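using System.Security.Cryptography;

namespace StellaOps.Scanner.Evidence;

/// <summary>
/// Creates deterministic idempotency keys for DSSE attestation payloads.
/// </summary>
/// <remarks>
/// Keys are an unkeyed SHA-256 over the bytes supplied, so anyone holding the
/// envelope can recompute them. Use them for de-duplication only, never as a
/// secret or as proof that an envelope's signatures were verified.
/// </remarks>
public static class AttestationIdempotencyKey
{
    private const string Sha256Prefix = "sha256:";

    // Number of digest characters kept in a tag (48 hex chars = 192 bits of SHA-256).
    private const int MaxDigestCharsInTag = 48;

    // Upper bound on tag length in the OCI distribution tag grammar.
    private const int MaxOciTagLength = 128;

    /// <summary>
    /// Computes a stable SHA-256 idempotency key for a DSSE envelope.
    /// </summary>
    /// <param name="dsseEnvelopeBytes">Serialized envelope bytes; must not be empty.</param>
    /// <returns>The digest formatted as <c>sha256:</c> followed by 64 lowercase hex characters.</returns>
    /// <exception cref="ArgumentException"><paramref name="dsseEnvelopeBytes"/> is empty.</exception>
    /// <remarks>
    /// The hash covers the bytes exactly as given. Two serializations of the same
    /// logical envelope (different whitespace or field order) produce different keys,
    /// so callers that need idempotency must pass the same byte representation each time.
    /// </remarks>
    public static string FromDsseEnvelope(ReadOnlySpan<byte> dsseEnvelopeBytes)
    {
        if (dsseEnvelopeBytes.IsEmpty)
        {
            throw new ArgumentException("DSSE envelope bytes cannot be empty.", nameof(dsseEnvelopeBytes));
        }

        var hash = SHA256.HashData(dsseEnvelopeBytes);
        return $"sha256:{Convert.ToHexStringLower(hash)}";
    }

    /// <summary>
    /// Converts an idempotency key into a stable OCI-safe tag.
    /// </summary>
    /// <param name="idempotencyKey">Key with or without a leading <c>sha256:</c>; surrounding whitespace is ignored.</param>
    /// <param name="prefix">Tag prefix placed before the digest, separated by a hyphen.</param>
    /// <returns><c>{prefix}-{digest}</c>, with the digest lowercased and cut to 48 characters.</returns>
    /// <exception cref="ArgumentException">
    /// An argument is null, empty or whitespace, the key has no digest part, or the
    /// resulting tag would not match the OCI tag grammar
    /// (<c>[a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}</c>).
    /// </exception>
    /// <remarks>
    /// The tag carries a truncated digest and tags are mutable in a registry. Treat it
    /// as a lookup handle and compare the full digest before trusting what it resolves to.
    /// </remarks>
    public static string ToOciTag(string idempotencyKey, string prefix = "verdict")
    {
        ArgumentException.ThrowIfNullOrWhiteSpace(idempotencyKey);
        ArgumentException.ThrowIfNullOrWhiteSpace(prefix);

        // Trim before looking for the algorithm prefix; otherwise leading whitespace
        // hides "sha256:" and the ':' ends up inside the tag.
        var trimmed = idempotencyKey.Trim();
        var digest = trimmed.StartsWith(Sha256Prefix, StringComparison.OrdinalIgnoreCase)
            ? trimmed[Sha256Prefix.Length..]
            : trimmed;
        digest = digest.Trim().ToLowerInvariant();

        if (digest.Length == 0)
        {
            throw new ArgumentException("Idempotency key does not contain a digest.", nameof(idempotencyKey));
        }

        if (digest.Length > MaxDigestCharsInTag)
        {
            digest = digest[..MaxDigestCharsInTag];
        }

        // Reject anything outside the tag grammar instead of emitting a reference that
        // a registry would refuse or a parser could read as a different reference.
        if (!AllOciTagBodyChars(digest))
        {
            throw new ArgumentException("Idempotency key contains characters that are not valid in an OCI tag.", nameof(idempotencyKey));
        }

        var firstIsValid = char.IsAsciiLetterOrDigit(prefix[0]) || prefix[0] == '_';
        if (!firstIsValid || !AllOciTagBodyChars(prefix))
        {
            throw new ArgumentException("Prefix contains characters that are not valid in an OCI tag.", nameof(prefix));
        }

        if (prefix.Length + 1 + digest.Length > MaxOciTagLength)
        {
            throw new ArgumentException("Prefix is too long for an OCI tag.", nameof(prefix));
        }

        return $"{prefix}-{digest}";
    }

    // True when every character is allowed after the first position of an OCI tag.
    private static bool AllOciTagBodyChars(string value)
    {
        foreach (var c in value)
        {
            if (!(char.IsAsciiLetterOrDigit(c) || c is '_' or '.' or '-'))
            {
                return false;
            }
        }

        return true;
    }
}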