# Configuration Workflow: TypeDialog → Nickel → TOML → Rust\n\nComplete documentation of the configuration pipeline that transforms interactive user input into production Rust service configurations.\n\n## Overview\n\nThe provisioning platform uses a **four-stage configuration workflow** that leverages TypeDialog for interactive configuration,\nNickel for type-safe composition, and TOML for service consumption:\n\n```\n┌─────────────────────────────────────────────────────────────────┐\n│ Stage 1: User Interaction (TypeDialog)                          │\n│  - Can use Nickel configuration as default values               │\n│    if use provisioning/platform/config/ it will be updated      │\n│  - Interactive form (web/tui/cli)                               │\n│  - Real-time constraint validation                              │\n│  - Generates Nickel configuration                               │\n└────────────────┬────────────────────────────────────────────────┘\n                 │\n                 ▼\n┌─────────────────────────────────────────────────────────────────┐\n│ Stage 2: Composition (Nickel)                                   │\n│  - Base defaults imported                                       │\n│  - Mode overlay applied                                         │\n│  - Validators enforce business rules                            │\n│  - Produces Nickel config file                                  │\n└────────────────┬────────────────────────────────────────────────┘\n                 │\n                 ▼\n┌─────────────────────────────────────────────────────────────────┐\n│ Stage 3: Export (Nickel → TOML)                                 │\n│  - Nickel config evaluated                                      │\n│  - Exported to TOML format                                      │\n│  - Saved to provisioning/platform/config/                       │\n└────────────────┬────────────────────────────────────────────────┘\n                 │\n                 ▼\n┌─────────────────────────────────────────────────────────────────┐\n│ Stage 4: Runtime (Rust Services)                                │\n│  - Services load TOML configuration                             │\n│  - Environment variables override specific values               │\n│  - Start services with final configuration                      │\n└─────────────────────────────────────────────────────────────────┘\n```\n\n---\n\n## Stage 1: User Interaction (TypeDialog)\n\n### Purpose\n\nCollect configuration from users through an interactive, constraint-aware interface.\n\n### Workflow\n\n```\n# Launch interactive configuration wizard\nnu scripts/configure.nu orchestrator solo --backend web\n```\n\n### What Happens\n\n1. **Form Loads**\n   - TypeDialog reads `forms/orchestrator-form.toml`\n   - Form displays configuration sections\n   - Constraints from `constraints.toml` enforce min/max values\n   - Environment variables populate initial defaults\n\n2. **User Interaction**\n   - User fills in form fields (workspace name, server port, etc.)\n   - Real-time validation on each field\n   - Constraint interpolation shows valid ranges:\n     - `${constraint.orchestrator.workers.min}` → `1`\n     - `${constraint.orchestrator.workers.max}` → `32`\n\n3. **Configuration Submission**\n   - User submits form\n   - TypeDialog validates all fields against schemas\n   - Generates Nickel configuration output\n\n4. **Output Generation**\n   - Nickel config saved to `values/{service}.{mode}.ncl`\n   - Example: `values/orchestrator.solo.ncl`\n   - File becomes source of truth for user customizations\n\n### Form Structure Example\n\n```\n# forms/orchestrator-form.toml\nname = "orchestrator_configuration"\ndescription = "Configure orchestrator service"\n\n[[items]]\nname = "workspace_group"\ntype = "group"\nincludes = ["fragments/workspace-section.toml"]\n\n[[items]]\nname = "server_group"\ntype = "group"\nincludes = ["fragments/server-section.toml"]\n\n[[items]]\nname = "queue_group"\ntype = "group"\nincludes = ["fragments/orchestrator/queue-section.toml"]\n```\n\n### Fragment with Constraint Interpolation\n\n```\n# forms/fragments/orchestrator/queue-section.toml\n[[elements]]\nname = "max_concurrent_tasks"\ntype = "number"\nprompt = "Maximum Concurrent Tasks"\ndefault = 5\nmin = "${constraint.orchestrator.queue.concurrent_tasks.min}"\nmax = "${constraint.orchestrator.queue.concurrent_tasks.max}"\nrequired = true\nhelp = "Range: ${constraint.orchestrator.queue.concurrent_tasks.min}-${constraint.orchestrator.queue.concurrent_tasks.max}"\nnickel_path = ["orchestrator", "queue", "max_concurrent_tasks"]\n```\n\n### Generated Nickel Output (from TypeDialog)\n\nTypeDialog's `nickel-roundtrip` pattern generates:\n\n```\n# values/orchestrator.solo.ncl\n# Auto-generated by TypeDialog\n{\n  orchestrator = {\n    workspace = {\n      name = "dev-workspace",\n      path = "/home/developer/provisioning/data/orchestrator",\n      enabled = true,\n    },\n    server = {\n      host = "127.0.0.1",\n      port = 9090,\n      workers = 2,\n    },\n    queue = {\n      max_concurrent_tasks = 3,\n      retry_attempts = 2,\n      retry_delay = 1000,\n    },\n  },\n}\n```\n\n---\n\n## Stage 2: Composition (Nickel)\n\n### Purpose\n\nCompose the user input with defaults, validators, and schemas to create a complete, validated configuration.\n\n### Workflow\n\n```\n# The nickel typecheck command validates the composition\nnickel typecheck values/orchestrator.solo.ncl\n```\n\n### Composition Layers\n\nThe final configuration is built by merging layers in priority order:\n\n#### Layer 1: Schema Import\n\n```\n# Ensures type safety and required fields\nlet schemas = import "../schemas/orchestrator.ncl" in\n```\n\n#### Layer 2: Base Defaults\n\n```\n# Default values for all orchestrator configurations\nlet defaults = import "../defaults/orchestrator-defaults.ncl" in\n```\n\n#### Layer 3: Mode Overlay\n\n```\n# Solo-specific overrides and adjustments\nlet solo_defaults = import "../defaults/deployment/solo-defaults.ncl" in\n```\n\n#### Layer 4: Validators Import\n\n```\n# Business rule validation (ranges, uniqueness, dependencies)\nlet validators = import "../validators/orchestrator-validator.ncl" in\n```\n\n#### Layer 5: User Values\n\n```\n# User input from TypeDialog (values/orchestrator.solo.ncl)\n# Loaded and merged with defaults\n```\n\n### Composition Example\n\n```\n# configs/orchestrator.solo.ncl (generated composition)\n\nlet schemas = import "../schemas/orchestrator.ncl" in\nlet defaults = import "../defaults/orchestrator-defaults.ncl" in\nlet solo_defaults = import "../defaults/deployment/solo-defaults.ncl" in\nlet validators = import "../validators/orchestrator-validator.ncl" in\n\n# Composition: Base defaults + mode overlay + user input\n{\n  orchestrator = defaults.orchestrator & {\n    # User input from TypeDialog values/orchestrator.solo.ncl\n    workspace = {\n      name = "dev-workspace",\n      path = "/home/developer/provisioning/data/orchestrator",\n    },\n\n    # Solo mode overrides\n    server = {\n      workers = validators.ValidWorkers 2,\n      max_connections = 128,\n    },\n\n    queue = {\n      max_concurrent_tasks = validators.ValidConcurrentTasks 3,\n    },\n\n    # Fallback to defaults for unspecified fields\n  },\n} | schemas.OrchestratorConfig  # Validate against schema\n```\n\n### Validation During Composition\n\nEach field is validated through multiple validation layers:\n\n```\n# validators/orchestrator-validator.ncl\nlet constraints = import "../constraints/constraints.toml" in\n\n{\n  # Validate workers within allowed range\n  ValidWorkers = fun workers =>\n    if workers < constraints.orchestrator.workers.min then\n      error "Workers below minimum"\n    else if workers > constraints.orchestrator.workers.max then\n      error "Workers above maximum"\n    else\n      workers,\n\n  # Validate concurrent tasks\n  ValidConcurrentTasks = fun tasks =>\n    if tasks < constraints.orchestrator.queue.concurrent_tasks.min then\n      error "Tasks below minimum"\n    else if tasks > constraints.orchestrator.queue.concurrent_tasks.max then\n      error "Tasks above maximum"\n    else\n      tasks,\n}\n```\n\n### Constraints: Single Source of Truth\n\n```\n# constraints/constraints.toml\n[orchestrator.workers]\nmin = 1\nmax = 32\n\n[orchestrator.queue.concurrent_tasks]\nmin = 1\nmax = 100\n\n[common.server.port]\nmin = 1024\nmax = 65535\n```\n\nThese values are referenced in:\n- Form constraints (constraint interpolation)\n- Validators (ValidWorkers, ValidConcurrentTasks)\n- Default values (appropriate for each mode)\n\n---\n\n## Stage 3: Export (Nickel → TOML)\n\n### Purpose\n\nConvert validated Nickel configuration to TOML format for consumption by Rust services.