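# Nickel Schema with Encryption Annotations
#
# This demonstrates how to define encryption in Nickel schemas.
# The `Sensitive` contract annotation specifies the encryption backend and key path.
#
# Usage:
#   1. Convert Nickel schema to TOML form:
#        nickel query nickel-secrets.ncl inputs | typedialog parse-nickel
#
#   2. The resulting TOML form will have encryption_backend and encryption_config
#
#   3. Execute the form:
#        typedialog form output.toml --encrypt --backend age --key-file ~/.age/key.txt
#
# NOTE(review): the `Sensitive Backend="..."` annotation form and `String?` are
# presumably interpreted by `typedialog parse-nickel`; confirm that the stock
# `nickel query` in step 1 accepts them.
#
# NOTE(review): every sensitive field below defaults to "". Confirm that an
# empty value is rejected by the form rather than encrypted and stored as if
# it were a real secret.
{
  # Non-sensitive user information (stored as plain strings, not encrypted)
  username | String = "",
  email | String = "",

  # =====================================================================
  # Age Backend (Local X25519 encryption)
  # =====================================================================
  # NOTE(review): Key points at a local key file. If that file holds the age
  # identity (private key), it should be readable by its owner only and kept
  # out of version control. Whether `~` is expanded is not shown here; confirm.
  password | Sensitive Backend="age" Key="~/.age/key.txt" = "",
  # No Key given here; presumably the key comes from the CLI --key-file flag.
  ssh_private_key | Sensitive Backend="age" = "",

  # =====================================================================
  # SOPS Backend (Multi-KMS support via .sops.yaml)
  # Uses .sops.yaml for KMS configuration (AWS/GCP/Azure)
  # =====================================================================
  # The KMS keys that protect these fields are chosen in .sops.yaml, not in
  # this schema, so that file must be reviewed together with this one.
  database_password | Sensitive Backend="sops" = "",
  vault_token | Sensitive Backend="sops" = "",

  # =====================================================================
  # SecretumVault (Post-quantum cryptography ready)
  # =====================================================================
  # The vault endpoint is addressed over https. No vault credentials appear in
  # this schema; presumably they are supplied at run time.
  api_key | Sensitive Backend="secretumvault" Vault="https://vault:8200" Key="app-key" = "",
  encryption_key | Sensitive Backend="secretumvault" = "",

  # =====================================================================
  # AWS KMS (Direct integration)
  # =====================================================================
  # KeyId is an elided placeholder ("arn:aws:kms:..."); replace it with the
  # full ARN of the intended key before use.
  aws_secret | Sensitive Backend="awskms" Region="us-east-1" KeyId="arn:aws:kms:..."
    = "",

  # Sensitive fields without explicit backend
  # Will use CLI --backend flag or global default (Age), so the backend that
  # actually protects this field depends on how the form is invoked.
  backup_key | Sensitive = "",

  # Nested structure with mixed backends
  server | {
    host | String = "localhost",
    port | Number = 8080,

    # Age backend
    admin_token | Sensitive Backend="age" = "",

    # SOPS backend
    db_password | Sensitive Backend="sops" = "",
  } = {},

  # Optional field, plain string with a null default.
  # NOTE(review): this was labelled "Optional sensitive field (Age)", but the
  # field carries no `Sensitive` annotation, so nothing here requests
  # encryption. An SSH public key is not secret, so that is likely intended;
  # confirm, and add `Sensitive` only if encryption is actually wanted.
  ssh_public_key | String? = null,
}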