- ❌ Without capturing full interaction log
+- ❌ With failing tests or lint errors
+- ❌ "Proactively" without meeting above criteria
+
+### Commit Checklist
+Before ANY commit:
+- [ ] Did I run `rake lint` and fix any issues?
+- [ ] Did I run tests (`rspec`) if applicable?
+- [ ] Did I search for existing patterns before writing code?
+- [ ] Did I document any NEW problem/solution in CLAUDE.md?
+- [ ] Am I solving a genuinely new problem? (Rare!)
+- [ ] **Did I capture VERBATIM human-Claude interactions in commit message?**
+
+### MANDATORY: Output Before EVERY Commit (All Work Types, Including Amends!)
+You MUST output exactly (even for `git commit --amend`):
+```
+📝 COMMIT READY CHECK:
+☑️ Lint clean: [YES/NO/NA - only if code changed]
+☑️ Tests pass: [YES/NO/NA - only if code changed]
+☑️ Tested in CLI: [YES/NO/NA - only if CLI code changed]
+☑️ Documented new patterns: [YES/NO/NA - only if applicable]
+☑️ ALL prompts since last commit captured: [YES - X prompts captured VERBATIM]
+
+[If ANY are NO: "❌ NOT ready - need to: (list required actions)"]
+[If ALL are YES/NA: "✅ Ready to commit with COMPLETE Human-Claude interaction log."]
+```
+
+When ready, commit your work with the human-Claude interaction log.
+
+**Note on Amending**: `git commit --amend` still requires the full checklist - code may have changed since original commit.
+
+**Universal Commit Message Template** (USE FOR EVERY COMMIT - docs, refactoring, features, EVERYTHING):
+```bash
+# First, check what you modified:
+git status
+# Then add YOUR specific changes (not everything):
+git add [specific files you changed]
+# For multiple files:
+git add file1.js file2.rb CLAUDE.md
+# Commit with interaction log:
+git commit -m "$(cat <<'EOF'
+Brief description of what was done
+
+[Technical changes made]
+
+## Human-Claude Interaction Log
+
+### Human prompts (VERBATIM - include typos, informal language, COMPLETE text):
+**Include EVERY prompt since last commit - even short ones, corrections, clarifications**
+1. "[Copy-paste ENTIRE first prompt since last commit]"
+   → Claude: [What Claude did in response]
+
+2. "[Copy-paste ENTIRE second prompt - including [Request interrupted] if present]"
+   → Claude: [How Claude adjusted]
+
+[Continue numbering ALL prompts - don't skip any or judge importance]
+
+### Key decisions made:
+- Human guided: [specific guidance provided]
+- Claude discovered: [patterns found]
+
+🤖 Generated with Claude Code
+Co-Authored-By: Claude <noreply@anthropic.com>
+EOF
+)"
+```
+**Note**: Avoid `git add -A` when multiple Claudes work in parallel - add only YOUR files.
+
+## GitHub Operations and Pull Request Creation
+
+### Team GitHub Usernames
+- Mark → **@blamfantastico**
+- Alex → **@AlexSc**
+- Jon → **@MrJoy**
+
+### Creating Pull Requests with Proper Escaping
+
+When creating pull requests using `gh pr create`, **ALWAYS use heredoc syntax** to ensure proper escaping of all special characters in the PR body.
+
+**Critical Requirements:**
+
+- **ALWAYS use heredoc (`cat <<'EOF'...EOF`)** for the `--body` parameter to ensure proper escaping of all special characters (quotes, backticks, dollar signs, parentheses, brackets, etc.)
+- The single quotes around `'EOF'` prevent variable expansion within the heredoc
+- This pattern safely handles any text content without manual escaping
+- Never attempt to manually escape characters - let the heredoc handle it
+
+**Correct PR Creation Example:**
+
+```bash
+# IMPORTANT: Always use heredoc syntax for --body to properly escape special characters
+gh pr create --title "the pr title" --body "$(cat <<'EOF'
+## Summary
+- Feature implementation with special chars like $, `, ", ', [], ()
+- Bug fixes for edge cases
+
+## Test plan
+- [ ] Unit tests pass
+- [ ] Integration tests complete
+- [ ] Manual testing done
+
+## Notes
+Any text here is safe, including: "quotes", `backticks`, $variables,
+[brackets], (parentheses), and other special characters!
+
+🤖 Generated with [Claude Code](https://claude.ai/code)
+EOF
+)"
+```
+
+**Why Heredocs Solve Escaping Issues:**
+
+1. The heredoc delimiter (`'EOF'`) with single quotes prevents shell expansion
+2. All content between delimiters is treated as literal text
+3. No need to escape individual characters
+4. Handles multi-line content naturally
+5. Same pattern used successfully for commit messages
+
+### Other GitHub CLI Operations
+
+- View PR comments: `gh pr view <number> --comments`
+- Check PR status: `gh pr status`
+- List PRs: `gh pr list`
+- View PR diff: `gh pr diff <number>`
+
+**Important:** Never update git config or push to remote unless explicitly requested by the user.