\n\n### Workflow\n\n```\n# Export Nickel to TOML\nnu scripts/generate-configs.nu orchestrator solo\n```\n\n### Command Chain\n\n```\n# What happens internally:\n\n# 1. Typecheck the Nickel config (catch errors early)\nnickel typecheck provisioning/.typedialog/provisioning/platform/configs/orchestrator.solo.ncl\n\n# 2. Export to TOML format\nnickel export --format toml provisioning/.typedialog/provisioning/platform/configs/orchestrator.solo.ncl\n\n# 3. Save to output location\n# → provisioning/platform/config/orchestrator.solo.toml\n```\n\n### Input: Nickel Configuration\n\n```\n# From: configs/orchestrator.solo.ncl\n{\n  orchestrator = {\n    workspace = {\n      name = "dev-workspace",\n      path = "/home/developer/provisioning/data/orchestrator",\n      enabled = true,\n      multi_workspace = false,\n    },\n    server = {\n      host = "127.0.0.1",\n      port = 9090,\n      workers = 2,\n      keep_alive = 75,\n      max_connections = 128,\n    },\n    storage = {\n      backend = "filesystem",\n      path = "/home/developer/provisioning/data/orchestrator",\n    },\n    queue = {\n      max_concurrent_tasks = 3,\n      retry_attempts = 2,\n      retry_delay = 1000,\n      task_timeout = 1800000,\n    },\n    monitoring = {\n      enabled = true,\n      metrics = {\n        enabled = false,\n      },\n      health_check = {\n        enabled = true,\n        interval = 60,\n      },\n    },\n    logging = {\n      level = "debug",\n      format = "text",\n      outputs = [\n        {\n          destination = "stdout",\n          level = "debug",\n        },\n      ],\n    },\n  },\n}\n```\n\n### Output: TOML Configuration\n\n```\n# To: provisioning/platform/config/orchestrator.solo.toml\n[orchestrator.workspace]\nname = "dev-workspace"\npath = "/home/developer/provisioning/data/orchestrator"\nenabled = true\nmulti_workspace = false\n\n[orchestrator.server]\nhost = "127.0.0.1"\nport = 9090\nworkers = 2\nkeep_alive = 75\nmax_connections = 128\n\n[orchestrator.storage]\nbackend = "filesystem"\npath = "/home/developer/provisioning/data/orchestrator"\n\n[orchestrator.queue]\nmax_concurrent_tasks = 3\nretry_attempts = 2\nretry_delay = 1000\ntask_timeout = 1800000\n\n[orchestrator.monitoring]\nenabled = true\n\n[orchestrator.monitoring.metrics]\nenabled = false\n\n[orchestrator.monitoring.health_check]\nenabled = true\ninterval = 60\n\n[orchestrator.logging]\nlevel = "debug"\nformat = "text"\n\n[[orchestrator.logging.outputs]]\ndestination = "stdout"\nlevel = "debug"\n```\n\n### Output Location\n\n```\nprovisioning/platform/config/\n├── orchestrator.solo.toml          # Exported from configs/orchestrator.solo.ncl\n├── orchestrator.multiuser.toml     # Exported from configs/orchestrator.multiuser.ncl\n├── orchestrator.cicd.toml          # Exported from configs/orchestrator.cicd.ncl\n├── orchestrator.enterprise.toml    # Exported from configs/orchestrator.enterprise.ncl\n├── control-center.solo.toml        # Similar structure for each service\n├── control-center.multiuser.toml\n├── mcp-server.solo.toml\n└── mcp-server.enterprise.toml\n```\n\n### Validation During Export\n\nThe `generate-configs.nu` script:\n\n1. **Typechecks** - Ensures Nickel is syntactically valid\n2. **Evaluates** - Computes final values\n3. **Exports** - Converts to TOML format\n4. **Saves** - Writes to `provisioning/platform/config/`\n\n---\n\n## Stage 4: Runtime (Rust Services)\n\n### Purpose\n\nLoad TOML configuration and start Rust services with validated settings.