namespace StellaOps.Cryptography.Kms;

/// <summary>
/// Represents a FIDO2 authenticator capable of producing signatures over digests.
/// </summary>
public interface IFido2Authenticator
{
    /// <summary>
    /// Performs a high-assurance signing operation using the configured FIDO2 credential.
    /// </summary>
    /// <param name="credentialId">Credential identifier as configured in the relying party.</param>
    /// <param name="digest">Digest of the payload (typically SHA-256) to sign.</param>
    /// <param name="cancellationToken">Cancellation token.</param>
    /// <returns>Signature bytes.</returns>
    Task<byte[]> SignAsync(string credentialId, ReadOnlyMemory<byte> digest, CancellationToken cancellationToken = default);
}