aion-context 1.0.0

Cryptographically-signed, versioned business-context file format
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672

// SPDX-License-Identifier: MIT OR Apache-2.0
//! DSSE envelope support — RFC-0023.
//!
//! DSSE (Dead Simple Signing Envelope) is the universal envelope format
//! used across Sigstore, in-toto, SLSA, Kyverno, and every major
//! supply-chain verifier in 2026. This module emits and verifies DSSE
//! envelopes wrapping aion signatures, giving `aion-context` interop
//! with those ecosystems.
//!
//! Signatures are still produced by [`crate::crypto::SigningKey`] —
//! only the wire format changes. DSSE's native multi-signature support
//! maps onto RFC-0021 multi-party attestations.
//!
//! # Example
//!
//! ```
//! use aion_context::dsse::{sign_envelope, verify_envelope, AION_ATTESTATION_TYPE};
//! use aion_context::crypto::SigningKey;
//! use aion_context::key_registry::KeyRegistry;
//! use aion_context::types::AuthorId;
//!
//! let payload = br#"{"_type":"https://aion-context.dev/attestation/v1"}"#;
//! let signer = AuthorId::new(50001);
//! let master = SigningKey::generate();
//! let key = SigningKey::generate();
//! let mut registry = KeyRegistry::new();
//! registry
//!     .register_author(signer, master.verifying_key(), key.verifying_key(), 0)
//!     .unwrap();
//!
//! let envelope = sign_envelope(payload, AION_ATTESTATION_TYPE, signer, &key);
//! let verified = verify_envelope(&envelope, &registry, 1).unwrap();
//! assert_eq!(verified, vec!["aion:author:50001".to_string()]);
//! ```

use base64::engine::general_purpose::STANDARD_NO_PAD;
use serde::{Deserialize, Deserializer, Serialize, Serializer};

use crate::crypto::{SigningKey, VerifyingKey};
use crate::manifest::ArtifactManifest;
use crate::serializer::VersionEntry;
use crate::types::AuthorId;
use crate::{AionError, Result};

/// DSSE protocol preamble — signed into every PAE.
pub const DSSE_PREAMBLE: &str = "DSSEv1";

/// `payloadType` for aion version attestations (RFC-0021 carried via DSSE).
pub const AION_ATTESTATION_TYPE: &str = "application/vnd.aion.attestation.v1+json";

/// `payloadType` for aion external-artifact manifests (RFC-0022).
pub const AION_MANIFEST_TYPE: &str = "application/vnd.aion.manifest.v1+json";

/// Keyid prefix for aion signatures. Full form: `aion:author:<decimal_id>`.
pub const AION_KEYID_PREFIX: &str = "aion:author:";

/// Build the canonical keyid string for an [`AuthorId`].
#[must_use]
pub fn keyid_for(author: AuthorId) -> String {
    format!("{AION_KEYID_PREFIX}{}", author.as_u64())
}

/// Parse a keyid back to an [`AuthorId`].
///
/// # Errors
///
/// Returns `Err` for keyids that do not start with [`AION_KEYID_PREFIX`]
/// or whose suffix is not a valid `u64`.
pub fn author_from_keyid(keyid: &str) -> Result<AuthorId> {
    let suffix = keyid
        .strip_prefix(AION_KEYID_PREFIX)
        .ok_or_else(|| AionError::InvalidFormat {
            reason: format!("keyid does not start with '{AION_KEYID_PREFIX}': {keyid}"),
        })?;
    let id = suffix
        .parse::<u64>()
        .map_err(|_| AionError::InvalidFormat {
            reason: format!("keyid suffix is not a u64: {suffix}"),
        })?;
    Ok(AuthorId::new(id))
}

