using StellaOps.Replay.Core;

namespace StellaOps.Scanner.ProofSpine;

/// <summary>
/// Represents a complete verifiable decision chain from SBOM to VEX verdict.
/// </summary>
/// <param name="SpineId">Content-addressed ID of this proof spine.</param>
/// <param name="ArtifactId">The artifact (container image, package) this spine evaluates.</param>
/// <param name="VulnerabilityId">The vulnerability ID being evaluated.</param>
/// <param name="PolicyProfileId">The policy profile used for evaluation.</param>
/// <param name="Segments">Ordered list of evidence segments in the proof chain.</param>
/// <param name="Verdict">Final verdict (affected, not_affected, fixed, under_investigation).</param>
/// <param name="VerdictReason">Human-readable explanation of the verdict.</param>
/// <param name="RootHash">Merkle root hash of all segment hashes.</param>
/// <param name="ScanRunId">ID of the scan run that produced this spine.</param>
/// <param name="CreatedAt">When this spine was created.</param>
/// <param name="SupersededBySpineId">If superseded, the ID of the newer spine.</param>
/// <param name="GraphRootAttestationId">Optional: Content-addressed ID of the graph root attestation.</param>
/// <param name="GraphRootEnvelope">Optional: DSSE envelope containing the graph root attestation.</param>
public sealed record ProofSpine(
    string SpineId,
    string ArtifactId,
    string VulnerabilityId,
    string PolicyProfileId,
    IReadOnlyList<ProofSegment> Segments,
    string Verdict,
    string VerdictReason,
    string RootHash,
    string ScanRunId,
    DateTimeOffset CreatedAt,
    string? SupersededBySpineId,
    string? GraphRootAttestationId = null,
    DsseEnvelope? GraphRootEnvelope = null);

/// <summary>
/// A single evidence segment in the proof chain.
/// </summary>
public sealed record ProofSegment(
    string SegmentId,
    ProofSegmentType SegmentType,
    int Index,
    string InputHash,
    string ResultHash,
    string? PrevSegmentHash,
    DsseEnvelope Envelope,
    string ToolId,
    string ToolVersion,
    ProofSegmentStatus Status,
    DateTimeOffset CreatedAt);

public sealed record GuardCondition(
    string Name,
    string Type,
    string Value,
    bool Passed);

/// <summary>
/// Segment types in execution order.
/// </summary>
public enum ProofSegmentType
{
    SbomSlice = 1,
    Match = 2,
    Reachability = 3,
    GuardAnalysis = 4,
    RuntimeObservation = 5,
    PolicyEval = 6
}

/// <summary>
/// Verification status of a segment.
/// </summary>
public enum ProofSegmentStatus
{
    Pending = 0,
    Verified = 1,
    Partial = 2,
    Invalid = 3,
    Untrusted = 4
}