# Nickel Schema with SOPS Backend Focus
#
# This demonstrates encryption in Nickel using SOPS (Mozilla SOPS)
# which supports multiple KMS providers via .sops.yaml configuration.
#
# SOPS Benefits:
# - Team collaboration with key management
# - Git-friendly: SOPS encrypts values and leaves key names readable, so a
#   diff shows which fields changed. Diffs show plaintext values only when a
#   local git textconv filter decrypts the file for a user who holds key access.
# - Multi-KMS support (AWS, GCP, Azure)
# - File-based encryption (YAML, JSON, TOML)
#
# Usage:
# 1. Create .sops.yaml configuration:
#    (ACCOUNT and KEY_ID are placeholders for your own KMS key ARN. The
#    `.*` rule applies this key to every path; a real repository would
#    normally restrict path_regex to the files that hold secrets.)
#    cat > .sops.yaml << 'EOF'
#    creation_rules:
#      - path_regex: .*
#        kms: arn:aws:kms:us-east-1:ACCOUNT:key/KEY_ID
#    EOF
#
# 2. Convert to form and encrypt:
#    nickel query sops-example.ncl inputs > sops-form.toml
#    export AWS_REGION=us-east-1
#    typedialog form sops-form.toml --encrypt --backend sops --format json
#
# NOTE(review): `Sensitive Backend="sops"` and `String?` do not look like core
# Nickel contract syntax; presumably they are interpreted by typedialog.
# Confirm that the `nickel query` step above accepts this file as written.

{
  # ===================================================================
  # Application Metadata (plaintext)
  # ===================================================================
  app_name | String = "",
  app_version | String = "",

  # ===================================================================
  # SOPS Encrypted Fields
  # All these fields use SOPS backend (AWS KMS via .sops.yaml)
  # ===================================================================
  # Only the values are meant to be encrypted. Assuming typedialog emits a
  # standard SOPS document, the field names below stay readable in the
  # output and disclose which services the application integrates with.
  #
  # NOTE(review): every secret defaults to "", so an unfilled field still
  # satisfies the schema. Consumers should reject empty values, especially
  # for jwt_secret, session_secret and encryption_key. Verify that this
  # validation exists downstream.

  # Database credentials
  db_password | Sensitive Backend="sops" = "",
  db_connection_string | Sensitive Backend="sops" = "",

  # API credentials (multiple services)
  stripe_api_key | Sensitive Backend="sops" = "",
  slack_bot_token | Sensitive Backend="sops" = "",
  github_token | Sensitive Backend="sops" = "",

  # Infrastructure secrets
  registry_password | Sensitive Backend="sops" = "",
  # The registry URL is marked Sensitive too, so it is encrypted with the rest.
  container_registry_url | Sensitive Backend="sops" = "",

  # Vault and secrets management
  # vault_addr and vault_namespace are plain String fields and are not
  # encrypted; the vault_addr default names an internal host and will appear
  # in cleartext wherever this schema or its output is committed.
  vault_addr | String = "https://vault.internal:8200",
  vault_token | Sensitive Backend="sops" = "",
  vault_namespace | String = "",

  # TLS/SSL
  # The certificate path is plaintext; only the private key is encrypted.
  tls_cert_path | String = "",
  tls_key | Sensitive Backend="sops" = "",

  # SSH and authentication
  ssh_private_key | Sensitive Backend="sops" = "",
  ssh_known_hosts | Sensitive Backend="sops" = "",

  # Cloud provider credentials
  # NOTE(review): the header example encrypts with AWS KMS, so whoever decrypts
  # this file already needs working AWS credentials. Confirm that static
  # access keys are still required here and not replaceable by role-based
  # access.
  aws_access_key | Sensitive Backend="sops" = "",
  aws_secret_key | Sensitive Backend="sops" = "",
  gcp_service_account | Sensitive Backend="sops" = "",

  # Application secrets
  jwt_secret | Sensitive Backend="sops" = "",
  session_secret | Sensitive Backend="sops" = "",
  encryption_key | Sensitive Backend="sops" = "",

  # Optional fields
  # Plain (unencrypted) strings defaulting to null; do not put secrets here.
  feature_flags | String? = null,
  custom_config | String? = null,
}