# Create a policy
BrainzLab::Vault.create_policy(
  name: "stripe-access",
  paths: ["stripe/*"],
  permissions: [:read, :write],
  environments: [:development, :staging]
)

# Assign policy to a team member
BrainzLab::Vault.assign_policy("stripe-access", user: "[email protected]")

# Full access to database secrets
BrainzLab::Vault.create_policy(
  name: "database-admin",
  paths: ["database/*"],
  permissions: [:read, :write, :delete]
)

# Read-only access to API keys
BrainzLab::Vault.create_policy(
  name: "api-reader",
  paths: ["api/*"],
  permissions: [:read]
)

# Create team
BrainzLab::Vault.create_team("payments-team",
  members: ["[email protected]", "[email protected]"]
)

# Assign policy to team
BrainzLab::Vault.assign_policy("stripe-access", team: "payments-team")

# Create service account
service = BrainzLab::Vault.create_service_account(
  name: "web-app",
  policies: ["database-read", "cache-read"]
)

# Get the access token
puts service.access_token

# Generate token with limited scope
token = BrainzLab::Vault.generate_token(
  policies: ["stripe-access"],
  ttl: 1.hour,
  max_uses: 100
)

# Use the token
BrainzLab::Vault.with_token(token) do
  api_key = BrainzLab::Vault.get("stripe/api_key")
end

BrainzLab::Vault.create_approval_policy(
  name: "production-write",
  paths: ["*"],
  environments: [:production],
  permissions: [:write, :delete],
  approvers: [:admin],
  min_approvers: 1
)

# Check if current user can access
if BrainzLab::Vault.can_access?("stripe/api_key", permission: :read)
  api_key = BrainzLab::Vault.get("stripe/api_key")
end

# List accessible secrets
accessible = BrainzLab::Vault.list_accessible(permission: :read)

# List users with access to a secret
users = BrainzLab::Vault.who_can_access("stripe/api_key")

# List what a user can access
secrets = BrainzLab::Vault.user_access("[email protected]")