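# SOPS Configuration Schema - Type contracts and validation
#
# Nickel record contracts for a SOPS-style configuration. `String`, `Number`
# and `Array T` are Nickel's builtin types; `std.string`, `std.number` and
# `std.array` are function modules, not contracts, so the field annotations
# below use the builtin types (the original annotations would have applied a
# module record as a contract and rejected every plain string/number value).
{
  SopsRule = {
    # Regex pattern to match file paths for encryption.
    # NOTE: in SOPS a creation rule without path_regex matches every file; an
    # omitted pattern therefore makes this rule a catch-all, so order it last.
    path_regex
      | String
      | doc "File path regex pattern (e.g., '\\.prod\\.yaml$')"
      | optional,

    # Age public key (recipient) used for encryption. Only the public key
    # belongs here; the corresponding private key is never part of this file.
    age
      | String
      | doc "Age public key (x25519 format: age1...)"
      | required,

    # Regex to match fields that should be encrypted within matched files.
    # NOTE: when absent, SOPS encrypts every value in the file, not none.
    encrypted_regex
      | String
      | doc "Field name regex for encryption (e.g., '^(password|token)$')"
      | optional,

    # Key version for tracking key rotation.
    key_version
      | Number
      | doc "Version number for key rotation tracking"
      | optional,
  },

  SopsConfig = {
    # Creation rules define which Age key encrypts which files.
    # Rules are evaluated in array order; the first matching rule applies.
    creation_rules
      | Array SopsRule
      | doc "Array of encryption rules, evaluated sequentially"
      | required,

    # Decryption rules (optional, for post-rotation compatibility).
    # Each inner array is one key group of rules for a previous key version.
    key_groups
      | Array (Array SopsRule)
      | doc "Array of key groups for backward compatibility with rotated keys"
      | optional,
  },

  SopsEnvironmentConfig = {
    # Dev environment configuration
    dev
      | SopsConfig
      | doc "Development environment SOPS rules"
      | optional,

    # Staging environment configuration
    staging
      | SopsConfig
      | doc "Staging environment SOPS rules"
      | optional,

    # Production environment configuration
    prod
      | SopsConfig
      | doc "Production environment SOPS rules"
      | optional,
  },
}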