\n\n### Configuration Loading Hierarchy\n\nRust services load configuration in this priority order:\n\n#### 1. Runtime Arguments (Highest Priority)\n\n```\nORCHESTRATOR_CONFIG=/path/to/config.toml cargo run --bin orchestrator\n```\n\n#### 2. Environment Variables\n\n```\n# Environment variable overrides specific TOML values\nexport ORCHESTRATOR_SERVER_PORT=9999\nexport ORCHESTRATOR_LOG_LEVEL=debug\n\nORCHESTRATOR_CONFIG=orchestrator.solo.toml cargo run --bin orchestrator\n```\n\nEnvironment variable format: `ORCHESTRATOR_{SECTION}_{KEY}=value`\n\nExample mappings:\n- `ORCHESTRATOR_SERVER_PORT=9999` → `orchestrator.server.port = 9999`\n- `ORCHESTRATOR_LOG_LEVEL=debug` → `orchestrator.logging.level = "debug"`\n- `ORCHESTRATOR_QUEUE_MAX_CONCURRENT_TASKS=10` → `orchestrator.queue.max_concurrent_tasks = 10`\n\n#### 3. TOML Configuration File\n\n```\n# Load from TOML (medium priority)\nORCHESTRATOR_CONFIG=orchestrator.solo.toml cargo run --bin orchestrator\n```\n\n#### 4. Compiled Defaults (Lowest Priority)\n\n```\n// In Rust code - fallback for unspecified values\nlet config = Config::from_file(config_path)\n    .unwrap_or_else(|_| Config::default());\n```\n\n### Example: Solo Mode Startup\n\n```\n# Step 1: User generates config through TypeDialog\nnu scripts/configure.nu orchestrator solo --backend web\n\n# Step 2: Export to TOML\nnu scripts/generate-configs.nu orchestrator solo\n\n# Step 3: Set environment variables for environment-specific overrides\nexport ORCHESTRATOR_SERVER_PORT=9090\nexport ORCHESTRATOR_LOG_LEVEL=debug\n\n# Step 4: Start the Rust service\nORCHESTRATOR_CONFIG=provisioning/platform/config/orchestrator.solo.toml cargo run --bin orchestrator\n```\n\n### Rust Service Configuration Loading\n\n```\n// In orchestrator/src/config.rs\n\nuse config::{Config, ConfigError, Environment, File};\nuse serde::Deserialize;\n\n#[derive(Debug, Deserialize)]\npub struct OrchestratorConfig {\n    pub orchestrator: OrchestratorService,\n}\n\n#[derive(Debug, Deserialize)]\npub struct OrchestratorService {\n    pub workspace: Workspace,\n    pub server: Server,\n    pub storage: Storage,\n    pub queue: Queue,\n}\n\nimpl OrchestratorConfig {\n    pub fn load(config_path: Option<&str>) -> Result<Self, ConfigError> {\n        let mut builder = Config::builder();\n\n        // 1. Load TOML file if provided\n        if let Some(path) = config_path {\n            builder = builder.add_source(File::from(Path::new(path)));\n        } else {\n            // Fallback to defaults\n            builder = builder.add_source(File::with_name("config/orchestrator.defaults.toml"));\n        }\n\n        // 2. Apply environment variable overrides\n        builder = builder.add_source(\n            Environment::with_prefix("ORCHESTRATOR")\n                .separator("_")\n        );\n\n        let config = builder.build()?;\n        config.try_deserialize()\n    }\n}\n```\n\n### Configuration Validation in Rust\n\n```\nimpl OrchestratorConfig {\n    pub fn validate(&self) -> Result<(), ConfigError> {\n        // Validate server configuration\n        if self.orchestrator.server.port < 1024 || self.orchestrator.server.port > 65535 {\n            return Err(ConfigError::Message(\n                "Server port must be between 1024 and 65535".to_string()\n            ));\n        }\n\n        // Validate queue configuration\n        if self.orchestrator.queue.max_concurrent_tasks == 0 {\n            return Err(ConfigError::Message(\n                "max_concurrent_tasks must be > 0".to_string()\n            ));\n        }\n\n        // Validate storage configuration\n        match self.orchestrator.storage.backend.as_str() {\n            "filesystem" | "surrealdb" | "rocksdb" => {\n                // Valid backend\n            },\n            backend => {\n                return Err(ConfigError::Message(\n                    format!