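#!/usr/bin/env nu
# SecretumVault Plugin Working Demo
#
# Walks through the SecretumVault PQC plugin against a local development vault:
# a health check, ML-KEM-768 key generation, key metadata retrieval over the
# HTTP API, data-key generation, KEM encapsulation and the plugin version.
#
# Security notes for anyone adapting this demo:
#   * The token falls back to the development value "mytoken" only when
#     SECRETUMVAULT_TOKEN is not set. Never reuse that value outside a
#     throwaway local vault.
#   * The token is passed to curl as a command-line argument, so it is visible
#     to other local users in the process list for the lifetime of each call.
#   * The vault URL is plain HTTP; that is only reasonable on loopback.
#   * Secret material (KEM shared secret, data keys) is never printed.

# Print a section banner around `name`.
def title [name: string] {
    print ""
    print "════════════════════════════════════════════════════════════════════════════"
    print $name
    print "════════════════════════════════════════════════════════════════════════════"
}

# Print one "label: value" result line.
def show [label: string, value: any] {
    print $" ($label): ($value)"
}

# Single source of truth for connection settings, instead of repeating the
# token and URL literal in every request.
let token = ($env.SECRETUMVAULT_TOKEN? | default "mytoken")
let vault_url = "http://localhost:8200"
let token_header = $"X-Vault-Token: ($token)"

title "SecretumVault PQC Plugin Demo"

# Check vault is running
print ""
print "Checking vault connection..."

# An unreachable vault produces no JSON at all, so guard both the parse and the
# field access; otherwise the script aborts before the hint below is printed.
let health_check = (try { curl -s -H $token_header $"($vault_url)/v1/sys/health" | from json } catch { null })

if (($health_check.status?) == "success") {
    print "✓ Vault is running"
} else {
    print "✗ Vault not running. Start with:"
    # The original hint pointed at one developer's home directory.
    print " cd <path-to-your-secretumvault-checkout>"
    print " cargo run --bin svault --features cli,server,pqc,oqs -- -c config/svault.toml server"
    exit 1
}

# Test 1: Generate PQC Key
title "Test 1: Generate ML-KEM-768 Post-Quantum Key"

# The key id is kept in memory for the later tests rather than read back from
# a fixed file under /tmp, which any other local user could pre-create or
# replace between steps.
let key_id = "pqc-demo-" + (date now | format date "%s")

# The block returns the generated public key so Test 2 can compare against it.
let generated_public_key = (with-env {SECRETUMVAULT_TOKEN: $token} {
    let gen = ("" | secretumvault generate-pqc-key --key-id $key_id)

    show "Key ID" $gen.key_id
    show "Algorithm" $gen.algorithm
    show "Created" $gen.created_at

    let size = ($gen.public_key | decode base64 | bytes length)
    show "Public key bytes" $size

    # Still written for compatibility with anything that consumes these files.
    # They hold only public data, but the names are predictable and live in a
    # shared directory, so nothing in this script trusts their contents.
    $key_id | save -f /tmp/demo-pqc-id.txt
    $gen.public_key | save -f /tmp/demo-pub-key.txt

    $gen.public_key
})

# Test 2: Retrieve via API
title "Test 2: Retrieve Key Metadata via API"

let key_check_ok = (with-env {SECRETUMVAULT_TOKEN: $token} {
    let api = (curl -s -H $token_header $"($vault_url)/v1/transit/keys/($key_id)" | from json)

    if (($api.status?) == "success") {
        let data = $api.data
        show "Status" "Success"
        show "Algorithm" $data.algorithm
        show "Created" $data.created_at

        let size = ($data.public_key | decode base64 | bytes length)
        show "Public key bytes" $size

        # Actually compare the key returned by the API with the one generated
        # in Test 1; the check mark used to be printed unconditionally.
        let matches = ($data.public_key == $generated_public_key)
        print ""
        if $matches {
            print "Public key matches: ✓"
        } else {
            print "Public key matches: ✗"
        }
        $matches
    } else {
        show "Error" $api.error?
        false
    }
})

# Test 3: Generate Data Key via API
title "Test 3: Generate Derived Key"

let datakey_ok = (with-env {SECRETUMVAULT_TOKEN: $token} {
    let payload = ({bits: 256} | to json)
    let dk_resp = (curl -s -X POST -H $token_header -H "Content-Type: application/json" -d $payload $"($vault_url)/v1/transit/datakeys/plaintext/generate-key" | from json)

    if (($dk_resp.status?) == "success") {
        show "Status" "Success"
        show "Bits" 256
        # The endpoint path says "plaintext", so the response presumably
        # carries raw key material; report success only and never echo it.
        show "Key material" "Generated successfully"
        true
    } else {
        # Previously a failed request was silently ignored.
        show "Error" $dk_resp.error?
        false
    }
})

# Test 4: KEM Encapsulation
title "Test 4: KEM Encapsulation (ML-KEM-768)"

with-env {SECRETUMVAULT_TOKEN: $token} {
    let kem = ("" | secretumvault kem-encapsulate --pqc-key-id $key_id)

    show "Algorithm" $kem.algorithm

    # An ML-KEM shared secret is 32 bytes, i.e. 44 base64 characters, so the
    # former 50-character "preview" printed the whole secret to the terminal
    # (and to any scrollback or CI log). Report its length instead.
    let secret = $kem.shared_secret
    if ($secret != "") {
        show "Shared secret" $"withheld - ($secret | str length) chars of base64"
    } else {
        show "Shared secret" "Generated (base64)"
    }

    # The ciphertext is meant to be sent to the key holder, so a preview is fine.
    let cipher = $kem.ciphertext
    if ($cipher != "") {
        let cipher_preview = ($cipher | str substring 0..50)
        show "Ciphertext" $"($cipher_preview)..."
    } else {
        show "Ciphertext" "Generated (base64)"
    }
}

# Test 5: Plugin Info
title "Test 5: Plugin Information"

with-env {SECRETUMVAULT_TOKEN: $token} {
    let ver = ("" | secretumvault version)
    show "Version" $ver
}

# Summary
title "Demo Summary"

print ""
print "Available Commands:"
print ""
print "Post-Quantum Cryptography:"
print " • generate-pqc-key Generate ML-KEM-768 keypair"
print " • kem-encapsulate Encapsulate to PQC key"
print " • kem-decapsulate Decapsulate ciphertext"
print " • hybrid-encrypt Classical + PQC encryption"
print " • hybrid-decrypt Classical + PQC decryption"
print " • hybrid-sign Classical + PQC signing"
print " • hybrid-verify Classical + PQC verification"
print ""
print "Classical Cryptography:"
print " • encrypt AES-256-GCM encryption"
print " • decrypt AES-256-GCM decryption"
print " • generate-key Generate symmetric key"
print " • generate-data-key Generate derived key"
print " • rotate-key Rotate transit key"
print ""
print "System:"
print " • health Vault health check"
print " • version Plugin version"
print ""
print "Configuration:"
print " Environment: SECRETUMVAULT_TOKEN (required)"
print " URL: http://localhost:8200 (default)"
print ""

# Only claim success when the API checks above really passed.
if ($key_check_ok and $datakey_ok) {
    print "✓ Demo completed successfully!"
    print ""
} else {
    print "✗ Demo finished with failures (see errors above)"
    print ""
    exit 1
}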