TheSafe: config ability to encrypt values using macros and vars

[itadapter]

For example:

section
{
  pwd=$(/myvars/$var::decipher) //using var reference
  pwd_inplace=$(::decipher value="base64obfuscatedcipheredvalue") //password in place
}

We need to add process-wide secret, whihc is NOT "seen" in config context, probably use USER ENV var SKY_MACHINE_SECRET by default.
The algorithm must NOT rely on Azos.App.SecMan.Cryptography because it needs to configure secman, intead it should be a sinple AES256-based algorithm specifically designed for conf vars protection.

We need to add option to phash to cipher config values using a password phrase, e.g.:

$ ./sky phash protect -value "something to cipher" -key "use this AES key"
Value "something....." was protected into:
  hhfihsfTIUTy36753hjjhjhhhbase64Stringfshdufhshfusdf78787

[itadapter]

This works, as-is, meaning macro does not need a path to be called:

Console.WriteLine("$(::as-string value=\"123456789\" key=\"dodik\"), the value is $(/dont-exist::as-int dflt=\"-456\") OK?".EvaluateVars());
//123456789, the value is -456 OK?

we can add decrypt macro that will decipher value.
Consideration needs to be given to prevent un-inteded disclosure, for example via a an "eval" cmdlet.

Maybe add a "SecurityFlowScope" assertion to check for "AllowEncodedVariables".
Set this scope ONLY in -password reading code in Crypto algorithms.
In other places the scope is not set, and an attempt to read such variable results in SecurityException - AccessDenied

[itadapter]

[itadapter]

[itadapter]

NEED UNIT TESTS!!!!!!!!

[itadapter]

::decipher should Throw if it cant get a value unless noerror=false is passed
because we had invalid key name and did not even know about it
this does not work : $(::decipher algo='dev.gen') becacuse algo is set to 'dev.gen' with single quotes (macro parser does not understand single quote)

[itadapter]

DEPLOYED everywhere in G8