/// Pre-Authentication Encoding — the exact bytes signed/verified.
///
/// ```text
/// PAE(type, body) = "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body
/// ```
#[must_use]
pub fn pae(payload_type: &str, payload: &[u8]) -> Vec<u8> {
    let type_len = payload_type.len().to_string();
    let body_len = payload.len().to_string();
    let mut out = Vec::with_capacity(
        DSSE_PREAMBLE
            .len()
            .saturating_add(3)
            .saturating_add(type_len.len())
            .saturating_add(payload_type.len())
            .saturating_add(body_len.len())
            .saturating_add(payload.len()),
    );
    out.extend_from_slice(DSSE_PREAMBLE.as_bytes());
    out.push(b' ');
    out.extend_from_slice(type_len.as_bytes());
    out.push(b' ');
    out.extend_from_slice(payload_type.as_bytes());
    out.push(b' ');
    out.extend_from_slice(body_len.as_bytes());
    out.push(b' ');
    out.extend_from_slice(payload);
    out
}

/// A DSSE envelope. Serialises to the canonical DSSE JSON form on the wire:
/// `payload` and `sig` fields are base64-standard-no-padding when encoded,
/// raw bytes when in memory.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct DsseEnvelope {
    /// Media type URI describing `payload`.
    #[serde(rename = "payloadType")]
    pub payload_type: String,
    /// Raw payload bytes; JSON encodes/decodes as base64.
    #[serde(with = "base64_bytes")]
    pub payload: Vec<u8>,
    /// All signatures bound to the (`payload_type`, payload) tuple.
    pub signatures: Vec<DsseSignature>,
}

/// One signature entry inside a [`DsseEnvelope`].
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct DsseSignature {
    /// Opaque key identifier. aion uses `aion:author:<decimal>`.
    pub keyid: String,
    /// Raw 64-byte Ed25519 signature; JSON encodes/decodes as base64.
    #[serde(with = "base64_bytes")]
    pub sig: Vec<u8>,
}

/// Serde adapter: `Vec<u8>` ⇄ base64-standard-no-padding string.
mod base64_bytes {
    use super::{Deserializer, Serializer, STANDARD_NO_PAD};
    use base64::Engine;
    use serde::{Deserialize, Serialize};

    pub fn serialize<S: Serializer>(bytes: &[u8], serializer: S) -> Result<S::Ok, S::Error> {
        let encoded = STANDARD_NO_PAD.encode(bytes);
        encoded.serialize(serializer)
    }

    pub fn deserialize<'de, D: Deserializer<'de>>(deserializer: D) -> Result<Vec<u8>, D::Error> {
        let raw = String::deserialize(deserializer)?;
        STANDARD_NO_PAD
            .decode(raw.as_bytes())
            .map_err(serde::de::Error::custom)
    }
}

/// Produce a single-signature envelope for `payload` under `payload_type`.
#[must_use]
pub fn sign_envelope(
    payload: &[u8],
    payload_type: &str,
    signer: AuthorId,
    key: &SigningKey,
) -> DsseEnvelope {
    let message = pae(payload_type, payload);
    let signature_bytes = key.sign(&message);
    DsseEnvelope {
        payload_type: payload_type.to_string(),
        payload: payload.to_vec(),
        signatures: vec![DsseSignature {
            keyid: keyid_for(signer),
            sig: signature_bytes.to_vec(),
        }],
    }
}

/// Append an additional signature to an existing envelope.
///
/// Used to build up a multi-signature envelope for RFC-0021
/// multi-party attestations. Infallible — Ed25519 signing over
/// fixed-size inputs cannot fail.
pub fn add_signature(envelope: &mut DsseEnvelope, signer: AuthorId, key: &SigningKey) {
    let message = pae(&envelope.payload_type, &envelope.payload);
    let signature_bytes = key.sign(&message);
    envelope.signatures.push(DsseSignature {
        keyid: keyid_for(signer),
        sig: signature_bytes.to_vec(),
    });
}

