TypeDialog/examples/08-encryption/multi-backend-sops.toml

# Multi-Backend Encryption with SOPS Focus
#
# This example demonstrates how different sensitive fields can use different
# encryption backends in the same form. Useful for multi-environment deployments:
# - Development: Age (local, no external service)
# - Staging: SOPS (team collaboration, key management)
# - Production: SecretumVault or direct AWS KMS (enterprise)
#
# Usage:
#
# Development (Age - local):
#   age-keygen -o ~/.age/key.txt  # Only needed once
#   typedialog form examples/08-encryption/multi-backend-sops.toml \
#     --encrypt --backend age --key-file ~/.age/key.txt --format json
#
# Staging (SOPS - AWS KMS via .sops.yaml):
#   # Create .sops.yaml
#   cat > .sops.yaml << 'EOF'
#   creation_rules:
#     - path_regex: .*
#       kms: arn:aws:kms:us-east-1:ACCOUNT:key/KEY_ID
#   EOF
#   export AWS_REGION=us-east-1
#   typedialog form examples/08-encryption/multi-backend-sops.toml \
#     --encrypt --backend sops --format json
#
# Production (SecretumVault - post-quantum):
#   export VAULT_ADDR=https://vault.prod:8200
#   export VAULT_TOKEN=hvs.token
#   typedialog form examples/08-encryption/multi-backend-sops.toml \
#     --encrypt --backend secretumvault --format json
#

name = "multi_backend_config"
description = "Configuration with multiple encryption backends for different environments"
display_mode = "complete"

# ============================================================================
# Application Configuration (Non-sensitive)
# ============================================================================

[[fields]]
name = "app_name"
type = "text"
prompt = "Application name"
required = true
sensitive = false

[[fields]]
name = "environment"
type = "select"
prompt = "Environment"
required = true
sensitive = false
options = ["development", "staging", "production"]

[[fields]]
name = "log_level"
type = "select"
prompt = "Log level"
required = false
sensitive = false
options = ["debug", "info", "warn", "error"]

# ============================================================================
# Database Configuration
# Field-level backend: SOPS (team-friendly, multi-KMS support)
# ============================================================================

[[fields]]
name = "db_host"
type = "text"
prompt = "Database hostname"
required = true
sensitive = false

[[fields]]
name = "db_port"
type = "text"
prompt = "Database port"
required = false
sensitive = false
default = "5432"

[[fields]]
name = "db_username"
type = "text"
prompt = "Database username"
required = true
sensitive = false

[[fields]]
name = "db_password"
type = "password"
prompt = "Database password (encrypted with SOPS)"
required = true
sensitive = true
encryption_backend = "sops"
# Note: SOPS configuration comes from .sops.yaml
# Supports AWS KMS, GCP KMS, Azure Key Vault via that config

# ============================================================================
# API Keys and Tokens
# Field-level backend: Age (simple, local)
# These might be development tokens that don't need KMS
# ============================================================================

[[fields]]
name = "api_key"
type = "text"
prompt = "API Key (encrypted with Age)"
required = false
sensitive = true
encryption_backend = "age"

[[fields]]
name = "api_secret"
type = "password"
prompt = "API Secret (encrypted with Age)"
required = false
sensitive = true
encryption_backend = "age"

# ============================================================================
# Enterprise/Production Secrets
# Field-level backend: AWS KMS (direct cloud integration)
# These are critical secrets that require cloud KMS
# ============================================================================

[[fields]]
name = "master_key"
type = "password"
prompt = "Master encryption key (AWS KMS protected)"
required = false
sensitive = true
encryption_backend = "awskms"

[fields.encryption_config]
region = "us-east-1"
key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"

[[fields]]
name = "root_token"
type = "password"
prompt = "Root access token (AWS KMS protected)"
required = false
sensitive = true
encryption_backend = "awskms"

[fields.encryption_config]
region = "us-east-1"
key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"

# ============================================================================
# Certificate and Key Material
# Field-level backend: SecretumVault (post-quantum, enterprise)
# Uses Transit Engine for encryption with PQC support
# ============================================================================

