ADDED: - encryption_bridge.rs: Service integration layer - encryption_contract_parser.rs: Nickel contract parsing - encryption_integration.rs: Integration tests (+442 lines) - docs/ENCRYPTION-*.md: Quick start, setup, architecture - examples/08-encryption: Usage examples - scripts/encryption-test-setup.sh: Provisioning MODIFIED: - helpers.rs: +570 lines utility functions - nickel/: Enhanced contract parsing & serialization - form_parser.rs: Constraint interpolation improvements - config/mod.rs: New configuration (+24 lines) - typedialog/src/main.rs: CLI updates (+83 lines) - Cargo.toml: encryption_bridge dependency - Cargo.lock, SBOMs: Updated AFFECTED BACKENDS: cli, tui, web (core-level changes)
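# Encryption Demo Form
#
# This form demonstrates the encryption and redaction pipeline in typedialog.
# Fields marked as "sensitive" will be:
# - Redacted to [REDACTED] with --redact flag
# - Encrypted with --encrypt flag (requires Age, SOPS, SecretumVault, or KMS backend)
#
# NOTE(review): nothing in this file protects a field when neither flag is given,
# so treat the output of a flag-less run as plaintext — confirm against the CLI.
#
# Usage:
# # Redaction mode (no encryption service needed)
# typedialog form examples/08-encryption/credentials.toml --redact --format json
#
# # Age encryption (local, requires ~/.age/key.txt)
# typedialog form examples/08-encryption/credentials.toml \
# --encrypt --backend age --key-file ~/.age/key.txt --format json
#
# # SOPS encryption (supports AWS/GCP/Azure KMS via .sops.yaml)
# export AWS_REGION=us-east-1
# typedialog form examples/08-encryption/credentials.toml \
# --encrypt --backend sops --format json
#
# # SecretumVault encryption (post-quantum cryptography ready)
# # "hvs.CAAA..." below is a truncated sample token. Prefer sourcing a real token
# # from a file or secret store instead of typing it on the command line, where it
# # is recorded in shell history.
# export VAULT_ADDR=https://vault.internal:8200
# export VAULT_TOKEN=hvs.CAAA...
# typedialog form examples/08-encryption/credentials.toml \
# --encrypt --backend secretumvault --format json

name = "user_credentials"
description = "User credentials with encryption support"
display_mode = "complete"

# Non-sensitive fields: emitted as plaintext in every mode.

[[fields]]
name = "username"
type = "text"
prompt = "Username"
required = true
sensitive = false

[[fields]]
name = "email"
type = "text"
prompt = "Email address"
required = true
sensitive = false

[[fields]]
name = "company"
type = "text"
prompt = "Company (optional)"
required = false
sensitive = false

# Sensitive fields, auto-detected: type = "password" is sensitive by default
# (FieldType::Password), so `sensitive` is intentionally left unspecified.

[[fields]]
name = "password"
type = "password"
prompt = "Password"
required = true
# sensitive not specified - auto-detected as true from FieldType::Password

[[fields]]
name = "confirm_password"
type = "password"
prompt = "Confirm password"
required = true
# sensitive not specified - auto-detected as true, same as "password"

# Sensitive fields, explicit: non-password field types that still carry secrets,
# so `sensitive = true` must be set by hand.

[[fields]]
name = "api_token"
type = "text"
prompt = "API Token"
required = false
sensitive = true
# Per-field backend: this field is encrypted with Age even when the CLI
# --backend flag selects something else.
encryption_backend = "age"

[[fields]]
name = "ssh_key"
type = "editor"
prompt = "SSH Private Key (multiline)"
required = false
sensitive = true
# No encryption_backend here: the backend comes from the CLI --backend flag
# or the global default.

[[fields]]
name = "database_url"
type = "text"
prompt = "Database Connection String"
required = false
sensitive = true
# No encryption_backend here: the backend comes from the CLI --backend flag
# or the global default.

# Encryption configuration per field (optional).
# If not specified, uses CLI --backend flag or global default.

[[fields]]
name = "vault_token"
type = "text"
prompt = "Vault Token (encrypted with SOPS)"
required = false
sensitive = true
encryption_backend = "sops"
# Note: SOPS reads configuration from .sops.yaml in current directory or parent
# No additional config needed - SOPS uses .sops.yaml for KMS setup

[[fields]]
name = "kms_key_id"
type = "text"
prompt = "AWS KMS Key ID (encrypted with AWS KMS)"
required = false
sensitive = true
encryption_backend = "awskms"

# Sub-table of the kms_key_id element above; it must stay between that
# [[fields]] and the next one. Both values are documentation placeholders
# (123456789012 is the account id AWS uses in its own examples), so replace
# key_id with a real key ARN before using this backend, and keep `region`
# equal to the region embedded in that ARN.
[fields.encryption_config]
region = "us-east-1"
key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"

# Non-sensitive field (explicit override).
# type = "password" would normally be auto-detected as sensitive; `sensitive = false`
# overrides that, so the value is written out in plaintext and neither --redact nor
# --encrypt touches it. Only use this for throwaway test/demo passwords.

[[fields]]
name = "demo_password"
type = "password"
prompt = "Demo password (shown in plaintext)"
required = false
sensitive = false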