/// Verify every envelope signature against the pinned registry — RFC-0023 / RFC-0034.
///
/// Each signature is checked against its signer's active epoch in
/// [`KeyRegistry`](crate::key_registry::KeyRegistry) at
/// `at_version`. Returns the distinct keyids of verified signatures
/// in envelope order.
///
/// For each distinct keyid the signer is resolved via
/// [`author_from_keyid`] and cross-checked against the active
/// epoch in `registry`. A signer whose keyid does not parse as a
/// well-formed aion keyid, or who has no active epoch at
/// `at_version`, causes the whole envelope to fail.
///
/// A given `keyid` contributes to the returned vector **at most
/// once** even if the envelope carries multiple signature entries
/// under the same keyid (RFC-0033 C6).
///
/// # Errors
///
/// Returns `Err` if the envelope has zero signatures, if any keyid
/// parses as a non-aion form, if any signer has no active epoch
/// at `at_version`, or if any signature fails Ed25519 verification
/// under the pinned key.
pub fn verify_envelope(
    envelope: &DsseEnvelope,
    registry: &crate::key_registry::KeyRegistry,
    at_version: u64,
) -> Result<Vec<String>> {
    if envelope.signatures.is_empty() {
        return Err(AionError::InvalidFormat {
            reason: "DSSE envelope has zero signatures".to_string(),
        });
    }
    let message = pae(&envelope.payload_type, &envelope.payload);
    let mut verified = Vec::with_capacity(envelope.signatures.len());
    let mut seen: std::collections::HashSet<&str> = std::collections::HashSet::new();
    for sig_entry in &envelope.signatures {
        if !seen.insert(sig_entry.keyid.as_str()) {
            continue;
        }
        let author = author_from_keyid(&sig_entry.keyid).map_err(|_| AionError::InvalidFormat {
            reason: format!("non-aion keyid cannot be resolved: {}", sig_entry.keyid),
        })?;
        let epoch = registry
            .active_epoch_at(author, at_version)
            .ok_or_else(|| AionError::InvalidFormat {
                reason: format!(
                    "no active epoch at version {at_version} for keyid: {}",
                    sig_entry.keyid
                ),
            })?;
        let verifying_key = VerifyingKey::from_bytes(&epoch.public_key)?;
        let sig_bytes =
            sig_entry
                .sig
                .as_slice()
                .try_into()
                .map_err(|_| AionError::InvalidFormat {
                    reason: format!(
                        "DSSE signature for {} has length {} (expected 64)",
                        sig_entry.keyid,
                        sig_entry.sig.len()
                    ),
                })?;
        verifying_key.verify(&message, sig_bytes)?;
        verified.push(sig_entry.keyid.clone());
    }
    Ok(verified)
}

impl DsseEnvelope {
    /// Serialise to canonical DSSE JSON.
    ///
    /// # Errors
    ///
    /// Propagates `serde_json` errors (should not occur for
    /// well-constructed envelopes).
    pub fn to_json(&self) -> Result<String> {
        serde_json::to_string(self).map_err(|e| AionError::InvalidFormat {
            reason: format!("DSSE JSON serialization failed: {e}"),
        })
    }

    /// Parse a DSSE envelope from JSON.
    ///
    /// # Errors
    ///
    /// Returns `Err` for malformed JSON or invalid base64 in the
    /// `payload` / `sig` fields.
    pub fn from_json(s: &str) -> Result<Self> {
        serde_json::from_str(s).map_err(|e| AionError::InvalidFormat {
            reason: format!("DSSE JSON deserialization failed: {e}"),
        })
    }
}

// ---------------------------------------------------------------------------
// Aion-native payload builders.
// ---------------------------------------------------------------------------

/// Hex-encode a fixed-size hash to lowercase.
fn hex32(bytes: &[u8; 32]) -> String {
    hex::encode(bytes)
}

/// Build the canonical JSON body for an aion version attestation.
///
/// Shape matches the RFC-0023 §"Aion payload types" table.
#[must_use]
pub fn version_attestation_payload(version: &VersionEntry, signer: AuthorId) -> Vec<u8> {
    let json = serde_json::json!({
        "_type": "https://aion-context.dev/attestation/v1",
        "version": {
            "version_number": version.version_number,
            "parent_hash": hex32(&version.parent_hash),
            "rules_hash": hex32(&version.rules_hash),
            "author_id": version.author_id,
            "timestamp": version.timestamp,
            "message_offset": version.message_offset,
            "message_length": version.message_length,
        },
        "signer": signer.as_u64(),
    });
    // Safety: serde_json::to_vec on a Value cannot fail for finite data.
    serde_json::to_vec(&json).unwrap_or_else(|_| std::process::abort())
}

