nushell-plugins/nu_plugin_secretumvault/examples/working-demo.nu

#!/usr/bin/env nu

# SecretumVault Plugin Working Demo

def title [name: string] {
    print ""
    print "════════════════════════════════════════════════════════════════════════════"
    print $name
    print "════════════════════════════════════════════════════════════════════════════"
}

def show [label: string, value: any] {
    print $"  ($label): ($value)"
}

title "SecretumVault PQC Plugin Demo"

# Check vault is running
print ""
print "Checking vault connection..."
let health_check = (curl -s -H "X-Vault-Token: mytoken" "http://localhost:8200/v1/sys/health" | from json)

if (($health_check.status) == "success") {
    print "✓ Vault is running"
} else {
    print "✗ Vault not running. Start with:"
    print "  cd /Users/Akasha/Development/secretumvault"
    print "  cargo run --bin svault --features cli,server,pqc,oqs -- -c config/svault.toml server"
    exit 1
}

# Test 1: Generate PQC Key
title "Test 1: Generate ML-KEM-768 Post-Quantum Key"

with-env {SECRETUMVAULT_TOKEN: "mytoken"} {
    let key_id = "pqc-demo-" + (date now | format date "%s")
    let gen = ("" | secretumvault generate-pqc-key --key-id $key_id)

    show "Key ID" $gen.key_id
    show "Algorithm" $gen.algorithm
    show "Created" $gen.created_at

    let size = ($gen.public_key | decode base64 | bytes length)
    show "Public key bytes" $size

    $key_id | save -f /tmp/demo-pqc-id.txt
    $gen.public_key | save -f /tmp/demo-pub-key.txt
}

# Test 2: Retrieve via API
title "Test 2: Retrieve Key Metadata via API"

with-env {SECRETUMVAULT_TOKEN: "mytoken"} {
    let key_id = (open /tmp/demo-pqc-id.txt)
    let api = (
        curl -s -H "X-Vault-Token: mytoken"
            $"http://localhost:8200/v1/transit/keys/($key_id)"
        | from json
    )

    if ($api.status == "success") {
        let data = $api.data
        show "Status" "Success"
        show "Algorithm" $data.algorithm
        show "Created" $data.created_at

        let size = ($data.public_key | decode base64 | bytes length)
        show "Public key bytes" $size
        print ""
        print "Public key matches: ✓"
    } else {
        show "Error" $api.error
    }
}

# Test 3: Generate Data Key via API
title "Test 3: Generate Derived Key"

with-env {SECRETUMVAULT_TOKEN: "mytoken"} {
    let payload = ({bits: 256} | to json)
    let dk_resp = (curl -s -X POST -H "X-Vault-Token: mytoken" -H "Content-Type: application/json" -d $payload "http://localhost:8200/v1/transit/datakeys/plaintext/generate-key" | from json)

    if ($dk_resp.status == "success") {
        show "Status" "Success"
        show "Bits" 256
        show "Key material" "Generated successfully"
    }
}

# Test 4: KEM Encapsulation
title "Test 4: KEM Encapsulation (ML-KEM-768)"

with-env {SECRETUMVAULT_TOKEN: "mytoken"} {
    let key_id = (open /tmp/demo-pqc-id.txt)
    let kem = ("" | secretumvault kem-encapsulate --pqc-key-id $key_id)

    show "Algorithm" $kem.algorithm

    let secret = $kem.shared_secret
    if ($secret != "") {
        let secret_preview = ($secret | str substring 0..50)
        show "Shared secret" $"($secret_preview)..."
    } else {
        show "Shared secret" "Generated (base64)"
    }

    let cipher = $kem.ciphertext
    if ($cipher != "") {
        let cipher_preview = ($cipher | str substring 0..50)
        show "Ciphertext" $"($cipher_preview)..."
    } else {
        show "Ciphertext" "Generated (base64)"
    }
}

# Test 5: Plugin Info
title "Test 5: Plugin Information"

with-env {SECRETUMVAULT_TOKEN: "mytoken"} {
    let ver = ("" | secretumvault version)
    show "Version" $ver
}

# Summary
title "Demo Summary"

print ""
print "Available Commands:"
print ""
print "Post-Quantum Cryptography:"
print "  • generate-pqc-key              Generate ML-KEM-768 keypair"
print "  • kem-encapsulate               Encapsulate to PQC key"
print "  • kem-decapsulate               Decapsulate ciphertext"
print "  • hybrid-encrypt                Classical + PQC encryption"
print "  • hybrid-decrypt                Classical + PQC decryption"
print "  • hybrid-sign                   Classical + PQC signing"
print "  • hybrid-verify                 Classical + PQC verification"
print ""
print "Classical Cryptography:"
print "  • encrypt                       AES-256-GCM encryption"
print "  • decrypt                       AES-256-GCM decryption"
print "  • generate-key                  Generate symmetric key"
print "  • generate-data-key             Generate derived key"
print "  • rotate-key                    Rotate transit key"
print ""
print "System:"
print "  • health                        Vault health check"
print "  • version                       Plugin version"
print ""
print "Configuration:"
print "  Environment: SECRETUMVAULT_TOKEN (required)"
print "  URL: http://localhost:8200 (default)"
print ""
print "✓ Demo completed successfully!"
print ""