syntax = "proto3";

package quartermaster.v1;

import "google/protobuf/timestamp.proto";

// Governance service for intent lifecycle and SAT issuance.
//
// NOTE(review): this file declares no authentication or authorization
// options. How each caller (application, worker, admin) is authenticated is
// not visible here and is presumably enforced by the transport or an
// interceptor — confirm.
service GovernanceService {
  // Create a MutationIntent — called by application at user-request time.
  rpc CreateIntent(CreateIntentRequest) returns (CreateIntentResponse);

  // Redeem a MutationIntent — called by worker at execution time.
  // On success the response carries a SatToken.
  rpc RedeemIntent(RedeemIntentRequest) returns (RedeemIntentResponse);

  // Revoke a MutationIntent — called to cancel pending authorization.
  rpc RevokeIntent(RevokeIntentRequest) returns (RevokeIntentResponse);

  // Query intents for a tenant (admin/audit use).
  rpc ListIntents(ListIntentsRequest) returns (ListIntentsResponse);
}

// Request to create a MutationIntent for one registry_type / verb /
// artifact_scope combination within a tenant.
message CreateIntentRequest {
  // Registry type the intent applies to. Accepted values are not defined in
  // this file.
  string registry_type = 1;

  // Operation being authorized. Accepted values are not defined in this file.
  string verb = 2;

  // Artifacts the intent covers. The scope syntax is not defined in this
  // file.
  string artifact_scope = 3;

  // Tenant the intent is created for.
  // NOTE(review): this value is caller-supplied; presumably it is checked
  // against the authenticated identity rather than trusted as-is — confirm.
  string tenant_id = 4;

  // Identity claim — one of these should be set.
  // NOTE(review): proto3 does not enforce that a oneof is populated; confirm
  // the handler rejects a request with neither member set.
  oneof identity_claim {
    // OIDC token presented as the identity claim.
    // NOTE(review): this looks like a bearer credential carried in the
    // message body; request logging and tracing should redact it — confirm.
    string oidc_token = 5;

    // Claim derived from an external event instead of an OIDC token.
    ExternalEventClaim external_event = 6;
  }

  // Presumably the requested lifetime of the intent, in seconds.
  // NOTE(review): with implicit presence, 0 is indistinguishable from unset;
  // the default and any upper bound applied server-side are not visible
  // here — confirm.
  uint32 ttl_seconds = 7;

  // Presumably the number of times the intent may be redeemed.
  // NOTE(review): 0 is indistinguishable from unset, and no cap is visible
  // here — confirm how the server treats 0 and very large values.
  uint32 max_redemptions = 8;

  // Idempotency key for the create call.
  // NOTE(review): the scope of the key (per tenant, per identity, global)
  // and its retention are not visible here — confirm.
  string idempotency_key = 9;
}

// Identity claim that refers to an event from an external source.
message ExternalEventClaim {
  // Name of the external source. Accepted values are not defined here.
  string source = 1;

  // Identifier of the event at the source.
  string event_id = 2;

  // Type of the event. Accepted values are not defined here.
  string event_type = 3;

  // Verification material or method for the event.
  // NOTE(review): the format and how it is validated are not visible here;
  // the strength of this claim depends entirely on that check — confirm.
  string verification = 4;
}

// Result of CreateIntent. Failure and denial are reported in-band through
// error, denied and denial_reason, so a caller has to inspect those fields
// and cannot infer success from a successful RPC alone.
message CreateIntentResponse {
  // Identifier of the created intent.
  string intent_id = 1;

  // Time at which the intent expires.
  google.protobuf.Timestamp expires_at = 2;

  // Hash of the intent. The algorithm and the hashed fields are not defined
  // in this file.
  bytes intent_hash = 3;

  // Error text. Presumably empty on success — confirm.
  string error = 4;

  // Set when the request was denied.
  bool denied = 5;

  // Reason for the denial.
  // NOTE(review): confirm this text does not reveal policy details the
  // caller should not see.
  string denial_reason = 6;

  // If a governance ceremony is required, this field contains the
  // ceremony ID. The intent status is "ceremony_pending" and cannot
  // be redeemed until the ceremony resolves.
  string ceremony_id = 7;
}

// Request to redeem a MutationIntent.
// NOTE(review): the message carries only intent_id and nothing identifying
// the redeemer, so knowledge of the ID is the only in-message input.
// Presumably the worker is authenticated at the transport layer and bound to
// the intent server-side — confirm.
message RedeemIntentRequest {
  // Identifier of the intent to redeem.
  string intent_id = 1;
}