data/Gemfile

@@ -5,5 +5,13 @@ gemspec
 
 gem "rake", "~> 12.0"
 gem "rspec", "~> 3.0"
+gem "rspec_junit_formatter", "~> 0.6"
 gem 'simplecov', '~> 0.22.0'
 gem "aws-sdk-kms", "~> 1.72"
+gem "nokogiri", "~> 1.19"
+
+group :development do
+  gem 'bundler-audit', '~> 0.8', require: false
+  gem 'reek', '~> 6.1', '>= 6.1.1', require: false
+  gem 'teak-dev', '~> 0.1', require: false, source: 'https://repo.fury.io/alexsc/'
+end

data/Gemfile.lock

@@ -1,58 +1,179 @@
 PATH
   remote: .
   specs:
-    teak-attr_encrypted (0.1.1)
+    teak-attr_encrypted (0.2.0)
       msgpack (~> 1.7)
 
+GEM
+  remote: https://repo.fury.io/alexsc/
+  specs:
+    teak-dev (0.3.0)
+      bundler-audit (~> 0.9.2)
+      datadog_api_client (~> 2.43.0)
+      rubocop (~> 1.72)
+      rubocop-performance (~> 1.23, >= 1.23.1)
+      rubocop-rake (~> 0.7.1)
+      rubocop-rspec (~> 3.4)
+
 GEM
   remote: https://rubygems.org/
   specs:
-    aws-eventstream (1.2.0)
-    aws-partitions (1.844.0)
-    aws-sdk-core (3.186.0)
-      aws-eventstream (~> 1, >= 1.0.2)
-      aws-partitions (~> 1, >= 1.651.0)
-      aws-sigv4 (~> 1.5)
+    ast (2.4.3)
+    aws-eventstream (1.4.0)
+    aws-partitions (1.1230.0)
+    aws-sdk-core (3.244.0)
+      aws-eventstream (~> 1, >= 1.3.0)
+      aws-partitions (~> 1, >= 1.992.0)
+      aws-sigv4 (~> 1.9)
+      base64
+      bigdecimal
       jmespath (~> 1, >= 1.6.1)
-    aws-sdk-kms (1.72.0)
-      aws-sdk-core (~> 3, >= 3.184.0)
-      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.6.1)
+      logger
+    aws-sdk-kms (1.123.0)
+      aws-sdk-core (~> 3, >= 3.244.0)
+      aws-sigv4 (~> 1.5)
+    aws-sigv4 (1.12.1)
       aws-eventstream (~> 1, >= 1.0.2)
-    diff-lcs (1.5.0)
-    docile (1.4.0)
+    base64 (0.3.0)
+    bigdecimal (3.3.1)
+    bundler-audit (0.9.3)
+      bundler (>= 1.2.0)
+      thor (~> 1.0)
+    concurrent-ruby (1.3.6)
+    csv (3.3.5)
+    datadog_api_client (2.43.0)
+      httparty (~> 0.20, >= 0.20.0)
+      zeitwerk (~> 2.6, >= 2.6.0)
+    diff-lcs (1.6.2)
+    docile (1.4.1)
+    dry-configurable (1.3.0)
+      dry-core (~> 1.1)
+      zeitwerk (~> 2.6)
+    dry-core (1.1.0)
+      concurrent-ruby (~> 1.0)
+      logger
+      zeitwerk (~> 2.6)
+    dry-inflector (1.2.0)
+    dry-initializer (3.2.0)
+    dry-logic (1.6.0)
+      bigdecimal
+      concurrent-ruby (~> 1.0)
+      dry-core (~> 1.1)
+      zeitwerk (~> 2.6)
+    dry-schema (1.14.1)
+      concurrent-ruby (~> 1.0)
+      dry-configurable (~> 1.0, >= 1.0.1)
+      dry-core (~> 1.1)
+      dry-initializer (~> 3.2)
+      dry-logic (~> 1.5)
+      dry-types (~> 1.8)
+      zeitwerk (~> 2.6)
+    dry-types (1.8.3)
+      bigdecimal (~> 3.0)
+      concurrent-ruby (~> 1.0)
+      dry-core (~> 1.0)
