{
  name = "user_credentials",
  description = "User credentials with encryption support",
  display_mode = "complete",
  elements = [
    # Non-sensitive fields (will be output as plaintext)
    { type = "text", name = "username", prompt = "Username", required = true, sensitive = false },
    { type = "text", name = "email", prompt = "Email address", required = true, sensitive = false },
    { type = "text", name = "company", prompt = "Company (optional)", required = false, sensitive = false },

    # Sensitive fields - Auto-detected (FieldType::Password = sensitive by default)
    { type = "password", name = "password", prompt = "Password", required = true },
    { type = "password", name = "confirm_password", prompt = "Confirm password", required = true },

    # Sensitive fields - Explicit (sensitive = true)
    { type = "text", name = "api_token", prompt = "API Token", required = false, sensitive = true, encryption_backend = "age" },
    { type = "editor", name = "ssh_key", prompt = "SSH Private Key (multiline)", required = false, sensitive = true },
    { type = "text", name = "database_url", prompt = "Database Connection String", required = false, sensitive = true },
    { type = "text", name = "vault_token", prompt = "Vault Token (encrypted with SOPS)", required = false, sensitive = true, encryption_backend = "sops" },
    { type = "text", name = "kms_key_id", prompt = "AWS KMS Key ID (encrypted with AWS KMS)", required = false, sensitive = true, encryption_backend = "awskms", encryption_config = { key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012", region = "us-east-1" } },

    # Non-sensitive field (explicit override)
    { type = "password", name = "demo_password", prompt = "Demo password (shown in plaintext)", required = false, sensitive = false },
  ],
}