namespace StellaOps.AirGap.Bundle.Services;

public sealed partial class SnapshotBundleReader
{
    private async Task<SnapshotBundleReadResult> ApplySignatureVerificationAsync(
        SnapshotBundleReadRequest request,
        string tempDir,
        ManifestReadResult manifestResult,
        SnapshotBundleReadResult result,
        CancellationToken cancellationToken)
    {
        if (!request.VerifySignature)
        {
            return result;
        }

        var signaturePath = Path.Combine(tempDir, "manifest.sig");
        if (!File.Exists(signaturePath))
        {
            if (request.RequireValidSignature)
            {
                return result with
                {
                    Success = false,
                    Error = "Signature file not found but signature is required"
                };
            }

            return result;
        }

        if (manifestResult.ManifestBytes is null)
        {
            return result with
            {
                Success = false,
                Error = "Manifest payload missing for signature verification"
            };
        }

        var signatureBytes = await File.ReadAllBytesAsync(signaturePath, cancellationToken).ConfigureAwait(false);
        var signatureResult = await VerifySignatureAsync(
                manifestResult.ManifestBytes,
                signatureBytes,
                request.PublicKey,
                cancellationToken)
            .ConfigureAwait(false);

        result = result with
        {
            SignatureVerified = signatureResult.Verified,
            SignatureKeyId = signatureResult.KeyId,
            SignatureError = signatureResult.Error
        };

        if (!signatureResult.Verified && request.RequireValidSignature)
        {
            return result with
            {
                Success = false,
                Error = $"Signature verification failed: {signatureResult.Error}"
            };
        }

        return result;
    }
}