syntax = "proto3";

package arbiter;

import "auth.proto";
import "google/protobuf/empty.proto";

message UnsealStart {
  bytes client_pubkey = 1;
}

message UnsealStartResponse {
  bytes server_pubkey = 1;
}
message UnsealEncryptedKey {
  bytes nonce = 1;
  bytes ciphertext = 2;
  bytes associated_data = 3;
}

enum UnsealResult {
  UNSEAL_RESULT_UNSPECIFIED = 0;
  UNSEAL_RESULT_SUCCESS = 1;
  UNSEAL_RESULT_INVALID_KEY = 2;
  UNSEAL_RESULT_UNBOOTSTRAPPED = 3;
}

enum VaultState {
  VAULT_STATE_UNSPECIFIED = 0;
  VAULT_STATE_UNBOOTSTRAPPED = 1;
  VAULT_STATE_SEALED = 2;
  VAULT_STATE_UNSEALED = 3;
  VAULT_STATE_ERROR = 4;
}

message UserAgentRequest {
  oneof payload {
    arbiter.auth.ClientMessage auth_message = 1;
    UnsealStart unseal_start = 2;
    UnsealEncryptedKey unseal_encrypted_key = 3;
    google.protobuf.Empty query_vault_state = 4;
  }
}
message UserAgentResponse {
  oneof payload {
    arbiter.auth.ServerMessage auth_message = 1;
    UnsealStartResponse unseal_start_response = 2;
    UnsealResult unseal_result = 3;
    VaultState vault_state = 4;
  }
}