namespace StellaOps.AuditPack.Services;

/// <summary>
/// Request for creating an audit bundle.
/// </summary>
public sealed record AuditBundleWriteRequest
{
    /// <summary>
    /// Output path for the bundle (will add .tar.gz if not present).
    /// </summary>
    public required string OutputPath { get; init; }

    /// <summary>
    /// Unique bundle identifier (auto-generated if not provided).
    /// </summary>
    public string? BundleId { get; init; }

    /// <summary>
    /// Human-readable name for the bundle.
    /// </summary>
    public string? Name { get; init; }

    /// <summary>
    /// Scan ID this bundle was created from.
    /// </summary>
    public required string ScanId { get; init; }
    /// <summary>
    /// Image reference that was scanned.
    /// </summary>
    public required string ImageRef { get; init; }
    /// <summary>
    /// Image digest (sha256:...).
    /// </summary>
    public required string ImageDigest { get; init; }

    /// <summary>
    /// Decision from the verdict (pass, warn, block).
    /// </summary>
    public required string Decision { get; init; }

    /// <summary>
    /// SBOM document bytes (CycloneDX or SPDX JSON).
    /// </summary>
    public required byte[] Sbom { get; init; }

    /// <summary>
    /// Advisory feeds snapshot (NDJSON format).
    /// </summary>
    public required byte[] FeedsSnapshot { get; init; }

    /// <summary>
    /// Policy bundle (OPA tar.gz).
    /// </summary>
    public required byte[] PolicyBundle { get; init; }

    /// <summary>
    /// Verdict document bytes.
    /// </summary>
    public required byte[] Verdict { get; init; }

    /// <summary>
    /// VEX statements (OpenVEX JSON, optional).
    /// </summary>
    public byte[]? VexStatements { get; init; }

    /// <summary>
    /// Proof bundle bytes (optional).
    /// </summary>
    public byte[]? ProofBundle { get; init; }

    /// <summary>
    /// Trust roots document (optional).
    /// </summary>
    public byte[]? TrustRoots { get; init; }

    /// <summary>
    /// Scoring rules (optional).
    /// </summary>
    public byte[]? ScoringRules { get; init; }

    /// <summary>
    /// Triage-suppress predicates and source DSSEs (optional).
    /// Sprint: SPRINT_20260219_012 (MWS-03)
    /// </summary>
    public byte[]? TriageSuppressEvidence { get; init; }

    /// <summary>
    /// Execution evidence predicates (DSSE envelope, optional).
    /// Sprint: SPRINT_20260219_013 (SEE-04)
    /// </summary>
    public byte[]? ExecutionEvidence { get; init; }

    /// <summary>
    /// Beacon attestation predicates (DSSE envelope, optional).
    /// Sprint: SPRINT_20260219_014 (BEA-04)
    /// </summary>
    public byte[]? BeaconAttestation { get; init; }

    /// <summary>
    /// Time anchor for replay context (optional).
    /// </summary>
    public TimeAnchorInput? TimeAnchor { get; init; }

    /// <summary>
    /// Whether to sign the manifest.
    /// </summary>
    public bool Sign { get; init; } = true;

    /// <summary>
    /// Path to signing key file (PEM format).
    /// </summary>
    public string? SigningKeyPath { get; init; }

    /// <summary>
    /// Password for encrypted signing key.
    /// </summary>
    public string? SigningKeyPassword { get; init; }
}