("Unknown storage backend: {}", backend)\n                ));\n            }\n        }\n\n        Ok(())\n    }\n}\n```\n\n### Runtime Startup Sequence\n\n```\n#[tokio::main]\nasync fn main() -> Result<()> {\n    // Load configuration\n    let config = OrchestratorConfig::load(\n        std::env::var("ORCHESTRATOR_CONFIG").ok().as_deref()\n    )?;\n\n    // Validate configuration\n    config.validate()?;\n\n    // Initialize logging\n    init_logging(&config.orchestrator.logging)?;\n\n    // Start HTTP server\n    let server = Server::new(\n        config.orchestrator.server.host.clone(),\n        config.orchestrator.server.port,\n    );\n\n    // Initialize storage backend\n    let storage = Storage::new(&config.orchestrator.storage)?;\n\n    // Start the service\n    server.start(storage).await?;\n\n    Ok(())\n}\n```\n\n---\n\n## Complete Example: Solo Mode End-to-End\n\n### Step 1: Interactive Configuration\n\n```\n$ nu scripts/configure.nu orchestrator solo --backend web\n\n# TypeDialog launches web interface\n# User fills in form:\n# - Workspace name: "dev-workspace"\n# - Server host: "127.0.0.1"\n# - Server port: 9090\n# - Storage backend: "filesystem"\n# - Storage path: "/home/developer/provisioning/data/orchestrator"\n# - Max concurrent tasks: 3\n# - Log level: "debug"\n\n# Saves to: values/orchestrator.solo.ncl\n```\n\n### Step 2: Generated Nickel Configuration\n\n```\n# values/orchestrator.solo.ncl\n{\n  orchestrator = {\n    workspace = {\n      name = "dev-workspace",\n      path = "/home/developer/provisioning/data/orchestrator",\n      enabled = true,\n      multi_workspace = false,\n    },\n    server = {\n      host = "127.0.0.1",\n      port = 9090,\n      workers = 2,\n      keep_alive = 75,\n      max_connections = 128,\n    },\n    storage = {\n      backend = "filesystem",\n      path = "/home/developer/provisioning/data/orchestrator",\n    },\n    queue = {\n      max_concurrent_tasks = 3,\n      retry_attempts = 2,\n      retry_delay = 1000,\n      task_timeout = 1800000,\n    },\n    logging = {\n      level = "debug",\n      format = "text",\n      outputs = [{\n        destination = "stdout",\n        level = "debug",\n      }],\n    },\n  },\n}\n```\n\n### Step 3: Composition and Validation\n\n```\n$ nickel typecheck provisioning/.typedialog/provisioning/platform/configs/orchestrator.solo.ncl\n\n# Validation passes:\n# - Workspace name: valid string ✓\n# - Port 9090: within range 1024-65535 ✓\n# - Max concurrent tasks 3: within range 1-100 ✓\n# - Log level: recognized level ✓\n```\n\n### Step 4: Export to TOML\n\n```\n$ nu scripts/generate-configs.nu orchestrator solo\n\n# Generates: provisioning/platform/config/orchestrator.solo.toml\n```\n\n### Step 5: TOML File Created\n\n```\n# provisioning/platform/config/orchestrator.solo.toml\n[orchestrator.workspace]\nname = "dev-workspace"\npath = "/home/developer/provisioning/data/orchestrator"\nenabled = true\nmulti_workspace = false\n\n[orchestrator.server]\nhost = "127.0.0.1"\nport = 9090\nworkers = 2\nkeep_alive = 75\nmax_connections = 128\n\n[orchestrator.storage]\nbackend = "filesystem"\npath = "/home/developer/provisioning/data/orchestrator"\n\n[orchestrator.queue]\nmax_concurrent_tasks = 3\nretry_attempts = 2\nretry_delay = 1000\ntask_timeout = 1800000\n\n[orchestrator.logging]\nlevel = "debug"\nformat = "text"\n\n[[orchestrator.logging.outputs]]\ndestination = "stdout"\nlevel = "debug"\n```\n\n### Step 6: Runtime Startup\n\n```\n$ export ORCHESTRATOR_LOG_LEVEL=debug\n$ ORCHESTRATOR_CONFIG=provisioning/platform/config/orchestrator.solo.toml cargo run --bin orchestrator\n\n# Service loads orchestrator.solo.toml\n# Environment variable overrides ORCHESTRATOR_LOG_LEVEL to "debug"\n# Service starts and begins accepting requests on 127.0.0.1:9090\n```\n\n---\n\n## Configuration Modification Workflow\n\n### Scenario: User Wants to Change Port\n\n#### Option A: Modify TypeDialog Form and Regenerate\n\n```\n# 1. Re-run interactive configuration\nnu scripts/configure.nu orchestrator solo --backend web\n\n# 2. User changes port to 9999 in form\n# 3. TypeDialog generates new values/orchestrator.solo.ncl\n\n# 4. Export updated config\nnu scripts/generate-configs.nu orchestrator solo\n\n# 5. New TOML created with port: 9999\n# 6. Restart service\nORCHESTRATOR_CONFIG=provisioning/platform/config/orchestrator.solo.toml cargo run --bin orchestrator\n```\n\n#### Option B: Direct TOML Edit\n\n```\n# 1. Edit TOML directly\nvi provisioning/platform/config/orchestrator.solo.toml\n# Change: port = 9999\n\n# 2. Restart service (no Nickel re-export needed)\nORCHESTRATOR_CONFIG=provisioning/platform/config/orchestrator.solo.toml