[[fields]]
name = "tls_cert"
type = "editor"
prompt = "TLS Certificate (SecretumVault with PQC)"
required = false
sensitive = true
encryption_backend = "secretumvault"

[[fields]]
name = "tls_key"
type = "editor"
prompt = "TLS Private Key (SecretumVault with PQC)"
required = false
sensitive = true
encryption_backend = "secretumvault"

# ============================================================================
# Configuration Summary
# ============================================================================
# This form demonstrates backend selection per field:
#
# Age Backend:      API keys (simple, local)
# SOPS Backend:     Database password (team collaboration)
# AWS KMS:          Critical production tokens
# SecretumVault:    TLS materials (post-quantum ready)
#
# Same form works for all environments with proper CLI flags:
#   --encrypt --backend age              # Dev
#   --encrypt --backend sops             # Staging (requires .sops.yaml)
#   --encrypt --backend secretumvault    # Production
#
# Field-level encryption_backend overrides CLI --backend for that specific field
# This allows mixing backends even within the same form execution.
feat(encryption): integrate external encryption services with Nickel contracts ADDED: - encryption_bridge.rs: Service integration layer - encryption_contract_parser.rs: Nickel contract parsing - encryption_integration.rs: Integration tests (+442 lines) - docs/ENCRYPTION-*.md: Quick start, setup, architecture - examples/08-encryption: Usage examples - scripts/encryption-test-setup.sh: Provisioning MODIFIED: - helpers.rs: +570 lines utility functions - nickel/: Enhanced contract parsing & serialization - form_parser.rs: Constraint interpolation improvements - config/mod.rs: New configuration (+24 lines) - typedialog/src/main.rs: CLI updates (+83 lines) - Cargo.toml: encryption_bridge dependency - Cargo.lock, SBOMs: Updated AFFECTED BACKENDS: cli, tui, web (core-level changes) 2025-12-22 10:40:01 +00:00			`# Multi-Backend Encryption with SOPS Focus`
			`#`
			`# This example demonstrates how different sensitive fields can use different`
			`# encryption backends in the same form. Useful for multi-environment deployments:`
			`# - Development: Age (local, no external service)`
			`# - Staging: SOPS (team collaboration, key management)`
			`# - Production: SecretumVault or direct AWS KMS (enterprise)`
			`#`
			`# Usage:`
			`#`
			`# Development (Age - local):`
			`# age-keygen -o ~/.age/key.txt # Only needed once`
			`# typedialog form examples/08-encryption/multi-backend-sops.toml \`
			`# --encrypt --backend age --key-file ~/.age/key.txt --format json`
			`#`
			`# Staging (SOPS - AWS KMS via .sops.yaml):`
			`# # Create .sops.yaml`
			`# cat > .sops.yaml << 'EOF'`
			`# creation_rules:`
			`# - path_regex: .*`
			`# kms: arn:aws:kms:us-east-1:ACCOUNT:key/KEY_ID`
			`# EOF`
			`# export AWS_REGION=us-east-1`
			`# typedialog form examples/08-encryption/multi-backend-sops.toml \`
			`# --encrypt --backend sops --format json`
			`#`
			`# Production (SecretumVault - post-quantum):`
			`# export VAULT_ADDR=https://vault.prod:8200`
			`# export VAULT_TOKEN=hvs.token`
			`# typedialog form examples/08-encryption/multi-backend-sops.toml \`
			`# --encrypt --backend secretumvault --format json`
			`#`

			`name = "multi_backend_config"`
			`description = "Configuration with multiple encryption backends for different environments"`
			`display_mode = "complete"`

			`# ============================================================================`
			`# Application Configuration (Non-sensitive)`
			`# ============================================================================`

			`[[fields]]`
			`name = "app_name"`
			`type = "text"`
			`prompt = "Application name"`
			`required = true`
			`sensitive = false`

			`[[fields]]`
			`name = "environment"`
			`type = "select"`
			`prompt = "Environment"`
			`required = true`
			`sensitive = false`
			`options = ["development", "staging", "production"]`

