// Licensed to StellaOps under the BUSL-1.1 license.
using System.Collections.Immutable;
using StellaOps.ReachGraph.Schema;
namespace StellaOps.ReachGraph.Signing;
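/// <summary>
/// Service for signing and verifying reachability graphs using DSSE envelopes.
/// </summary>
/// <remarks>
/// NOTE(review): the generic arguments on the <c>Task</c> return types were lost in extraction
/// and have been restored from the documented return values ("the graph with signature attached",
/// "verification result", "serialized DSSE envelope bytes"); confirm against the implementation.
/// </remarks>
public interface IReachGraphSignerService
{
    /// <summary>
    /// Sign a reachability graph using DSSE envelope format.
    /// </summary>
    /// <param name="graph">The graph to sign.</param>
    /// <param name="keyId">The key identifier to use for signing.</param>
    /// <param name="cancellationToken">Cancellation token.</param>
    /// <returns>The graph with signature attached.</returns>
    Task<ReachGraphMinimal> SignAsync(
        ReachGraphMinimal graph,
        string keyId,
        CancellationToken cancellationToken = default);

    /// <summary>
    /// Verify signatures on a reachability graph.
    /// </summary>
    /// <remarks>
    /// This method takes no trust policy: the result reports which key IDs produced valid and
    /// invalid signatures, but a valid signature under an arbitrary key is not a trust decision.
    /// Callers must additionally require that <see cref="ReachGraphVerificationResult.ValidKeyIds"/>
    /// is non-empty and intersects the set of keys they trust.
    /// </remarks>
    /// <param name="graph">The graph to verify.</param>
    /// <param name="cancellationToken">Cancellation token.</param>
    /// <returns>Verification result with valid/invalid key IDs.</returns>
    Task<ReachGraphVerificationResult> VerifyAsync(
        ReachGraphMinimal graph,
        CancellationToken cancellationToken = default);

    /// <summary>
    /// Create a DSSE envelope for a reachability graph.
    /// </summary>
    /// <param name="graph">The graph to envelope.</param>
    /// <param name="keyId">The key identifier to use for signing.</param>
    /// <param name="cancellationToken">Cancellation token.</param>
    /// <returns>Serialized DSSE envelope bytes.</returns>
    Task<byte[]> CreateDsseEnvelopeAsync(
        ReachGraphMinimal graph,
        string keyId,
        CancellationToken cancellationToken = default);
}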
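/// <summary>
/// Result of reachability graph signature verification.
/// </summary>
/// <remarks>
/// <see cref="IsValid"/> only states that no signature failed verification; it is not a trust
/// decision. <see cref="Success"/> accepts an empty key list, so a result can be "valid" with
/// no signatures at all. Consumers should check <see cref="HasValidSignature"/> and intersect
/// <see cref="ValidKeyIds"/> with the keys they actually trust before relying on the graph.
/// </remarks>
public sealed record ReachGraphVerificationResult
{
    /// <summary>
    /// Gets whether all signatures are valid (i.e. <see cref="InvalidKeyIds"/> is empty).
    /// </summary>
    public required bool IsValid { get; init; }

    /// <summary>
    /// Gets the key IDs with valid signatures.
    /// </summary>
    public required ImmutableArray<string> ValidKeyIds { get; init; }

    /// <summary>
    /// Gets the key IDs with invalid signatures.
    /// </summary>
    public required ImmutableArray<string> InvalidKeyIds { get; init; }

    /// <summary>
    /// Gets the error message if verification failed.
    /// </summary>
    public string? Error { get; init; }

    /// <summary>
    /// Gets whether verification succeeded and at least one signature actually verified.
    /// Guards against the vacuous case where <see cref="IsValid"/> is true because nothing was checked.
    /// </summary>
    public bool HasValidSignature => IsValid && !ValidKeyIds.IsDefaultOrEmpty;

    /// <summary>
    /// Creates a successful verification result.
    /// </summary>
    /// <param name="validKeyIds">
    /// Key IDs whose signatures verified. A default (uninitialized) array is normalised to empty,
    /// because <c>default(ImmutableArray&lt;T&gt;)</c> throws on enumeration and would crash consumers.
    /// </param>
    public static ReachGraphVerificationResult Success(ImmutableArray<string> validKeyIds) =>
        new()
        {
            IsValid = true,
            ValidKeyIds = validKeyIds.IsDefault ? ImmutableArray<string>.Empty : validKeyIds,
            InvalidKeyIds = ImmutableArray<string>.Empty
        };

    /// <summary>
    /// Creates a failed verification result.
    /// </summary>
    /// <param name="validKeyIds">Key IDs whose signatures verified; default is normalised to empty.</param>
    /// <param name="invalidKeyIds">Key IDs whose signatures did not verify; default is normalised to empty.</param>
    /// <param name="error">Optional error message describing why verification failed.</param>
    public static ReachGraphVerificationResult Failure(
        ImmutableArray<string> validKeyIds,
        ImmutableArray<string> invalidKeyIds,
        string? error = null) =>
        new()
        {
            IsValid = false,
            ValidKeyIds = validKeyIds.IsDefault ? ImmutableArray<string>.Empty : validKeyIds,
            InvalidKeyIds = invalidKeyIds.IsDefault ? ImmutableArray<string>.Empty : invalidKeyIds,
            Error = error
        };
}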