#TransformSecret is currently used as such:

repoPassword: engine.#TransformSecret & {
	input: inputs.secrets.sops.contents
	// output signature after tranformation
	// output: #Secret | {[string]: output}

	#function: {
		input:  _
		output: yaml.Unmarshal(input)
	}
}

• I think it's pretty cool but IMHO hard to grasp for the average person as it's using super advanced concepts (CUE callback as a definition with back and forth between the runtime).
• Using it is not reserved to advanced users -- anyone interacting with sops or any other structured secrets (json/yaml) will need this
• Even though the callback makes it generic and powerful, only CUE built-ins can be applied.
• I think the only realistic uses cases for this are yaml.Unmarshal() and json.Unmarshal().

If we're limited to json/yaml unmarshaling, I think the following alternative would be simpler:

#UnmarshalSecret: {
	// The original secret
	input: #Secret

	// Secret format
	format: "json" | "yaml"

	// A new secret or (map of secrets) with the transformation applied
	output: #Secret | {[string]: output}
}

The drawback is there's things #TransformSecret can do that #UnmarshalSecret just can't. For instance, you could apply a strings.Replace transformation, etc.

But at what point are those common?

Keep in mind you can always write an action to manipulate a secret however you want (e.g. strings.Replace can be achieved with bash.#Script + sed + engine.#NewSecret).

The reason we need this is to manipulate structured secrets (e.g. "expanding" from one secret to a map of secret, which you cannot do otherwise), so wouldn't UnmarshalSecret fit the bill?

/cc @talentedmrjones @shykes @jlongtine