			`[[fields]]`
			`name = "log_level"`
			`type = "select"`
			`prompt = "Log level"`
			`required = false`
			`sensitive = false`
			`options = ["debug", "info", "warn", "error"]`

			`# ============================================================================`
			`# Database Configuration`
			`# Field-level backend: SOPS (team-friendly, multi-KMS support)`
			`# ============================================================================`

			`[[fields]]`
			`name = "db_host"`
			`type = "text"`
			`prompt = "Database hostname"`
			`required = true`
			`sensitive = false`

			`[[fields]]`
			`name = "db_port"`
			`type = "text"`
			`prompt = "Database port"`
			`required = false`
			`sensitive = false`
			`default = "5432"`

			`[[fields]]`
			`name = "db_username"`
			`type = "text"`
			`prompt = "Database username"`
			`required = true`
			`sensitive = false`

			`[[fields]]`
			`name = "db_password"`
			`type = "password"`
			`prompt = "Database password (encrypted with SOPS)"`
			`required = true`
			`sensitive = true`
			`encryption_backend = "sops"`
			`# Note: SOPS configuration comes from .sops.yaml`
			`# Supports AWS KMS, GCP KMS, Azure Key Vault via that config`

			`# ============================================================================`
			`# API Keys and Tokens`
			`# Field-level backend: Age (simple, local)`
			`# These might be development tokens that don't need KMS`
			`# ============================================================================`

			`[[fields]]`
			`name = "api_key"`
			`type = "text"`
			`prompt = "API Key (encrypted with Age)"`
			`required = false`
			`sensitive = true`
			`encryption_backend = "age"`

			`[[fields]]`
			`name = "api_secret"`
			`type = "password"`
			`prompt = "API Secret (encrypted with Age)"`
			`required = false`
			`sensitive = true`
			`encryption_backend = "age"`

			`# ============================================================================`
			`# Enterprise/Production Secrets`
			`# Field-level backend: AWS KMS (direct cloud integration)`
			`# These are critical secrets that require cloud KMS`
			`# ============================================================================`

			`[[fields]]`
			`name = "master_key"`
			`type = "password"`
			`prompt = "Master encryption key (AWS KMS protected)"`
			`required = false`
			`sensitive = true`
			`encryption_backend = "awskms"`

			`[fields.encryption_config]`
			`region = "us-east-1"`
			`key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"`

			`[[fields]]`
			`name = "root_token"`
			`type = "password"`
			`prompt = "Root access token (AWS KMS protected)"`
			`required = false`
			`sensitive = true`
			`encryption_backend = "awskms"`

			`[fields.encryption_config]`
			`region = "us-east-1"`
			`key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"`

			`# ============================================================================`
			`# Certificate and Key Material`
			`# Field-level backend: SecretumVault (post-quantum, enterprise)`
			`# Uses Transit Engine for encryption with PQC support`
			`# ============================================================================`

			`[[fields]]`
			`name = "tls_cert"`
			`type = "editor"`
			`prompt = "TLS Certificate (SecretumVault with PQC)"`
			`required = false`
			`sensitive = true`
			`encryption_backend = "secretumvault"`

			`[[fields]]`
			`name = "tls_key"`
			`type = "editor"`
			`prompt = "TLS Private Key (SecretumVault with PQC)"`
			`required = false`
			`sensitive = true`
			`encryption_backend = "secretumvault"`

			`# ============================================================================`
			`# Configuration Summary`
			`# ============================================================================`
			`# This form demonstrates backend selection per field:`
			`#`
			`# Age Backend: API keys (simple, local)`
			`# SOPS Backend: Database password (team collaboration)`
			`# AWS KMS: Critical production tokens`
			`# SecretumVault: TLS materials (post-quantum ready)`
			`#`
			`# Same form works for all environments with proper CLI flags:`
			`# --encrypt --backend age # Dev`
			`# --encrypt --backend sops # Staging (requires .sops.yaml)`
			`# --encrypt --backend secretumvault # Production`
			`#`
			`# Field-level encryption_backend overrides CLI --backend for that specific field`
			`# This allows mixing backends even within the same form execution.`