using System.ComponentModel.DataAnnotations;
namespace StellaOps.Signer.Keyless;
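/// <summary>
/// Configuration options for keyless signing.
/// </summary>
/// <remarks>
/// Bound from the <see cref="SectionName"/> configuration section. Every
/// nested option group is initialised to its defaults so that an absent
/// sub-section still yields a usable object rather than <c>null</c>.
/// </remarks>
public sealed class SignerKeylessOptions
{
    /// <summary>
    /// Configuration section name.
    /// </summary>
    public const string SectionName = "Signer:Keyless";

    /// <summary>
    /// Whether keyless signing is enabled. Defaults to <c>false</c>.
    /// </summary>
    public bool Enabled { get; set; }

    /// <summary>
    /// Fulcio CA configuration.
    /// </summary>
    public FulcioOptions Fulcio { get; set; } = new();

    /// <summary>
    /// OIDC configuration for token acquisition.
    /// </summary>
    public OidcOptions Oidc { get; set; } = new();

    /// <summary>
    /// Algorithm configuration.
    /// </summary>
    public AlgorithmOptions Algorithms { get; set; } = new();

    /// <summary>
    /// Certificate validation configuration.
    /// </summary>
    public CertificateOptions Certificate { get; set; } = new();

    /// <summary>
    /// Identity verification configuration.
    /// </summary>
    public IdentityOptions Identity { get; set; } = new();
}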
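/// <summary>
/// Fulcio CA configuration options.
/// </summary>
/// <remarks>
/// The data-annotation attributes below only take effect when options
/// validation is enabled on the host (e.g. <c>ValidateDataAnnotations()</c>);
/// confirm that wiring exists before relying on them.
/// </remarks>
public sealed class FulcioOptions
{
    /// <summary>
    /// The Fulcio CA URL. Defaults to the public Sigstore instance.
    /// </summary>
    /// <remarks>
    /// <see cref="UrlAttribute"/> only checks the scheme prefix; it does not
    /// reject a plain <c>http://</c> URL, so a deployment that must not send
    /// certificate requests in clear text should enforce <c>https</c> at the
    /// point where the client is constructed.
    /// </remarks>
    [Required]
    [Url]
    public string Url { get; set; } = "https://fulcio.sigstore.dev";

    /// <summary>
    /// Request timeout. Defaults to 30 seconds.
    /// </summary>
    public TimeSpan Timeout { get; set; } = TimeSpan.FromSeconds(30);

    /// <summary>
    /// Number of retry attempts. Defaults to 3; a negative value is rejected
    /// by validation because it has no meaningful interpretation.
    /// </summary>
    [Range(0, int.MaxValue)]
    public int Retries { get; set; } = 3;

    /// <summary>
    /// Base duration for exponential backoff. Defaults to 1 second.
    /// </summary>
    public TimeSpan BackoffBase { get; set; } = TimeSpan.FromSeconds(1);

    /// <summary>
    /// Maximum backoff duration. Defaults to 30 seconds.
    /// </summary>
    /// <remarks>
    /// Presumably the retry loop caps the computed delay at this value;
    /// confirm against the Fulcio client implementation.
    /// </remarks>
    public TimeSpan BackoffMax { get; set; } = TimeSpan.FromSeconds(30);
}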
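/// <summary>
/// OIDC configuration for token acquisition.
/// </summary>
public sealed class OidcOptions
{
    /// <summary>
    /// The OIDC issuer URL.
    /// </summary>
    public string? Issuer { get; set; }

    /// <summary>
    /// The OAuth2 client ID.
    /// </summary>
    public string? ClientId { get; set; }

    /// <summary>
    /// Reference to the client secret (e.g., "env:SIGNER_OIDC_CLIENT_SECRET").
    /// </summary>
    /// <remarks>
    /// This holds a reference, not the secret value itself, so the secret does
    /// not end up in bound configuration or logs of the options object.
    /// Resolution of the reference presumably happens elsewhere; confirm that
    /// the resolved value is never written back into this property.
    /// </remarks>
    public string? ClientSecretRef { get; set; }

    /// <summary>
    /// Use ambient OIDC token from CI runner. Defaults to <c>false</c>.
    /// </summary>
    public bool UseAmbientToken { get; set; }

    /// <summary>
    /// Path to ambient OIDC token file.
    /// </summary>
    /// <remarks>
    /// The default below is read only when <see cref="UseAmbientToken"/> is
    /// set, presumably; confirm against the token provider.
    /// </remarks>
    public string? AmbientTokenPath { get; set; } = "/var/run/secrets/tokens/oidc";

    /// <summary>
    /// Token refresh interval before expiry. Defaults to 1 minute.
    /// </summary>
    public TimeSpan RefreshBefore { get; set; } = TimeSpan.FromMinutes(1);
}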
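/// <summary>
/// Algorithm configuration options.
/// </summary>
public sealed class AlgorithmOptions
{
    /// <summary>
    /// Preferred algorithm for new signings.
    /// </summary>
    /// <remarks>
    /// Expected to be one of <see cref="Allowed"/>; this class does not
    /// enforce that itself, so the consumer should check it.
    /// </remarks>
    public string Preferred { get; set; } = KeylessAlgorithms.EcdsaP256;

    /// <summary>
    /// Allowed algorithms for signing.
    /// </summary>
    public List<string> Allowed { get; set; } = [KeylessAlgorithms.EcdsaP256, KeylessAlgorithms.Ed25519];
}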
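/// <summary>
/// Certificate validation configuration options.
/// </summary>
public sealed class CertificateOptions
{
    /// <summary>
    /// Path to Fulcio root CA bundle.
    /// </summary>
    public string? RootBundlePath { get; set; }

    /// <summary>
    /// Additional trusted root certificates (PEM format).
    /// </summary>
    /// <remarks>
    /// Each entry extends the trust anchors used for chain validation; treat
    /// changes to this list as a security-relevant configuration change.
    /// </remarks>
    public List<string> AdditionalRoots { get; set; } = [];

    /// <summary>
    /// Whether to validate the certificate chain. Defaults to <c>true</c>.
    /// </summary>
    /// <remarks>
    /// Setting this to <c>false</c> removes the check that the signing
    /// certificate chains to a configured root; intended for testing only.
    /// </remarks>
    public bool ValidateChain { get; set; } = true;

    /// <summary>
    /// Whether to require Signed Certificate Timestamp (SCT). Defaults to <c>true</c>.
    /// </summary>
    public bool RequireSct { get; set; } = true;
}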
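/// <summary>
/// Identity verification configuration options.
/// </summary>
public sealed class IdentityOptions
{
    /// <summary>
    /// Expected OIDC issuers for verification.
    /// </summary>
    /// <remarks>
    /// An empty list is the default; whether that means "accept any issuer"
    /// or "reject all" is decided by the verifier, not here — confirm before
    /// deploying with this left unset.
    /// </remarks>
    public List<string> ExpectedIssuers { get; set; } = [];

    /// <summary>
    /// Expected subject patterns (regex) for SAN verification.
    /// </summary>
    /// <remarks>
    /// Patterns come from configuration; the verifier that compiles them
    /// should anchor them (<c>^…$</c>) or use full-match semantics so that a
    /// substring match does not widen the accepted identities, and should
    /// apply a match timeout. Not enforced by this class.
    /// </remarks>
    public List<string> ExpectedSubjectPatterns { get; set; } = [];
}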