valvet 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 33f178cef255bdb28655e535b3a1b8901611fca9473c7f972df42302775eedd4
+  data.tar.gz: 0e03ef112f57112481ffbc7beadd99c9894851961a3fa992eac4a6273851cb11
+SHA512:
+  metadata.gz: a84ac8a7b64f0674755c258e9af9317446b77fe16c99568ef2b2b200402efb8069f14f019d79f5de51be30ed0bd3df29206ef9e4ca739bdccd395af4357d5db7
+  data.tar.gz: d6a5a0ca17f859749437b5fd2e9ae6be14cf2668849d555668cc078720ac082048f867f0722be7ae12293a4eae1792615cfcec253ce8e23ebb19714a9cdc211f

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0] - 2026-02-27
+
+- Initial release

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,10 @@
+# Code of Conduct
+
+"valvet" follows [The Ruby Community Conduct Guideline](https://www.ruby-lang.org/en/conduct) in all "collaborative space", which is defined as community communications channels (such as mailing lists, submitted patches, commit comments, etc.):
+
+* Participants will be tolerant of opposing views.
+* Participants must ensure that their language and actions are free of personal attacks and disparaging personal remarks.
+* When interpreting the words and actions of others, participants should always assume good intentions.
+* Behaviour which can be reasonably considered harassment will not be tolerated.
+
+If you have any concerns about behaviour within this project, please contact us at ["kim@burgestrand.se"](mailto:"kim@burgestrand.se").

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2026 Kim Burgestrand
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,69 @@
+# Valvet
+
+Keep secrets in your config files. Valvet encrypts sensitive values while leaving everything else readable, so you can check the whole file into version control, just like Rails credentials.
+
+It uses asymmetric encryption ([NaCl sealed boxes](https://libsodium.gitbook.io/doc/public-key_cryptography/sealed_boxes) via [RbNaCl](https://github.com/RbNaCl/rbnacl)), which means anyone on the team can add new secrets using the public key — without ever needing the private key.
+
+Give each environment its own keypair and they can all live in one file, each unable to decrypt the other's secrets.
+
+## Usage
+
+## CLI
+
+Generate a keypair (public key to stdout, private key to stderr):
+
+```bash
+valvet keypair                            # prints both, labeled
+valvet keypair > public.key 2> private.key  # saves each to a file
+```
+
+Encrypt and decrypt individual values:
+
+```bash
+valvet encrypt "my secret" --key public.key
+valvet decrypt "ciphertext..." --key private.key
+```
+
+## Config files
+
+Put your config in a YAML file with `!public_key` and `!encrypted` tags:
+
+```yaml
+development:
+  public_key: !public_key cWgtEYZ3bDXYgiHGbanGr+vl4HQrDgiAmOlBRc+hhgo=
+  secret_key_base: !encrypted 7oc+QbPyIa3Oe4ty09tNWRhgkAvlFjyWcggfeRAz8olE5VRF3lNvJEVGs8xgGquoXvItXPWOfus0ntQaUphFEsANyAE=
+  database:
+    password: !encrypted 3ad2zo3NKQU1EZm7XB2uFiqE6wAWjPPqjvPTD8rUB3m+ya2xrE5YvEuxDYkswgxqMjRfm5V1OHyz4cnez0GLUTif1+0=
+
+production:
+  public_key: !public_key R7ljpsyGiOm2Yz3ElbQwCDDapAMEhCHl6WYWS/ep4vM=
+  secret_key_base: !encrypted HWZrJnY+AxBW5+W71Ar6DHkW2clqmtccrcCy5iek+9H4BfYTS1VR5/P3p+YhNzIgd7+MTTJxSTXmGeG9k0CQfoUpnn0=
+  database:
+    password: !encrypted 8Z2QiPc7gKWqTmjs6mlNiKWPJ997ftzgpiMO/NdEEjzAvXAAckYIqeyOxem+OeCsDHsCwM8j2x8XPH/7VM383dmw+jA=
+```
+
+## Rails
+
+Place your config in `config/valvet.yml` and set `VALVET_PRIVATE_KEY` in your environment. The Railtie is loaded automatically and exposes `Rails.configuration.valvet`:
+
+```ruby
+Rails.configuration.valvet.secret_key_base
+Rails.configuration.valvet.database.password
+```
+
+## Installation
+
+```bash
+bundle add valvet
+```
+
+## Development
+
+```bash
+bin/setup
+rake          # runs tests, linting, and RBS validation
+```
+
+## License
+
+[MIT](LICENSE.txt)