+      dry-inflector (~> 1.0)
+      dry-logic (~> 1.4)
+      zeitwerk (~> 2.6)
+    httparty (0.24.2)
+      csv
+      mini_mime (>= 1.0.0)
+      multi_xml (>= 0.5.2)
     jmespath (1.6.2)
-    msgpack (1.7.2)
+    json (2.19.3)
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
+    logger (1.7.0)
+    mini_mime (1.1.5)
+    mini_portile2 (2.8.9)
+    msgpack (1.8.0)
+    multi_xml (0.7.1)
+      bigdecimal (~> 3.1)
+    nokogiri (1.19.2)
+      mini_portile2 (~> 2.8.2)
+      racc (~> 1.4)
+    parallel (1.27.0)
+    parser (3.3.10.2)
+      ast (~> 2.4.1)
+      racc
+    prism (1.9.0)
+    racc (1.8.1)
+    rainbow (3.1.1)
     rake (12.3.3)
-    rspec (3.12.0)
-      rspec-core (~> 3.12.0)
-      rspec-expectations (~> 3.12.0)
-      rspec-mocks (~> 3.12.0)
-    rspec-core (3.12.2)
-      rspec-support (~> 3.12.0)
-    rspec-expectations (3.12.3)
+    reek (6.5.0)
+      dry-schema (~> 1.13)
+      logger (~> 1.6)
+      parser (~> 3.3.0)
+      rainbow (>= 2.0, < 4.0)
+      rexml (~> 3.1)
+    regexp_parser (2.11.3)
+    rexml (3.4.4)
+    rspec (3.13.2)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.6)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.6)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.8)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
-    rspec-support (3.12.1)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.7)
+    rspec_junit_formatter (0.6.0)
+      rspec-core (>= 2, < 4, != 2.12.0)
+    rubocop (1.86.0)
+      json (~> 2.3)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
+      parallel (~> 1.10)
+      parser (>= 3.3.0.2)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.49.0, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.49.1)
+      parser (>= 3.3.7.2)
+      prism (~> 1.7)
+    rubocop-performance (1.26.1)
+      lint_roller (~> 1.1)
+      rubocop (>= 1.75.0, < 2.0)
+      rubocop-ast (>= 1.47.1, < 2.0)
+    rubocop-rake (0.7.1)
+      lint_roller (~> 1.1)
+      rubocop (>= 1.72.1)
+    rubocop-rspec (3.9.0)
+      lint_roller (~> 1.1)
+      rubocop (~> 1.81)
+    ruby-progressbar (1.13.0)
     simplecov (0.22.0)
       docile (~> 1.1)
       simplecov-html (~> 0.11)
       simplecov_json_formatter (~> 0.1)
-    simplecov-html (0.12.3)
+    simplecov-html (0.13.2)
     simplecov_json_formatter (0.1.4)
+    thor (1.5.0)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.2.0)
+    zeitwerk (2.6.18)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
   aws-sdk-kms (~> 1.72)
+  bundler-audit (~> 0.8)
+  nokogiri (~> 1.19)
   rake (~> 12.0)
+  reek (~> 6.1, >= 6.1.1)
   rspec (~> 3.0)
+  rspec_junit_formatter (~> 0.6)
   simplecov (~> 0.22.0)
   teak-attr_encrypted!
+  teak-dev (~> 0.1)!
 
