syntax = "proto3";
package quartermaster.v1;

import "google/protobuf/timestamp.proto";
import "quartermaster/v1/capabilities.proto";

service QuartermasterPipelines {
    // Notarize a completed pipeline run result.
    rpc NotarizePipelineResult (NotarizePipelineResultRequest) returns (NotarizePipelineResultResponse);

    // Get the merkle inclusion proof for a notarized pipeline result.
    rpc GetPipelineProof (GetPipelineProofRequest) returns (GetPipelineProofResponse);

    // Query notarized pipeline results (insurer/auditor API path).
    rpc QueryPipelineAttestations (QueryPipelineAttestationsRequest) returns (QueryPipelineAttestationsResponse);

    // Get the current merkle root for a cluster.
    rpc GetMerkleRoot (GetMerkleRootRequest) returns (GetMerkleRootResponse);
}

// ── NotarizePipelineResult ──

message NotarizePipelineResultRequest {
    string cluster_id = 1;
    string run_id = 2;
    bytes result_canonical = 3;       // RFC 8785 canonical JSON
    bytes result_hash = 4;            // hash_leaf(result_canonical)
    string pipeline_name = 5;
    string commit_hash = 6;
    string status = 7;                // "succeeded", "failed", "error"
    string runner_svid = 8;
    int32 step_count = 9;
    int32 steps_passed = 10;
    int32 steps_failed = 11;
}

message NotarizePipelineResultResponse {
    bool accepted = 1;
    string run_id = 2;
    bool anchored = 3;
    string anchor_id = 4;
    int32 leaf_index = 5;
    bytes merkle_root = 6;
    google.protobuf.Timestamp notarized_at = 7;
}

// ── GetPipelineProof ──

message GetPipelineProofRequest {
    bytes result_hash = 1;            // Look up by hash
    string run_id = 2;               // Or look up by run_id
}

message GetPipelineProofResponse {
    bool verified = 1;
    string anchor_id = 2;
    bytes merkle_root = 3;
    repeated ProofStepMsg proof = 4;  // Reused from capabilities.proto
    string run_id = 5;
    string pipeline_name = 6;
    string commit_hash = 7;
    string status = 8;
    string error = 9;
}

// ── QueryPipelineAttestations ──

message QueryPipelineAttestationsRequest {
    string commit_hash = 1;
    string pipeline_name = 2;
    string status = 3;
    int32 limit = 4;                  // Default: 20
}

message QueryPipelineAttestationsResponse {
    repeated PipelineAttestationSummary attestations = 1;
}

message PipelineAttestationSummary {
    string run_id = 1;
    string pipeline_name = 2;
    string commit_hash = 3;
    string status = 4;
    bytes result_hash = 5;
    bool anchored = 6;
    string anchor_id = 7;
    int32 leaf_index = 8;
    google.protobuf.Timestamp notarized_at = 9;
}

// ── GetMerkleRoot ──

message GetMerkleRootRequest {
    string cluster_id = 1;
}

message GetMerkleRootResponse {
    string anchor_id = 1;
    bytes root_hash = 2;
    int32 leaf_count = 3;
    google.protobuf.Timestamp computed_at = 4;
}