using StellaOps.Attestor.Envelope;

namespace StellaOps.Scanner.Reachability.Witnesses;

/// <summary>
/// Service for creating and verifying DSSE-signed suppression witness envelopes.
/// Sprint: SPRINT_20260106_001_002 (SUP-014)
/// </summary>
public interface ISuppressionDsseSigner
{
    /// <summary>
    /// Signs a suppression witness and wraps it in a DSSE envelope.
    /// </summary>
    /// <param name="witness">The suppression witness to sign.</param>
    /// <param name="signingKey">The key to sign with.</param>
    /// <param name="cancellationToken">Cancellation token.</param>
    /// <returns>Result containing the signed DSSE envelope.</returns>
    SuppressionDsseResult SignWitness(
        SuppressionWitness witness,
        EnvelopeKey signingKey,
        CancellationToken cancellationToken = default);

    /// <summary>
    /// Verifies a DSSE-signed suppression witness envelope.
    /// </summary>
    /// <param name="envelope">The DSSE envelope to verify.</param>
    /// <param name="publicKey">The public key to verify with.</param>
    /// <param name="cancellationToken">Cancellation token.</param>
    /// <returns>Result containing the verified witness.</returns>
    SuppressionVerifyResult VerifyWitness(
        DsseEnvelope envelope,
        EnvelopeKey publicKey,
        CancellationToken cancellationToken = default);
}