/// Build the canonical JSON body for an aion artifact manifest.
#[must_use]
pub fn manifest_payload(manifest: &ArtifactManifest) -> Vec<u8> {
    let entries: Vec<serde_json::Value> = manifest
        .entries()
        .iter()
        .map(|entry| {
            let name = manifest
                .name_of(entry)
                .unwrap_or("<invalid-utf8>")
                .to_string();
            serde_json::json!({
                "name": name,
                "size": entry.size,
                "hash_algorithm": "BLAKE3-256",
                "hash": hex32(&entry.hash),
            })
        })
        .collect();
    let json = serde_json::json!({
        "_type": "https://aion-context.dev/manifest/v1",
        "manifest_id": hex32(manifest.manifest_id()),
        "entries": entries,
    });
    serde_json::to_vec(&json).unwrap_or_else(|_| std::process::abort())
}

/// Wrap a version attestation into a DSSE envelope signed by `signer`.
#[must_use]
pub fn wrap_version_attestation(
    version: &VersionEntry,
    signer: AuthorId,
    key: &SigningKey,
) -> DsseEnvelope {
    let payload = version_attestation_payload(version, signer);
    sign_envelope(&payload, AION_ATTESTATION_TYPE, signer, key)
}

/// Wrap an artifact manifest into a DSSE envelope signed by `signer`.
#[must_use]
pub fn wrap_manifest(
    manifest: &ArtifactManifest,
    signer: AuthorId,
    key: &SigningKey,
) -> DsseEnvelope {
    let payload = manifest_payload(manifest);
    sign_envelope(&payload, AION_MANIFEST_TYPE, signer, key)
}

#[cfg(test)]
#[allow(clippy::unwrap_used, clippy::indexing_slicing)]
mod tests {
    use super::*;
    use crate::key_registry::KeyRegistry;

    /// Build a registry pinning one signer at epoch 0 with `key` as its
    /// operational pubkey. Master key is throwaway.
    fn reg_pinning(signer: AuthorId, key: &SigningKey) -> KeyRegistry {
        let mut reg = KeyRegistry::new();
        let master = SigningKey::generate();
        reg.register_author(signer, master.verifying_key(), key.verifying_key(), 0)
            .unwrap_or_else(|_| std::process::abort());
        reg
    }

    /// Build a registry pinning every `(signer, key)` pair at epoch 0.
    fn reg_pinning_multi(pairs: &[(AuthorId, SigningKey)]) -> KeyRegistry {
        let mut reg = KeyRegistry::new();
        for (signer, key) in pairs {
            let master = SigningKey::generate();
            reg.register_author(*signer, master.verifying_key(), key.verifying_key(), 0)
                .unwrap_or_else(|_| std::process::abort());
        }
        reg
    }

    /// RFC-0023 Appendix vector: PAE("test", "hello").
    #[test]
    fn pae_matches_spec_vector() {
        let out = pae("test", b"hello");
        assert_eq!(out.as_slice(), b"DSSEv1 4 test 5 hello");
    }

    #[test]
    fn pae_empty_body_is_well_formed() {
        let out = pae("x", b"");
        assert_eq!(out.as_slice(), b"DSSEv1 1 x 0 ");
    }

    #[test]
    fn keyid_round_trip() {
        let a = AuthorId::new(12345);
        let k = keyid_for(a);
        assert_eq!(k, "aion:author:12345");
        let parsed = author_from_keyid(&k).unwrap();
        assert_eq!(parsed, a);
    }

    #[test]
    fn keyid_rejects_wrong_prefix() {
        assert!(author_from_keyid("not-aion:42").is_err());
        assert!(author_from_keyid("aion:author:xyz").is_err());
    }

