version: '3'

vars:
  # Public variable
  APP_NAME: myapp

  # Secret variable with value
  API_KEY:
    value: "secret-api-key-123"
    secret: true

  # Secret variable from shell command
  PASSWORD:
    sh: "echo 'my-super-secret-password'"
    secret: true

  # Non-secret variable
  PUBLIC_URL: https://example.com

tasks:
  test-secret-masking:
    desc: Test that secret variables are masked in logs
    cmds:
      - echo "Deploying {{.APP_NAME}} to {{.PUBLIC_URL}}"
      - echo "Using API key {{.API_KEY}}"
      - echo "Password is {{.PASSWORD}}"
      - echo "Public app name is {{.APP_NAME}}"

  test-multiple-secrets:
    desc: Test multiple secrets in one command
    cmds:
      - echo "API={{.API_KEY}} PWD={{.PASSWORD}}"

  test-mixed:
    desc: Test mix of secret and public vars
    vars:
      LOCAL_SECRET:
        value: "task-level-secret"
        secret: true
    cmds:
      - echo "App={{.APP_NAME}} Secret={{.LOCAL_SECRET}} URL={{.PUBLIC_URL}}"

  test-deferred-secret:
    desc: Test that deferred commands mask secrets
    vars:
      DEFERRED_SECRET:
        value: "deferred-secret-value"
        secret: true
    cmds:
      - echo "Starting task"
      - defer: echo "Cleanup with secret={{.DEFERRED_SECRET}} and app={{.APP_NAME}}"
      - echo "Main command executed"

  test-env-secret-limitation:
    desc: Test showing that env vars with secret flag are NOT masked (limitation)
    env:
      SECRET_TOKEN:
        value: "env-secret-token-123"
      PUBLIC_ENV: "public-value"
    cmds:
      # Templates {{.VAR}} don't work with env - they're empty
      - echo "Token via template is {{.SECRET_TOKEN}}"
      # Shell $VAR works but is NOT masked (env vars not in template system)
      - echo "Token via shell is $SECRET_TOKEN"
      - echo "Public env is {{.PUBLIC_ENV}}"