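// Wire schema for the arbiter user-agent channel: authentication, vault
// unseal, EVM wallet/grant operations and SDK client management.
//
// No service is declared in this file; the RPC or stream that carries
// UserAgentRequest / UserAgentResponse is not visible here.
//
// Layout note: every definition sits on its own lines. When the file is
// collapsed onto long lines, each `//` comment swallows all definitions that
// follow it on the same physical line.

syntax = "proto3";

package arbiter.user_agent;

import "google/protobuf/empty.proto";
import "evm.proto";

// Key algorithm identifier. AuthChallengeRequest uses it to describe `pubkey`.
//
// KEY_TYPE_UNSPECIFIED is what a receiver sees when the field is not set.
// NOTE(review): confirm the handler rejects UNSPECIFIED (or maps it to one
// documented default) instead of guessing the algorithm from the key length.
enum KeyType {
  KEY_TYPE_UNSPECIFIED = 0;
  KEY_TYPE_ED25519 = 1;
  KEY_TYPE_ECDSA_SECP256K1 = 2;
  KEY_TYPE_RSA = 3;
}

// --- SDK client management ---

// Error codes carried in the `error` arm of the SdkClient*Response messages.
enum SdkClientError {
  SDK_CLIENT_ERROR_UNSPECIFIED = 0;
  SDK_CLIENT_ERROR_ALREADY_EXISTS = 1;
  SDK_CLIENT_ERROR_NOT_FOUND = 2;
  // hard-delete blocked by FK (client has grants or transaction logs)
  SDK_CLIENT_ERROR_HAS_RELATED_DATA = 3;
  SDK_CLIENT_ERROR_INTERNAL = 4;
}

// Asks the server to approve (register) an SDK client by public key.
message SdkClientApproveRequest {
  // 32-byte ed25519 public key.
  // `bytes` carries no length constraint, so the receiver has to check the
  // size itself before using the key.
  // NOTE(review): there is no KeyType here although AuthChallengeRequest has
  // one - confirm SDK clients are ed25519-only.
  bytes pubkey = 1;
}

// Asks the server to revoke an SDK client.
message SdkClientRevokeRequest {
  // presumably SdkClientEntry.id - confirm against the handler.
  int32 client_id = 1;
}

// One registered SDK client.
message SdkClientEntry {
  int32 id = 1;
  bytes pubkey = 2;
  // NOTE(review): unit and epoch are not stated in the schema. If this is
  // Unix seconds, an int32 overflows in January 2038.
  int32 created_at = 3;
}

// Wrapper around the client list; `repeated` fields cannot be oneof members,
// and SdkClientListResponse needs the list inside a oneof.
message SdkClientList {
  repeated SdkClientEntry clients = 1;
}

// Result of SdkClientApproveRequest: the stored entry or an error code.
// Receivers must also handle the case where neither arm is set.
message SdkClientApproveResponse {
  oneof result {
    SdkClientEntry client = 1;
    SdkClientError error = 2;
  }
}

// Result of SdkClientRevokeRequest: `ok` on success or an error code.
// Receivers must also handle the case where neither arm is set.
message SdkClientRevokeResponse {
  oneof result {
    google.protobuf.Empty ok = 1;
    SdkClientError error = 2;
  }
}

// Result of the `sdk_client_list` request: the client list or an error code.
// Receivers must also handle the case where neither arm is set.
message SdkClientListResponse {
  oneof result {
    SdkClientList clients = 1;
    SdkClientError error = 2;
  }
}

// Opens the challenge/response authentication for `pubkey`.
message AuthChallengeRequest {
  // Public key the caller wants to authenticate as; algorithm in `key_type`.
  bytes pubkey = 1;
  // Declared `optional`, so an absent token is distinguishable from "".
  // NOTE(review): looks like a secret used for first-time setup - confirm it
  // is kept out of logs and traces, compared in constant time, and cannot be
  // replayed once bootstrap has completed.
  optional string bootstrap_token = 2;
  KeyType key_type = 3;
}

// Challenge returned for an AuthChallengeRequest.
message AuthChallenge {
  bytes pubkey = 1;
  // NOTE(review): 32-bit value. If this is a random challenge the space is
  // small for a long-lived key; confirm how the server generates it and how
  // outstanding challenges are tracked and expired.
  int32 nonce = 2;
}

// Answer to an AuthChallenge.
message AuthChallengeSolution {
  // The signed byte string is not defined by this schema.
  // NOTE(review): confirm it covers the nonce plus a fixed context label, so
  // a signature made for this handshake is not valid anywhere else.
  bytes signature = 1;
}

// Empty marker message; appears as `auth_ok` in UserAgentResponse.
message AuthOk {}

// First message of the unseal exchange.
// NOTE(review): UnsealStart / UnsealStartResponse look like a public-key
// exchange that protects UnsealEncryptedKey. The algorithm, and whether the
// keys are per-session, are not stated here; the schema does not authenticate
// either key, so confirm the exchange is bound to the authenticated session.
message UnsealStart {
  bytes client_pubkey = 1;
}

// Server half of the unseal key exchange (see the note on UnsealStart).
message UnsealStartResponse {
  bytes server_pubkey = 1;
}

// Encrypted unseal key. The field layout matches an AEAD ciphertext -
// NOTE(review): confirm the cipher and that `nonce` is never reused under
// the same key.
message UnsealEncryptedKey {
  bytes nonce = 1;
  bytes ciphertext = 2;
  // Supplied by the sender. The receiver should compare it with the value it
  // expects for this session rather than pass arbitrary bytes to decryption.
  bytes associated_data = 3;
}

// Outcome of an unseal attempt.
// NOTE(review): attempt limiting after UNSEAL_RESULT_INVALID_KEY is not
// expressed in the schema; confirm where it is enforced.
enum UnsealResult {
  UNSEAL_RESULT_UNSPECIFIED = 0;
  UNSEAL_RESULT_SUCCESS = 1;
  UNSEAL_RESULT_INVALID_KEY = 2;
  UNSEAL_RESULT_UNBOOTSTRAPPED = 3;
}

// Vault state, returned for the `query_vault_state` request.
enum VaultState {
  VAULT_STATE_UNSPECIFIED = 0;
  VAULT_STATE_UNBOOTSTRAPPED = 1;
  VAULT_STATE_SEALED = 2;
  VAULT_STATE_UNSEALED = 3;
  VAULT_STATE_ERROR = 4;
}

// Prompt carried in UserAgentResponse: an SDK client identified by `pubkey`
// is asking to connect.
message SdkClientConnectionRequest {
  bytes pubkey = 1;
}

// Answer to SdkClientConnectionRequest, carried in UserAgentRequest.
message SdkClientConnectionResponse {
  // proto3 default is false, so an empty message reads as "not approved".
  // The message carries no pubkey or request id, so it cannot be matched to
  // one specific SdkClientConnectionRequest by content.
  // NOTE(review): confirm the server keeps at most one prompt outstanding per
  // stream and drops an answer that arrives after SdkClientConnectionCancel;
  // otherwise an approval could be applied to a different client.
  bool approved = 1;
}

// Empty marker message carried in UserAgentResponse as
// `sdk_client_connection_cancel`. It names no pubkey or request id either.
message SdkClientConnectionCancel {}

// Envelope for everything sent in the request direction; exactly one payload
// arm is set, and receivers must handle the case where none is.
//
// The schema puts authentication, unseal and privileged operations in one
// oneof and expresses no ordering between them.
// NOTE(review): confirm the handler rejects every arm other than 1 and 2
// until authentication has succeeded on this stream.
message UserAgentRequest {
  oneof payload {
    AuthChallengeRequest auth_challenge_request = 1;
    AuthChallengeSolution auth_challenge_solution = 2;
    UnsealStart unseal_start = 3;
    UnsealEncryptedKey unseal_encrypted_key = 4;
    google.protobuf.Empty query_vault_state = 5;
    google.protobuf.Empty evm_wallet_create = 6;
    google.protobuf.Empty evm_wallet_list = 7;
    arbiter.evm.EvmGrantCreateRequest evm_grant_create = 8;
    arbiter.evm.EvmGrantDeleteRequest evm_grant_delete = 9;
    arbiter.evm.EvmGrantListRequest evm_grant_list = 10;
    // Answer to a prompt that arrived as
    // UserAgentResponse.sdk_client_connection_request.
    SdkClientConnectionResponse sdk_client_connection_response = 11;
    SdkClientApproveRequest sdk_client_approve = 12;
    SdkClientRevokeRequest sdk_client_revoke = 13;
    google.protobuf.Empty sdk_client_list = 14;
  }
}

// Envelope for everything sent in the response direction; exactly one payload
// arm is set, and receivers must handle the case where none is.
//
// Field numbers only partly mirror UserAgentRequest: the sdk_client_approve /
// revoke / list arms are 13-15 here but 12-14 in the request.
message UserAgentResponse {
  oneof payload {
    AuthChallenge auth_challenge = 1;
    AuthOk auth_ok = 2;
    UnsealStartResponse unseal_start_response = 3;
    UnsealResult unseal_result = 4;
    VaultState vault_state = 5;
    arbiter.evm.WalletCreateResponse evm_wallet_create = 6;
    arbiter.evm.WalletListResponse evm_wallet_list = 7;
    arbiter.evm.EvmGrantCreateResponse evm_grant_create = 8;
    arbiter.evm.EvmGrantDeleteResponse evm_grant_delete = 9;
    arbiter.evm.EvmGrantListResponse evm_grant_list = 10;
    // Prompts that the payload types show are not replies to a request arm.
    SdkClientConnectionRequest sdk_client_connection_request = 11;
    SdkClientConnectionCancel sdk_client_connection_cancel = 12;
    SdkClientApproveResponse sdk_client_approve = 13;
    SdkClientRevokeResponse sdk_client_revoke = 14;
    SdkClientListResponse sdk_client_list = 15;
  }
}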