    #[test]
    fn sign_verify_roundtrip() {
        let key = SigningKey::generate();
        let signer = AuthorId::new(7);
        let envelope = sign_envelope(b"hello world", "text/plain", signer, &key);
        let reg = reg_pinning(signer, &key);
        let verified = verify_envelope(&envelope, &reg, 1).unwrap();
        assert_eq!(verified, vec![keyid_for(signer)]);
    }

    #[test]
    fn tampered_payload_fails_verification() {
        let key = SigningKey::generate();
        let signer = AuthorId::new(7);
        let mut envelope = sign_envelope(b"hello", "text/plain", signer, &key);
        envelope.payload[0] ^= 0x01;
        let reg = reg_pinning(signer, &key);
        assert!(verify_envelope(&envelope, &reg, 1).is_err());
    }

    #[test]
    fn multi_signature_all_verify() {
        let k1 = SigningKey::generate();
        let k2 = SigningKey::generate();
        let s1 = AuthorId::new(1);
        let s2 = AuthorId::new(2);
        let mut env = sign_envelope(b"payload", "text/plain", s1, &k1);
        add_signature(&mut env, s2, &k2);
        let reg = reg_pinning_multi(&[(s1, k1), (s2, k2)]);
        let verified = verify_envelope(&env, &reg, 1).unwrap();
        assert_eq!(verified.len(), 2);
    }

    #[test]
    fn verify_rejects_empty_signatures() {
        let env = DsseEnvelope {
            payload_type: "text/plain".to_string(),
            payload: b"x".to_vec(),
            signatures: Vec::new(),
        };
        let reg = KeyRegistry::new();
        assert!(verify_envelope(&env, &reg, 1).is_err());
    }

    #[test]
    fn json_roundtrip_preserves_envelope() {
        let key = SigningKey::generate();
        let signer = AuthorId::new(3);
        let env = sign_envelope(b"abc", "text/plain", signer, &key);
        let json = env.to_json().unwrap();
        let parsed = DsseEnvelope::from_json(&json).unwrap();
        assert_eq!(parsed, env);
    }

    #[test]
    fn json_payload_field_uses_base64() {
        let key = SigningKey::generate();
        let signer = AuthorId::new(3);
        let env = sign_envelope(b"\xff\x00\x7f", "text/plain", signer, &key);
        let json = env.to_json().unwrap();
        // Expect base64-standard-no-padding of [0xff, 0x00, 0x7f] = "/wB/"
        assert!(json.contains("\"payload\":\"/wB/\""));
    }

    mod properties {
        use super::*;
        use hegel::generators as gs;

        #[hegel::test]
        fn prop_dsse_sign_verify_roundtrip(tc: hegel::TestCase) {
            let payload = tc.draw(gs::binary().max_size(1024));
            let ptype = tc.draw(gs::text().min_size(1).max_size(64));
            let signer = AuthorId::new(tc.draw(gs::integers::<u64>().min_value(1)));
            let key = SigningKey::generate();
            let env = sign_envelope(&payload, &ptype, signer, &key);
            let reg = reg_pinning(signer, &key);
            let verified = verify_envelope(&env, &reg, 1).unwrap_or_else(|_| std::process::abort());
            assert_eq!(verified.len(), 1);
        }

        #[hegel::test]
        fn prop_dsse_tampered_payload_rejects(tc: hegel::TestCase) {
            let payload = tc.draw(gs::binary().min_size(1).max_size(1024));
            let ptype = tc.draw(gs::text().min_size(1).max_size(64));
            let signer = AuthorId::new(tc.draw(gs::integers::<u64>().min_value(1)));
            let key = SigningKey::generate();
            let mut env = sign_envelope(&payload, &ptype, signer, &key);
            let max_idx = env.payload.len().saturating_sub(1);
            let idx = tc.draw(gs::integers::<usize>().max_value(max_idx));
            if let Some(byte) = env.payload.get_mut(idx) {
                *byte ^= 0x01;
            }
            let reg = reg_pinning(signer, &key);
            assert!(verify_envelope(&env, &reg, 1).is_err());
        }

