using StellaOps.Replay.Core;

namespace StellaOps.Scanner.ProofSpine;

/// <summary>
/// Service for DSSE (Dead Simple Signing Envelope) signing operations.
/// </summary>
public interface IDsseSigningService
{
    /// <summary>
    /// Signs a payload and returns a DSSE envelope.
    /// </summary>
    Task<DsseEnvelope> SignAsync(
        object payload,
        string payloadType,
        ICryptoProfile cryptoProfile,
        CancellationToken cancellationToken = default);

    /// <summary>
    /// Verifies a DSSE envelope signature.
    /// </summary>
    Task<DsseVerificationOutcome> VerifyAsync(
        DsseEnvelope envelope,
        CancellationToken cancellationToken = default);
}

/// <summary>
/// Cryptographic profile for signing operations.
/// </summary>
public interface ICryptoProfile
{
    /// <summary>
    /// Key identifier.
    /// </summary>
    string KeyId { get; }

    /// <summary>
    /// Signing algorithm identifier (e.g., "hs256", "ed25519").
    /// </summary>
    string Algorithm { get; }
}

public sealed record DsseVerificationOutcome(
    bool IsValid,
    bool IsTrusted,
    string? FailureReason);