data/Rakefile

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "minitest/test_task"
+
+Minitest::TestTask.create do |t|
+  t.test_prelude = 'require "test_helper"'
+end
+
+require "standard/rake"
+
+desc "Validate RBS type signatures"
+task "rbs:validate" do
+  sh "bundle exec rbs -I sig validate"
+end
+
+task default: %i[test standard rbs:validate]

data/exe/valvet

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+
+require "valvet"
+require "valvet/cli"
+
+exit Valvet::CLI.start(ARGV)

data/lib/valvet/cli.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+require "optparse"
+
+module Valvet
+  class CLI
+    def self.start(argv, ...)
+      new(...).run(argv.dup)
+    end
+
+    def initialize(out: $stdout, err: $stderr)
+      @out = out
+      @err = err
+      @commands = {
+        "keypair" => method(:keypair), "g" => method(:keypair),
+        "encrypt" => method(:encrypt), "e" => method(:encrypt),
+        "decrypt" => method(:decrypt), "d" => method(:decrypt),
+        "help" => method(:help)
+      }
+    end
+
+    def run(argv)
+      command = @commands.fetch(argv.shift.to_s) { method(:help) }
+      command.call(argv) || 0
+    end
+
+    private
+
+    def keypair(_argv)
+      decryptor = Crypto.generate
+
+      if @out.tty?
+        @out.puts "public_key: #{decryptor.public_key}"
+      else
+        @out.puts decryptor.public_key
+      end
+
+      if @err.tty?
+        @err.puts "private_key: #{decryptor}"
+        @err.puts "\e[33mKeep the private key secret. Store it in an environment variable, not in version control.\e[0m"
+      else
+        @err.puts decryptor
+      end
+    end
+
+    def encrypt(argv)
+      key = nil
+      parser = OptionParser.new do |opts|
+        opts.banner = "Usage: valvet encrypt VALUE --key PUBLIC_KEY"
+        opts.on("-k", "--key KEY", "Public key (base64 or file path)") { |k| key = k }
+      end
+      parser.parse!(argv)
+
+      value = argv.shift
+      if value.nil? || key.nil?
+        @err.puts parser.to_s
+        return 1
+      end
+
+      @out.puts Crypto::Encryptor.new(read_key(key)).encrypt(value)
+    end
+
+    def decrypt(argv)
+      key = nil
+      parser = OptionParser.new do |opts|
+        opts.banner = "Usage: valvet decrypt CIPHERTEXT --key PRIVATE_KEY"
+        opts.on("-k", "--key KEY", "Private key (base64 or file path)") { |k| key = k }
+      end
+      parser.parse!(argv)
+
+      ciphertext = argv.shift
+      if ciphertext.nil? || key.nil?
+        @err.puts parser.to_s
+        return 1
+      end
+
+      @out.puts Crypto::Decryptor.new(read_key(key)).decrypt(ciphertext)
+    end
+
+    def read_key(key)
+      File.exist?(key) ? File.binread(key).strip : key
+    end
+
+    def help(_argv)
+      @out.puts <<~HELP
+        Usage: valvet COMMAND [OPTIONS]
+
+        Commands:
+          keypair, g     Generate a new keypair
+          encrypt, e     Encrypt a value (requires --key)
+          decrypt, d     Decrypt a value (requires --key)
+          help           Show this help
+
+        Run `valvet COMMAND --help` for more information.
+      HELP
+    end
+  end
+end

