// -----------------------------------------------------------------------------
// IDsseSigningAdapter.cs
// Sprint: SPRINT_1227_0001_0001_LB_binary_vex_generator
// Task: T5 - DSSE signing integration
// -----------------------------------------------------------------------------

namespace StellaOps.BinaryIndex.VexBridge;

/// <summary>
/// Adapter interface for DSSE signing operations.
/// Abstracts the Attestor signing service for VexBridge use.
/// </summary>
public interface IDsseSigningAdapter
{
    /// <summary>
    /// Sign a payload and return a DSSE envelope.
    /// </summary>
    /// <param name="payload">The payload bytes to sign.</param>
    /// <param name="payloadType">The DSSE payload type URI.</param>
    /// <param name="ct">Cancellation token.</param>
    /// <returns>DSSE envelope as JSON bytes.</returns>
    Task<byte[]> SignAsync(byte[] payload, string payloadType, CancellationToken ct = default);

    /// <summary>
    /// Verify a DSSE envelope signature.
    /// </summary>
    /// <param name="envelope">The DSSE envelope bytes.</param>
    /// <param name="ct">Cancellation token.</param>
    /// <returns>True if signature is valid.</returns>
    Task<bool> VerifyAsync(byte[] envelope, CancellationToken ct = default);

    /// <summary>
    /// Get the key ID used for signing.
    /// </summary>
    string SigningKeyId { get; }

    /// <summary>
    /// Check if signing is available.
    /// </summary>
    bool IsAvailable { get; }
}

/// <summary>
/// DSSE envelope result with metadata.
/// </summary>
public sealed record DsseEnvelopeResult
{
    /// <summary>The DSSE envelope as JSON string.</summary>
    public required string Envelope { get; init; }

    /// <summary>The signing key ID used.</summary>
    public required string KeyId { get; init; }

    /// <summary>SHA-256 hash of the envelope.</summary>
    public required string EnvelopeHash { get; init; }

    /// <summary>Timestamp when signed.</summary>
    public required DateTimeOffset SignedAt { get; init; }
}