 BUNDLED WITH
-   2.1.4
+   2.5.4

data/Rakefile

@@ -1,6 +1,12 @@
 require "bundler/gem_tasks"
 require "rspec/core/rake_task"
 
+begin
+  require 'teak/dev/tasks'
+  Teak::Dev::Tasks.install(service: 'teak-attr_encrypted')
+rescue LoadError
+end
+
 RSpec::Core::RakeTask.new(:spec)
 
 task :default => :spec

data/lib/teak/attr_encrypted/testing.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require 'teak/attr_encrypted'
+
+module Teak
+  module AttrEncrypted
+    # Test helpers for controlling which encryption contexts are available
+    # in test scopes. Prepends onto Encryptor to gate encrypt/decrypt calls.
+    module Testing
+      # Raised when an encryption context is not allowed in the current test scope.
+      class ContextNotAllowed < Teak::AttrEncrypted::Error
+        def initialize(context)
+          super("Encryption context #{context.inspect} is not allowed in the current test scope")
+        end
+      end
+
+      THREAD_KEY = :teak_attr_encrypted_testing_config
+
+      class << self
+        def allow_encryption_contexts(*contexts)
+          config = context_config
+          config[:allowed] = Array(contexts).flatten
+          config[:denied] = nil
+        end
+
+        def context_allowed?(context)
+          config = context_config
+          if config[:allowed]
+            config[:allowed].include?(context&.[](:type))
+          else
+            true
+          end
+        end
+
+        def check_context!(context)
+          return if context_allowed?(context)
+
+          raise ContextNotAllowed, context
+        end
+
+        def reset!
+          Thread.current[THREAD_KEY] = nil
+        end
+
+      private
+
+        def context_config
+          Thread.current[THREAD_KEY] ||= {}
+        end
+      end
+
+      # Prepended onto Encryptor to check context before encrypt/decrypt.
+      module EncryptorOverride
+        def decrypt(envelope, encryption_context)
+          Teak::AttrEncrypted::Testing.check_context!(encryption_context)
+          super
+        end
+
+        def encrypt(plaintext, encryption_context)
+          Teak::AttrEncrypted::Testing.check_context!(encryption_context)
+          super
+        end
+      end
+
+      # Include in RSpec to get allow helper methods.
+      module RSpecHelpers
+        def allow_encryption_contexts(*contexts)
+          Teak::AttrEncrypted::Testing.allow_encryption_contexts(*contexts)
+        end
+      end
+
+      Teak::AttrEncrypted::Encryptor.prepend(EncryptorOverride)
+    end
+  end
+end

data/lib/teak/attr_encrypted/version.rb

@@ -1,5 +1,5 @@
 module Teak
   module AttrEncrypted
-    VERSION = "0.1.1"
+    VERSION = "0.2.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: teak-attr_encrypted
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Alex Scarborough
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-09-10 00:00:00.000000000 Z
+date: 2026-03-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: msgpack
@@ -31,10 +31,17 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".circleci/config.yml"
 - ".gitignore"
+- ".reek.yml"
 - ".rspec"
+- ".rubocop.yml"
+- ".rubocop_todo.yml"
+- ".ruby-gemset"
+- ".ruby-version"
 - ".travis.yml"
 - CHANGELOG.md
+- CLAUDE.md
 - Gemfile
 - Gemfile.lock
 - LICENSE
@@ -49,6 +56,7 @@ files:
 - lib/teak/attr_encrypted/kek_provider/aes.rb
 - lib/teak/attr_encrypted/kek_provider/aws_kms.rb
 - lib/teak/attr_encrypted/kek_provider/base.rb
+- lib/teak/attr_encrypted/testing.rb
 - lib/teak/attr_encrypted/version.rb
 - teak-attr_encrypted.gemspec
 homepage: https://github.com/GoCarrot/teak-attr_encrypted
@@ -74,7 +82,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.5.4
 signing_key:
 specification_version: 4
 summary: Encrypts attributes on models using a key encryption key and envelopes.