data/lib/valvet/crypto.rb

@@ -0,0 +1,40 @@
+module Valvet
+  module Crypto
+    def self.encode(data) = Base64.strict_encode64(data)
+    def self.decode(data) = Base64.decode64(data)
+
+    def self.generate
+      key = encode(RbNaCl::PrivateKey.generate.to_s)
+      Decryptor.new(key)
+    end
+
+    class Encryptor
+      def initialize(public_key)
+        @public_key = RbNaCl::PublicKey.new(Crypto.decode(public_key))
+      end
+
+      def to_s = Crypto.encode(@public_key.to_s)
+
+      def encrypt(plaintext)
+        box = RbNaCl::Boxes::Sealed.from_public_key(@public_key)
+        Crypto.encode(box.encrypt(plaintext))
+      end
+    end
+
+    class Decryptor
+      def initialize(private_key)
+        @private_key = RbNaCl::PrivateKey.new(Crypto.decode(private_key))
+      end
+
+      def to_s = Crypto.encode(@private_key.to_s)
+      def public_key = Crypto.encode(@private_key.public_key.to_s)
+
+      def encryptor = Encryptor.new(public_key)
+
+      def decrypt(ciphertext)
+        box = RbNaCl::Boxes::Sealed.from_private_key(@private_key)
+        box.decrypt(Crypto.decode(ciphertext))
+      end
+    end
+  end
+end

data/lib/valvet/encrypted.rb

@@ -0,0 +1,5 @@
+module Valvet
+  Encrypted = Data.define(:ciphertext) do
+    def empty? = ciphertext.empty?
+  end
+end

data/lib/valvet/error.rb

@@ -0,0 +1,17 @@
+module Valvet
+  module Error
+    class Base < StandardError
+    end
+
+    class NoDecryptorError < Base
+      attr_reader :public_key
+      attr_reader :ciphertext
+
+      def initialize(public_key:, ciphertext:)
+        @public_key = public_key
+        @ciphertext = ciphertext
+        super("No decryptor for public key #{public_key}")
+      end
+    end
+  end
+end

data/lib/valvet/public_key.rb

@@ -0,0 +1,3 @@
+module Valvet
+  PublicKey = Data.define(:key)
+end

data/lib/valvet/rails.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require "valvet"
+require "rails"
+
+module Valvet
+  class Railtie < ::Rails::Railtie
+    config.valvet = ActiveSupport::OrderedOptions.new
+    config.valvet.private_keys = [ENV["VALVET_PRIVATE_KEY"]].compact
+
+    initializer "valvet.register_yaml_tags", before: :load_environment_config do
+      Valvet::YAML.register
+    end
+
+    initializer "valvet.configure" do |app|
+      valvet_path = app.root.join("config", "valvet.yml")
+
+      if valvet_path.exist?
+        hash = app.config_for(:valvet).to_h.deep_stringify_keys
+        app.config.valvet = Valvet.new(hash, private_keys: app.config.valvet.private_keys)
+      end
+    end
+  end
+end