        #[hegel::test]
        fn prop_dsse_tampered_payload_type_rejects(tc: hegel::TestCase) {
            let payload = tc.draw(gs::binary().max_size(1024));
            let ptype = tc.draw(gs::text().min_size(1).max_size(64));
            let signer = AuthorId::new(tc.draw(gs::integers::<u64>().min_value(1)));
            let key = SigningKey::generate();
            let mut env = sign_envelope(&payload, &ptype, signer, &key);
            env.payload_type.push('!');
            let reg = reg_pinning(signer, &key);
            assert!(verify_envelope(&env, &reg, 1).is_err());
        }

        #[hegel::test]
        fn prop_dsse_wrong_key_rejects(tc: hegel::TestCase) {
            let payload = tc.draw(gs::binary().max_size(1024));
            let ptype = tc.draw(gs::text().min_size(1).max_size(64));
            let signer = AuthorId::new(tc.draw(gs::integers::<u64>().min_value(1)));
            let real_key = SigningKey::generate();
            let fake_key = SigningKey::generate();
            let env = sign_envelope(&payload, &ptype, signer, &real_key);
            // Pin the WRONG key for the signer — registry check rejects.
            let reg = reg_pinning(signer, &fake_key);
            assert!(verify_envelope(&env, &reg, 1).is_err());
        }

        #[hegel::test]
        fn prop_dsse_json_roundtrip(tc: hegel::TestCase) {
            let payload = tc.draw(gs::binary().max_size(1024));
            let ptype = tc.draw(gs::text().min_size(1).max_size(64));
            let signer = AuthorId::new(tc.draw(gs::integers::<u64>().min_value(1)));
            let key = SigningKey::generate();
            let env = sign_envelope(&payload, &ptype, signer, &key);
            let json = env.to_json().unwrap_or_else(|_| std::process::abort());
            let parsed = DsseEnvelope::from_json(&json).unwrap_or_else(|_| std::process::abort());
            assert_eq!(parsed, env);
        }

        #[hegel::test]
        fn prop_dsse_multi_signature_all_verify(tc: hegel::TestCase) {
            let n = tc.draw(gs::integers::<u32>().min_value(2).max_value(6));
            let payload = tc.draw(gs::binary().max_size(512));
            let ptype = tc.draw(gs::text().min_size(1).max_size(32));
            // Build N distinct (author, key) pairs.
            let signers: Vec<(AuthorId, SigningKey)> = (0..n)
                .map(|i| (AuthorId::new(1_000 + u64::from(i)), SigningKey::generate()))
                .collect();
            // Start an envelope with signer 0, then add 1..n.
            let first = signers.first().unwrap_or_else(|| std::process::abort());
            let mut env = sign_envelope(&payload, &ptype, first.0, &first.1);
            for (who, key) in signers.iter().skip(1) {
                add_signature(&mut env, *who, key);
            }
            let reg = reg_pinning_multi(&signers);
            let verified = verify_envelope(&env, &reg, 1).unwrap_or_else(|_| std::process::abort());
            assert_eq!(verified.len(), n as usize);
        }

        #[hegel::test]
        fn prop_dsse_verify_dedups_repeated_keyid(tc: hegel::TestCase) {
            // RFC-0033 C6: an envelope with N entries under the same
            // keyid must yield exactly one element in `verified`.
            let payload = tc.draw(gs::binary().max_size(256));
            let ptype = tc.draw(gs::text().min_size(1).max_size(32));
            let signer = AuthorId::new(tc.draw(gs::integers::<u64>().min_value(1)));
            let extra = tc.draw(gs::integers::<usize>().min_value(1).max_value(4));
            let key = SigningKey::generate();
            let mut env = sign_envelope(&payload, &ptype, signer, &key);
            for _ in 0..extra {
                add_signature(&mut env, signer, &key);
            }
            let reg = reg_pinning(signer, &key);
            let verified = verify_envelope(&env, &reg, 1).unwrap_or_else(|_| std::process::abort());
            assert_eq!(verified.len(), 1);
        }