cargo run --bin orchestrator\n```\n\n#### Option C: Environment Variable Override\n\n```\n# 1. No file changes needed\n# 2. Just override environment variable\nexport ORCHESTRATOR_SERVER_PORT=9999\n\n# 3. Restart service\nORCHESTRATOR_CONFIG=provisioning/platform/config/orchestrator.solo.toml cargo run --bin orchestrator\n```\n\n---\n\n## Architecture Relationships\n\n### Component Interactions\n\n```\nTypeDialog Forms              Nickel Schemas\n(forms/*.toml)    ←shares→   (schemas/*.ncl)\n       │                            │\n       │ user input                 │ type definitions\n       │                            │\n       ▼                            ▼\nvalues/*.ncl  ←─ constraint validation ─→  constraints.toml\n       │                                      (single source of truth)\n       │                                            │\n       │                                            │\n       ├──→ imported into composition ────────────┤\n       │     (configs/*.ncl)                       │\n       │                                            │\n       │     base defaults ───→ defaults/*.ncl     │\n       │     mode overlay ─────→ deployment/*.ncl  │\n       │     validators ──────→ validators/*.ncl   │\n       │                                            │\n       └──→ typecheck + export ──────────────→─────┘\n             nickel export --format toml\n             │\n             ▼\n      provisioning/platform/config/\n      *.toml files\n             │\n             │ loaded by Rust services\n             │ at runtime\n             ▼\n      Running Service\n      (orchestrator, control-center, mcp-server)\n```\n\n---\n\n## Best Practices\n\n### 1. Always Validate Before Deploying\n\n```\n# Typecheck Nickel before export\nnickel typecheck provisioning/.typedialog/provisioning/platform/configs/orchestrator.solo.ncl\n\n# Validate TOML before loading in Rust\ncargo run --bin orchestrator -- --validate-config orchestrator.solo.toml\n```\n\n### 2. Use Version Control for TOML Configs\n\n```\n# Commit generated TOML files\ngit add provisioning/platform/config/orchestrator.solo.toml\ngit commit -m "Update orchestrator solo configuration"\n\n# But NOT the values/*.ncl files\necho "values/*.ncl" >> provisioning/.typedialog/provisioning/platform/.gitignore\n```\n\n### 3. Document Configuration Changes\n\n```\n# In TypeDialog form, add comments\n[[items]]\nname = "max_concurrent_tasks"\ntype = "number"\nprompt = "Max concurrent tasks (3 for dev, 50+ for production)"\nhelp = "Increased from 3 to 10 for higher throughput testing"\n```\n\n### 4. Environment Variables for Sensitive Data\n\nNever hardcode secrets in TOML:\n\n```\n# Instead of:\n# [orchestrator.security]\n# jwt_secret = "hardcoded-secret"\n\n# Use environment variable:\nexport ORCHESTRATOR_SECURITY_JWT_SECRET="actual-secret"\n\n# TOML can reference it:\n# [orchestrator.security]\n# jwt_secret = "${JWT_SECRET}"\n```\n\n### 5. Test Configuration Changes in Staging First\n\n```\n# Generate staging config\nnu scripts/configure.nu orchestrator multiuser --backend web\n\n# Export to staging TOML\nnu scripts/generate-configs.nu orchestrator multiuser\n\n# Test in staging environment\nORCHESTRATOR_CONFIG=orchestrator.multiuser.toml cargo run --bin orchestrator\n# Monitor logs and verify behavior\n\n# Then deploy to production\n```\n\n---\n\n## Summary\n\nThe four-stage workflow provides:\n\n1. **User-Friendly Interface**: TypeDialog forms with real-time validation\n2. **Type Safety**: Nickel schemas and validators catch configuration errors early\n3. **Flexibility**: TOML format can be edited manually or generated programmatically\n4. **Runtime Configurability**: Environment variables allow deployment-time overrides\n5. **Single Source of Truth**: Constraints, schemas, and validators all reference shared definitions\n\nThis layered approach ensures that:\n- Invalid configurations are caught before deployment\n- Users can modify configuration safely\n- Different deployment modes have appropriate defaults\n- Configuration changes can be version-controlled\n- Services can be reconfigured without code changes