// Result of RedeemIntent.
message RedeemIntentResponse {
  // Whether the redemption succeeded.
  bool success = 1;

  // Token issued by the redemption. Presumably set only when success is
  // true — confirm.
  SatToken sat = 2;

  // Redemptions left after this call.
  // NOTE(review): int32 here, while CreateIntentRequest.max_redemptions is
  // uint32; the signed type admits negative values.
  int32 remaining_redemptions = 3;

  // Intent status as a free-form string. "ceremony_pending" is the only
  // value named in this file; the full set is not defined here.
  string status = 4;

  // Error text. Presumably empty on success — confirm.
  string error = 5;
}

// SAT issued when an intent is redeemed.
// NOTE(review): the token is carried both as structured fields and as
// sat_bytes. Which representation the signature covers is not visible here;
// verifiers should authorize from the signed representation only — confirm.
message SatToken {
  // Hash of the token. Algorithm and input are not defined in this file.
  bytes sat_hash = 1;

  // SVID of the bearer. Presumably the identity the token is bound to —
  // confirm.
  string bearer_svid = 2;

  // Scopes granted by the token.
  repeated SatScopeMsg scopes = 3;

  // Issue time.
  google.protobuf.Timestamp issued_at = 4;

  // Expiry time.
  google.protobuf.Timestamp expires_at = 5;

  // Signature over the token. Algorithm, key and signed input are not
  // defined in this file.
  bytes signature = 6;

  // Serialized form of the token. The encoding is not defined in this file.
  bytes sat_bytes = 7;
}

// One scope entry of a SatToken.
message SatScopeMsg {
  // Registry type the scope applies to.
  string registry_type = 1;

  // Verbs permitted by the scope.
  repeated string verbs = 2;

  // Pattern selecting the resources in scope.
  // NOTE(review): the pattern syntax (glob, prefix, regex) is not defined
  // here; matching rules decide how broad a scope is — confirm.
  string resource_pattern = 3;
}

// Request to revoke a MutationIntent.
// NOTE(review): as with redemption, only intent_id is carried; who may
// revoke a given intent is not visible here — confirm.
message RevokeIntentRequest {
  // Identifier of the intent to revoke.
  string intent_id = 1;
}

// Result of RevokeIntent.
message RevokeIntentResponse {
  // Whether the revocation succeeded.
  bool success = 1;

  // Error text. Presumably empty on success — confirm.
  string error = 2;
}

// Request to list intents for a tenant.
message ListIntentsRequest {
  // Tenant whose intents are listed.
  // NOTE(review): caller-supplied; presumably the server checks that the
  // caller may read this tenant's intents — confirm.
  string tenant_id = 1;

  // Status to filter by, as a free-form string. Accepted values are not
  // defined in this file.
  string status_filter = 2;

  // Maximum number of intents to return.
  // NOTE(review): int32 admits negative values and 0 is indistinguishable
  // from unset; no page token exists in this message, so the server-side
  // default and cap determine the response size — confirm.
  int32 limit = 3;
}

// Result of ListIntents.
message ListIntentsResponse {
  // Matching intents.
  repeated IntentSummary intents = 1;
}

// Summary of one intent as returned by ListIntents.
message IntentSummary {
  // Identifier of the intent.
  string intent_id = 1;

  // Registry type the intent applies to.
  string registry_type = 2;

  // Operation the intent authorizes.
  string verb = 3;

  // Artifacts the intent covers.
  string artifact_scope = 4;

  // Tenant the intent belongs to.
  string tenant_id = 5;

  // Kind of identity claim. Presumably reflects which identity_claim member
  // was used at creation — confirm.
  string claim_type = 6;

  // Subject of the identity claim. Presumably derived from the verified
  // claim rather than copied from the request — confirm.
  string claim_subject = 7;

  // Intent status as a free-form string. "ceremony_pending" is the only
  // value named in this file.
  string status = 8;

  // Maximum number of redemptions.
  // NOTE(review): int32 here, uint32 in CreateIntentRequest.
  int32 max_redemptions = 9;

  // Number of redemptions so far.
  int32 redeemed_count = 10;

  // Time the intent was authorized.
  google.protobuf.Timestamp authorized_at = 11;

  // Time the intent expires.
  google.protobuf.Timestamp expires_at = 12;
}