        #[hegel::test]
        fn prop_dsse_pae_injective_on_body(tc: hegel::TestCase) {
            // Two payloads that differ in any byte must produce
            // different PAE output for the same payload_type.
            let ptype = tc.draw(gs::text().min_size(1).max_size(32));
            let mut body_a = tc.draw(gs::binary().min_size(1).max_size(512));
            let idx = tc.draw(gs::integers::<usize>().max_value(body_a.len().saturating_sub(1)));
            let mut body_b = body_a.clone();
            if let Some(b) = body_b.get_mut(idx) {
                *b ^= 0x01;
            }
            // make them definitely differ even if idx was out-of-range
            body_a.push(0);
            body_b.push(1);
            assert_ne!(pae(&ptype, &body_a), pae(&ptype, &body_b));
        }

        #[hegel::test]
        fn prop_dsse_registry_verify_accepts_pinned_signer(tc: hegel::TestCase) {
            use crate::key_registry::KeyRegistry;
            let payload = tc.draw(gs::binary().max_size(512));
            let ptype = tc.draw(gs::text().min_size(1).max_size(32));
            let signer =
                AuthorId::new(tc.draw(gs::integers::<u64>().min_value(1).max_value(1 << 32)));
            let master = SigningKey::generate();
            let op = SigningKey::generate();
            let mut reg = KeyRegistry::new();
            reg.register_author(signer, master.verifying_key(), op.verifying_key(), 0)
                .unwrap_or_else(|_| std::process::abort());
            let env = sign_envelope(&payload, &ptype, signer, &op);
            let at = tc.draw(gs::integers::<u64>().min_value(1).max_value(1 << 20));
            let verified =
                verify_envelope(&env, &reg, at).unwrap_or_else(|_| std::process::abort());
            assert_eq!(verified.len(), 1);
            assert_eq!(verified[0], keyid_for(signer));
        }

        #[hegel::test]
        fn prop_dsse_registry_verify_rejects_unknown_signer(tc: hegel::TestCase) {
            use crate::key_registry::KeyRegistry;
            let payload = tc.draw(gs::binary().max_size(256));
            let ptype = tc.draw(gs::text().min_size(1).max_size(32));
            let signer =
                AuthorId::new(tc.draw(gs::integers::<u64>().min_value(1).max_value(1 << 32)));
            let op = SigningKey::generate();
            // Registry is empty — `signer` is not registered.
            let reg = KeyRegistry::new();
            let env = sign_envelope(&payload, &ptype, signer, &op);
            let at = tc.draw(gs::integers::<u64>().min_value(1).max_value(1 << 20));
            assert!(verify_envelope(&env, &reg, at).is_err());
        }

        #[hegel::test]
        fn prop_dsse_registry_verify_rejects_revoked_signer(tc: hegel::TestCase) {
            use crate::key_registry::{sign_revocation_record, KeyRegistry, RevocationReason};
            let payload = tc.draw(gs::binary().max_size(256));
            let ptype = tc.draw(gs::text().min_size(1).max_size(32));
            let signer =
                AuthorId::new(tc.draw(gs::integers::<u64>().min_value(1).max_value(1 << 32)));
            let master = SigningKey::generate();
            let op = SigningKey::generate();
            let mut reg = KeyRegistry::new();
            reg.register_author(signer, master.verifying_key(), op.verifying_key(), 0)
                .unwrap_or_else(|_| std::process::abort());
            let effective = tc.draw(gs::integers::<u64>().min_value(1).max_value(1 << 20));
            let revocation = sign_revocation_record(
                signer,
                0,
                RevocationReason::Compromised,
                effective,
                &master,
            );
            reg.apply_revocation(&revocation)
                .unwrap_or_else(|_| std::process::abort());
            let env = sign_envelope(&payload, &ptype, signer, &op);
            let v_after = effective.saturating_add(1);
            assert!(verify_envelope(&env, &reg, v_after).is_err());
        }
    }
}