data/lib/valvet/store.rb

@@ -0,0 +1,86 @@
+module Valvet
+  class Store
+    Decrypt = Data.define(:public_key, :ciphertext)
+    Encrypt = Data.define(:public_key, :plaintext)
+
+    def initialize(hash, public_key: nil, &handler)
+      @hash = hash
+      @handler = handler
+      @public_key = find_public_key(hash)&.key || public_key
+    end
+
+    def key?(key) = @hash.key?(key)
+
+    def each(path: [], &block)
+      @hash.each do |key, value|
+        case value
+        when Valvet::PublicKey
+          next
+        when Valvet::Encrypted
+          yield path + [key], value, self
+        when Hash
+          child_scope(value).each(path: path + [key], &block)
+        else
+          yield path + [key], value, self
+        end
+      end
+    end
+
+    def to_h
+      @hash.each_with_object({}) do |(key, value), result|
+        next if value.is_a?(Valvet::PublicKey)
+        result[key] = resolve(key)
+        result[key] = result[key].to_h if result[key].is_a?(self.class)
+      end
+    end
+
+    def resolve(key)
+      value = @hash[key]
+      case value
+      when Valvet::Encrypted then decrypt(value)
+      when Hash then child_scope(value)
+      else value
+      end
+    end
+
+    def method_missing(name, ...)
+      key = name.to_s
+      if key.end_with?("=")
+        assign(key.chomp("="), ...)
+      elsif @hash.key?(key)
+        resolve(key)
+      else
+        super
+      end
+    end
+
+    def respond_to_missing?(name, ...)
+      key = name.to_s
+      @hash.key?(key) || (key.end_with?("=") && @hash.key?(key.chomp("="))) || super
+    end
+
+    private
+
+    def assign(key, value)
+      if @hash[key].is_a?(Valvet::Encrypted)
+        ciphertext = @handler.call(Encrypt.new(@public_key, value))
+        @hash[key] = Valvet::Encrypted.new(ciphertext:)
+      else
+        @hash[key] = value
+      end
+    end
+
+    def decrypt(encrypted)
+      @handler.call(Decrypt.new(@public_key, encrypted.ciphertext))
+    end
+
+    def child_scope(hash)
+      self.class.new(hash, public_key: @public_key, &@handler)
+    end
+
+    def find_public_key(hash)
+      hash.each_value { |v| return v if v.is_a?(Valvet::PublicKey) }
+      nil
+    end
+  end
+end

data/lib/valvet/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Valvet
+  VERSION = "0.1.0"
+end

data/lib/valvet/yaml.rb

@@ -0,0 +1,30 @@
+require "yaml"
+
+module Valvet
+  module YAML
+    def self.register
+      ::YAML.add_tag("!encrypted", Valvet::Encrypted)
+      ::YAML.add_tag("!public_key", Valvet::PublicKey)
+    end
+  end
+
+  class Encrypted
+    def init_with(coder) = initialize(ciphertext: coder.scalar)
+
+    def encode_with(coder)
+      coder.scalar = ciphertext
+    end
+  end
+
+  class PublicKey
+    def init_with(coder) = initialize(key: coder.scalar)
+
+    def encode_with(coder)
+      coder.scalar = key
+    end
+  end
+
+  class Store
+    def to_yaml(...) = ::YAML.dump(@hash, ...)
+  end
+end

data/lib/valvet.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require_relative "valvet/version"
+
+require "rbnacl"
+require "base64"
+
+require "zeitwerk"
+loader = Zeitwerk::Loader.for_gem
+loader.inflector.inflect("yaml" => "YAML")
+loader.ignore("#{__dir__}/valvet/version.rb")
+loader.ignore("#{__dir__}/valvet/cli.rb")
+loader.ignore("#{__dir__}/valvet/rails.rb")
+loader.setup
+
+module Valvet
+  def self.new(hash, private_keys: [])
+    decryptors = private_keys.to_h do |private_key|
+      decryptor = Crypto::Decryptor.new(private_key)
+      [decryptor.public_key, decryptor]
+    end
+
+    Store.new(hash) do |intent|
+      case intent
+      in Store::Decrypt(public_key:, ciphertext:)
+        decryptors.fetch(public_key) {
+          raise Error::NoDecryptorError.new(public_key:, ciphertext:)
+        }.decrypt(ciphertext)
+      in Store::Encrypt(public_key:, plaintext:)
+        Crypto::Encryptor.new(public_key).encrypt(plaintext)
+      end
+    end
+  end
+end
+
+require "valvet/rails" if defined?(Rails::Railtie)

