TypeDialog/examples/08-encryption/nickel-secrets.ncl

# Nickel Schema with Encryption Annotations
#
# This demonstrates how to define encryption in Nickel schemas
# The `Sensitive` contract annotation specifies encryption backend and key path
#
# Usage:
#   1. Convert Nickel schema to TOML form:
#      nickel query nickel-secrets.ncl inputs | typedialog parse-nickel
#
#   2. The resulting TOML form will have encryption_backend and encryption_config
#
#   3. Execute the form:
#      typedialog form output.toml --encrypt --backend age --key-file ~/.age/key.txt
#

# Non-sensitive user information
{
  username | String = "",
  email | String = "",

  # =====================================================================
  # Age Backend (Local X25519 encryption)
  # =====================================================================
  password | Sensitive Backend="age" Key="~/.age/key.txt" = "",
  ssh_private_key | Sensitive Backend="age" = "",

  # =====================================================================
  # SOPS Backend (Multi-KMS support via .sops.yaml)
  # Uses .sops.yaml for KMS configuration (AWS/GCP/Azure)
  # =====================================================================
  database_password | Sensitive Backend="sops" = "",
  vault_token | Sensitive Backend="sops" = "",

  # =====================================================================
  # SecretumVault (Post-quantum cryptography ready)
  # =====================================================================
  api_key | Sensitive Backend="secretumvault" Vault="https://vault:8200" Key="app-key" = "",
  encryption_key | Sensitive Backend="secretumvault" = "",

  # =====================================================================
  # AWS KMS (Direct integration)
  # =====================================================================
  aws_secret | Sensitive Backend="awskms" Region="us-east-1" KeyId="arn:aws:kms:..." = "",

  # Sensitive fields without explicit backend
  # Will use CLI --backend flag or global default (Age)
  backup_key | Sensitive = "",

  # Nested structure with mixed backends
  server | {
    host | String = "localhost",
    port | Number = 8080,
    # Age backend
    admin_token | Sensitive Backend="age" = "",
    # SOPS backend
    db_password | Sensitive Backend="sops" = "",
  } = {},

  # Optional sensitive field (Age)
  ssh_public_key | String? = null,
}
feat(encryption): integrate external encryption services with Nickel contracts ADDED: - encryption_bridge.rs: Service integration layer - encryption_contract_parser.rs: Nickel contract parsing - encryption_integration.rs: Integration tests (+442 lines) - docs/ENCRYPTION-*.md: Quick start, setup, architecture - examples/08-encryption: Usage examples - scripts/encryption-test-setup.sh: Provisioning MODIFIED: - helpers.rs: +570 lines utility functions - nickel/: Enhanced contract parsing & serialization - form_parser.rs: Constraint interpolation improvements - config/mod.rs: New configuration (+24 lines) - typedialog/src/main.rs: CLI updates (+83 lines) - Cargo.toml: encryption_bridge dependency - Cargo.lock, SBOMs: Updated AFFECTED BACKENDS: cli, tui, web (core-level changes) 2025-12-22 10:40:01 +00:00			`# Nickel Schema with Encryption Annotations`
			`#`
			`# This demonstrates how to define encryption in Nickel schemas`
			# The `Sensitive` contract annotation specifies encryption backend and key path
			`#`
			`# Usage:`
			`# 1. Convert Nickel schema to TOML form:`
			`# nickel query nickel-secrets.ncl inputs \| typedialog parse-nickel`
			`#`
			`# 2. The resulting TOML form will have encryption_backend and encryption_config`
			`#`
			`# 3. Execute the form:`
			`# typedialog form output.toml --encrypt --backend age --key-file ~/.age/key.txt`
			`#`

			`# Non-sensitive user information`
			`{`
			`username \| String = "",`
			`email \| String = "",`

			`# =====================================================================`
			`# Age Backend (Local X25519 encryption)`
			`# =====================================================================`
			`password \| Sensitive Backend="age" Key="~/.age/key.txt" = "",`
			`ssh_private_key \| Sensitive Backend="age" = "",`

			`# =====================================================================`
			`# SOPS Backend (Multi-KMS support via .sops.yaml)`
			`# Uses .sops.yaml for KMS configuration (AWS/GCP/Azure)`
			`# =====================================================================`
			`database_password \| Sensitive Backend="sops" = "",`
			`vault_token \| Sensitive Backend="sops" = "",`

			`# =====================================================================`
			`# SecretumVault (Post-quantum cryptography ready)`
			`# =====================================================================`
			`api_key \| Sensitive Backend="secretumvault" Vault="https://vault:8200" Key="app-key" = "",`
			`encryption_key \| Sensitive Backend="secretumvault" = "",`

			`# =====================================================================`
			`# AWS KMS (Direct integration)`
			`# =====================================================================`
			`aws_secret \| Sensitive Backend="awskms" Region="us-east-1" KeyId="arn:aws:kms:..." = "",`

			`# Sensitive fields without explicit backend`
			`# Will use CLI --backend flag or global default (Age)`
			`backup_key \| Sensitive = "",`

			`# Nested structure with mixed backends`
			`server \| {`
			`host \| String = "localhost",`
			`port \| Number = 8080,`
			`# Age backend`
			`admin_token \| Sensitive Backend="age" = "",`
			`# SOPS backend`
			`db_password \| Sensitive Backend="sops" = "",`
			`} = {},`

			`# Optional sensitive field (Age)`
			`ssh_public_key \| String? = null,`
			`}`