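syntax = "proto3";

package substrate.attestation.v2;

// ─── Layer 4: Session Claim ─────────────────────────────────────────
//
// Per-session attestation binding actor identity to platform, software,
// and governance state. Posture is verifier-computed, not self-asserted.
//
// NOTE(review): this file was previously collapsed onto one physical line,
// so the first `//` comment swallowed every definition below it. Field
// names, numbers and types are unchanged; only the layout and the comments
// differ.
message SessionClaim {
  // Attestation layer discriminator. MUST be 4; a verifier should reject
  // any other value rather than interpret the message as a session claim.
  uint32 layer = 1;

  // Session identifier, UUIDv7.
  string session_id = 2;

  // Identity of the actor this session is bound to.
  ActorContext actor = 3;

  // Per-dimension evidence flags and the method behind each one.
  PostureEvidence posture_evidence = 4;

  // Posture level for the session. Per the header this is computed by the
  // verifier; a value arriving from the actor side should be recomputed
  // from evidence, not trusted as sent.
  PostureLevel posture_level = 5;

  // Claim time, ISO 8601.
  // NOTE(review): as a free-form string this needs strict parsing (explicit
  // UTC offset, bounded clock skew). google.protobuf.Timestamp would remove
  // the parsing ambiguity, but changing the type of field 6 is wire-breaking
  // and would need a new field number.
  string timestamp = 6;

  // Per-claim nonce.
  // NOTE(review): length, entropy source and replay handling are not
  // defined in this file — confirm the verifier enforces a minimum length
  // and rejects reuse.
  bytes nonce = 7;

  // Digests tying this claim to the platform, software and governance
  // claims named in the header.
  // NOTE(review): presumably hashes of the lower-layer claim messages; the
  // hash algorithm and expected length are not stated here — TODO confirm
  // and have the verifier check the length.
  bytes platform_claim_hash = 8;
  bytes software_claim_hash = 9;
  bytes governance_claim_hash = 10;

  // Digest of this claim.
  // NOTE(review): presumably covers fields 1-10; the algorithm and the exact
  // byte encoding that is hashed are not defined in this file. Protobuf wire
  // serialization is not canonical across implementations or versions, so
  // the hash input needs a separately specified deterministic encoding or
  // independent verifiers can disagree on the same claim.
  bytes claim_hash = 11;
}

// Who is acting in the session and how that identity was established.
message ActorContext {
  // OIDC sub or SPIFFE ID.
  string actor_id = 1;

  // One of "human" | "agent" | "system" | "node".
  // Free-form on the wire: the schema does not constrain the value, so the
  // receiver has to match it against this list and reject anything else.
  string actor_type = 2;

  // One of "oidc" | "oidc+entra" | "spiffe" | "service_account".
  // Free-form on the wire, same validation caveat as actor_type.
  string auth_method = 3;

  // Set only for delegated sessions (explicit presence via `optional`).
  // NOTE(review): presumably the actor_id of the delegating principal —
  // TODO confirm.
  optional string delegated_by = 4;

  // Identifier of the delegation (explicit presence via `optional`).
  // Format is not specified in this file.
  optional string delegation_id = 5;
}

// Evidence flags for each posture dimension, paired with the method used.
//
// The bool fields have proto3 implicit presence: an omitted flag decodes as
// false, so missing evidence reads as "not established".
// The *_method fields are free-form strings; accepted values are not listed
// in this file.
message PostureEvidence {
  bool platform_attested = 1;
  string platform_method = 2;

  bool software_verified = 3;
  string software_method = 4;

  bool governance_bound = 5;
  string governance_method = 6;

  bool identity_verified = 7;
  string identity_method = 8;
}

// Posture level assigned to a session.
//
// POSTURE_LEVEL_UNSPECIFIED (0) is what a reader sees when the field was
// never set. Proto3 also preserves numeric values the reader does not know,
// so consumers should treat both UNSPECIFIED and unrecognized values as no
// established posture.
// NOTE(review): the numeric order looks like increasing assurance, but the
// file does not say so — confirm before comparing levels with < or >.
enum PostureLevel {
  POSTURE_LEVEL_UNSPECIFIED = 0;
  POSTURE_LEVEL_NONE = 1;
  POSTURE_LEVEL_LOCAL = 2;
  POSTURE_LEVEL_VERIFIED = 3;
  POSTURE_LEVEL_GOVERNED = 4;
  POSTURE_LEVEL_ATTESTED = 5;
}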