data/sig/valvet.rbs

@@ -0,0 +1,111 @@
+module Valvet
+  VERSION: String
+
+  type base64_encoded = String
+
+  def self.new: (Hash[String, untyped] hash, ?private_keys: Array[base64_encoded]) -> Store
+
+  class Encrypted
+    attr_reader ciphertext: base64_encoded
+
+    def self.new: (ciphertext: base64_encoded) -> Encrypted
+
+    def empty?: () -> bool
+
+    def init_with: (untyped coder) -> void
+
+    def encode_with: (untyped coder) -> void
+  end
+
+  class PublicKey
+    attr_reader key: base64_encoded
+
+    def self.new: (key: base64_encoded) -> PublicKey
+
+    def init_with: (untyped coder) -> void
+
+    def encode_with: (untyped coder) -> void
+  end
+
+  module Error
+    class Base < StandardError
+    end
+
+    class NoDecryptorError < Base
+      attr_reader public_key: base64_encoded
+      attr_reader ciphertext: base64_encoded
+
+      def initialize: (public_key: base64_encoded, ciphertext: base64_encoded) -> void
+    end
+  end
+
+  module Crypto
+    def self.encode: (String data) -> base64_encoded
+
+    def self.decode: (base64_encoded data) -> String
+
+    def self.generate: () -> Decryptor
+
+    class Encryptor
+      def initialize: (base64_encoded public_key) -> void
+
+      def to_s: () -> base64_encoded
+
+      def encrypt: (String plaintext) -> base64_encoded
+    end
+
+    class Decryptor
+      def initialize: (base64_encoded private_key) -> void
+
+      def to_s: () -> base64_encoded
+
+      def public_key: () -> base64_encoded
+
+      def encryptor: () -> Encryptor
+
+      def decrypt: (base64_encoded ciphertext) -> String
+    end
+  end
+
+  class Store
+    class Decrypt
+      attr_reader public_key: base64_encoded
+      attr_reader ciphertext: base64_encoded
+
+      def self.new: (base64_encoded public_key, base64_encoded ciphertext) -> Decrypt
+    end
+
+    class Encrypt
+      attr_reader public_key: base64_encoded
+      attr_reader plaintext: String
+
+      def self.new: (base64_encoded public_key, String plaintext) -> Encrypt
+    end
+
+    def initialize: (Hash[String, untyped] hash, ?public_key: base64_encoded?) { (Store::Decrypt | Store::Encrypt) -> String } -> void
+
+    def key?: (String key) -> bool
+
+    def each: (?path: Array[String]) { (Array[String], untyped, Store) -> void } -> void
+
+    def to_h: () -> Hash[String, untyped]
+
+    def resolve: (String key) -> (String | Store | untyped)
+
+    def to_yaml: (*untyped) -> String
+
+    private
+
+    def assign: (String key, untyped value) -> void
+
+    def decrypt: (Encrypted encrypted) -> String
+
+    def child_scope: (Hash[String, untyped] hash) -> Store
+
+    def find_public_key: (Hash[String, untyped] hash) -> PublicKey?
+  end
+
+  module YAML
+    def self.register: () -> void
+  end
+end

metadata

@@ -0,0 +1,108 @@
+--- !ruby/object:Gem::Specification
+name: valvet
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Kim Burgestrand
+- Varvet
+bindir: exe
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rbnacl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: zeitwerk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Keep secrets in your config files. Valvet encrypts sensitive values while
+  leaving everything else readable, so you can check the whole file into version control.
+  Uses NaCl sealed boxes via RbNaCl.
+email:
+- kim@burgestrand.se
+executables:
+- valvet
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- LICENSE.txt
+- README.md
+- Rakefile
+- exe/valvet
+- lib/valvet.rb
+- lib/valvet/cli.rb
+- lib/valvet/crypto.rb
+- lib/valvet/encrypted.rb
+- lib/valvet/error.rb
+- lib/valvet/public_key.rb
+- lib/valvet/rails.rb
+- lib/valvet/store.rb
+- lib/valvet/version.rb
+- lib/valvet/yaml.rb
+- log/test.log
+- sig/valvet.rbs
+homepage: https://github.com/varvet/valvet
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org
+  homepage_uri: https://github.com/varvet/valvet
+  source_code_uri: https://github.com/varvet/valvet
+  changelog_uri: https://github.com/varvet/valvet/blob/main/CHANGELOG.md
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.2.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 4.0.3
+specification_version: 4
+summary: Encrypt secrets in your config files using asymmetric encryption
+test_files: []