TypeDialog/examples/08-encryption/sops-example.ncl

# Nickel Schema with SOPS Backend Focus
#
# This demonstrates encryption in Nickel using SOPS (Mozilla SOPS)
# which supports multiple KMS providers via .sops.yaml configuration.
#
# SOPS Benefits:
# - Team collaboration with key management
# - Git-friendly (diffs show plaintext)
# - Multi-KMS support (AWS, GCP, Azure)
# - File-based encryption (YAML, JSON, TOML)
#
# Usage:
#   1. Create .sops.yaml configuration:
#      cat > .sops.yaml << 'EOF'
#      creation_rules:
#        - path_regex: .*
#          kms: arn:aws:kms:us-east-1:ACCOUNT:key/KEY_ID
#      EOF
#
#   2. Convert to form and encrypt:
#      nickel query sops-example.ncl inputs > sops-form.toml
#      export AWS_REGION=us-east-1
#      typedialog form sops-form.toml --encrypt --backend sops --format json
#

{
  # ===================================================================
  # Application Metadata (plaintext)
  # ===================================================================
  app_name | String = "",
  app_version | String = "",

  # ===================================================================
  # SOPS Encrypted Fields
  # All these fields use SOPS backend (AWS KMS via .sops.yaml)
  # ===================================================================

  # Database credentials
  db_password | Sensitive Backend="sops" = "",
  db_connection_string | Sensitive Backend="sops" = "",

  # API credentials (multiple services)
  stripe_api_key | Sensitive Backend="sops" = "",
  slack_bot_token | Sensitive Backend="sops" = "",
  github_token | Sensitive Backend="sops" = "",

  # Infrastructure secrets
  registry_password | Sensitive Backend="sops" = "",
  container_registry_url | Sensitive Backend="sops" = "",

  # Vault and secrets management
  vault_addr | String = "https://vault.internal:8200",
  vault_token | Sensitive Backend="sops" = "",
  vault_namespace | String = "",

  # TLS/SSL
  tls_cert_path | String = "",
  tls_key | Sensitive Backend="sops" = "",

  # SSH and authentication
  ssh_private_key | Sensitive Backend="sops" = "",
  ssh_known_hosts | Sensitive Backend="sops" = "",

  # Cloud provider credentials
  aws_access_key | Sensitive Backend="sops" = "",
  aws_secret_key | Sensitive Backend="sops" = "",
  gcp_service_account | Sensitive Backend="sops" = "",

  # Application secrets
  jwt_secret | Sensitive Backend="sops" = "",
  session_secret | Sensitive Backend="sops" = "",
  encryption_key | Sensitive Backend="sops" = "",

  # Optional fields
  feature_flags | String? = null,
  custom_config | String? = null,
}
feat(encryption): integrate external encryption services with Nickel contracts ADDED: - encryption_bridge.rs: Service integration layer - encryption_contract_parser.rs: Nickel contract parsing - encryption_integration.rs: Integration tests (+442 lines) - docs/ENCRYPTION-*.md: Quick start, setup, architecture - examples/08-encryption: Usage examples - scripts/encryption-test-setup.sh: Provisioning MODIFIED: - helpers.rs: +570 lines utility functions - nickel/: Enhanced contract parsing & serialization - form_parser.rs: Constraint interpolation improvements - config/mod.rs: New configuration (+24 lines) - typedialog/src/main.rs: CLI updates (+83 lines) - Cargo.toml: encryption_bridge dependency - Cargo.lock, SBOMs: Updated AFFECTED BACKENDS: cli, tui, web (core-level changes) 2025-12-22 10:40:01 +00:00			`# Nickel Schema with SOPS Backend Focus`
			`#`
			`# This demonstrates encryption in Nickel using SOPS (Mozilla SOPS)`
			`# which supports multiple KMS providers via .sops.yaml configuration.`
			`#`
			`# SOPS Benefits:`
			`# - Team collaboration with key management`
			`# - Git-friendly (diffs show plaintext)`
			`# - Multi-KMS support (AWS, GCP, Azure)`
			`# - File-based encryption (YAML, JSON, TOML)`
			`#`
			`# Usage:`
			`# 1. Create .sops.yaml configuration:`
			`# cat > .sops.yaml << 'EOF'`
			`# creation_rules:`
			`# - path_regex: .*`
			`# kms: arn:aws:kms:us-east-1:ACCOUNT:key/KEY_ID`
			`# EOF`
			`#`
			`# 2. Convert to form and encrypt:`
			`# nickel query sops-example.ncl inputs > sops-form.toml`
			`# export AWS_REGION=us-east-1`
			`# typedialog form sops-form.toml --encrypt --backend sops --format json`
			`#`

			`{`
			`# ===================================================================`
			`# Application Metadata (plaintext)`
			`# ===================================================================`
			`app_name \| String = "",`
			`app_version \| String = "",`

			`# ===================================================================`
			`# SOPS Encrypted Fields`
			`# All these fields use SOPS backend (AWS KMS via .sops.yaml)`
			`# ===================================================================`

			`# Database credentials`
			`db_password \| Sensitive Backend="sops" = "",`
			`db_connection_string \| Sensitive Backend="sops" = "",`

			`# API credentials (multiple services)`
			`stripe_api_key \| Sensitive Backend="sops" = "",`
			`slack_bot_token \| Sensitive Backend="sops" = "",`
			`github_token \| Sensitive Backend="sops" = "",`

			`# Infrastructure secrets`
			`registry_password \| Sensitive Backend="sops" = "",`
			`container_registry_url \| Sensitive Backend="sops" = "",`

			`# Vault and secrets management`
			`vault_addr \| String = "https://vault.internal:8200",`
			`vault_token \| Sensitive Backend="sops" = "",`
			`vault_namespace \| String = "",`

			`# TLS/SSL`
			`tls_cert_path \| String = "",`
			`tls_key \| Sensitive Backend="sops" = "",`

			`# SSH and authentication`
			`ssh_private_key \| Sensitive Backend="sops" = "",`
			`ssh_known_hosts \| Sensitive Backend="sops" = "",`

			`# Cloud provider credentials`
			`aws_access_key \| Sensitive Backend="sops" = "",`
			`aws_secret_key \| Sensitive Backend="sops" = "",`
			`gcp_service_account \| Sensitive Backend="sops" = "",`

			`# Application secrets`
			`jwt_secret \| Sensitive Backend="sops" = "",`
			`session_secret \| Sensitive Backend="sops" = "",`
			`encryption_key \| Sensitive Backend="sops" = "",`

			`# Optional fields`
			`feature_flags \| String? = null,`
			`custom_config \| String? = null,`
			`}`