newton-core 0.4.19

newton protocol core sdk
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
//! Encrypted keystore for threshold key material.
//!
//! Provides AES-256-GCM-SIV encryption with scrypt KDF for persisting
//! threshold key shares (FROST KeyPackages and ThresholdDecryptionContexts).
//! Mirrors the EIP-2335 BLS keystore pattern used by Ethereum validators.
//!
//! # Security properties
//!
//! - scrypt (log_n=18, r=8, p=1) for memory-hard password stretching
//! - AES-256-GCM-SIV provides nonce-misuse resistance
//! - Random 32-byte salt and 12-byte nonce per write
//! - `ceremony_id` bound into stored metadata for provenance tracking
//!
//! # File format
//!
//! JSON with fields: `version`, `ceremony_id`, `created_at`, `encryption`.
//! The `encryption` sub-object holds KDF params and hex-encoded `salt`,
//! `nonce`, `ciphertext`.

use std::path::{Path, PathBuf};

use aes_gcm_siv::{
    aead::{Aead, KeyInit},
    Aes256GcmSiv, Key, Nonce,
};
use rand_core::{OsRng, RngCore};
use serde::{Deserialize, Serialize};
use std::{fs::OpenOptions, io::Write};
use zeroize::Zeroizing;

#[cfg(unix)]
use std::os::unix::fs::OpenOptionsExt;

use crate::crypto::error::CryptoError;

/// Version constant for the keystore file format.
const KEYSTORE_VERSION: u32 = 1;

/// scrypt parameters for key derivation.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ScryptParams {
    /// log2 of the work factor N (cost parameter).
    pub log_n: u8,
    /// Block size parameter.
    pub r: u32,
    /// Parallelization parameter.
    pub p: u32,
}

impl Default for ScryptParams {
    fn default() -> Self {
        Self { log_n: 18, r: 8, p: 1 }
    }
}

/// Encryption metadata stored alongside the ciphertext.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct KeystoreEncryption {
    /// KDF algorithm identifier.
    pub kdf: String,
    /// scrypt parameters.
    pub params: ScryptParams,
    /// Hex-encoded 32-byte random salt.
    pub salt: String,
    /// Hex-encoded 12-byte random nonce (AES-GCM-SIV).
    pub nonce: String,
    /// Hex-encoded AES-256-GCM-SIV ciphertext + tag.
    pub ciphertext: String,
}

/// On-disk keystore file structure.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ThresholdKeystore {
    /// Format version — must be 1.
    pub version: u32,
    /// DKG ceremony identifier this share belongs to.
    pub ceremony_id: String,
    /// RFC 3339 timestamp of when the keystore was written.
    pub created_at: String,
    /// Encryption envelope.
    pub encryption: KeystoreEncryption,
}

/// Derive a 32-byte AES key from `password` + `salt` using scrypt.
///
/// Returns a [`Zeroizing`] wrapper that automatically overwrites the key
/// material with zeros when dropped, preventing it from lingering on the stack.
fn derive_key(password: &[u8], salt: &[u8], params: &ScryptParams) -> Result<Zeroizing<[u8; 32]>, CryptoError> {
    let log_n = params.log_n;
    let r = params.r;
    let p = params.p;

    let scrypt_params = scrypt::Params::new(log_n, r, p, 32)
        .map_err(|e| CryptoError::KeystoreEncrypt(format!("invalid scrypt params: {e}")))?;

    let mut key = Zeroizing::new([0u8; 32]);
    scrypt::scrypt(password, salt, &scrypt_params, &mut *key)
        .map_err(|e| CryptoError::KeystoreEncrypt(format!("scrypt KDF failed: {e}")))?;
    Ok(key)
}

/// Encrypt `plaintext` with AES-256-GCM-SIV using the given `key` and `nonce`.
fn aes_encrypt(key: &[u8; 32], nonce_bytes: &[u8; 12], plaintext: &[u8]) -> Result<Vec<u8>, CryptoError> {
    let cipher = Aes256GcmSiv::new(Key::<Aes256GcmSiv>::from_slice(key));
    let nonce = Nonce::from_slice(nonce_bytes);
    cipher
        .encrypt(nonce, plaintext)
        .map_err(|e| CryptoError::KeystoreEncrypt(format!("AES-GCM-SIV encrypt failed: {e}")))
}

/// Decrypt `ciphertext` with AES-256-GCM-SIV using the given `key` and `nonce`.
fn aes_decrypt(key: &[u8; 32], nonce_bytes: &[u8; 12], ciphertext: &[u8]) -> Result<Vec<u8>, CryptoError> {
    let cipher = Aes256GcmSiv::new(Key::<Aes256GcmSiv>::from_slice(key));
    let nonce = Nonce::from_slice(nonce_bytes);
    cipher.decrypt(nonce, ciphertext).map_err(|_| {
        CryptoError::KeystoreDecrypt("AES-GCM-SIV decryption failed (wrong password or corrupted data)".into())
    })
}

/// Write an encrypted keystore to `path`.
///
/// Generates a fresh random salt and nonce on every call. The `plaintext`
/// is typically a serialized [`frost_ristretto255::keys::KeyPackage`] or
/// [`crate::dkg::types::ThresholdDecryptionContext`].
///
/// # Errors
///
/// Returns [`CryptoError::KeystoreEncrypt`] if scrypt or AES-GCM-SIV fail,
/// or if the file cannot be written.
pub fn write_keystore(path: &Path, ceremony_id: &str, plaintext: &[u8], password: &[u8]) -> Result<(), CryptoError> {
    let mut salt = [0u8; 32];
    OsRng.fill_bytes(&mut salt);

    let mut nonce_bytes = [0u8; 12];
    OsRng.fill_bytes(&mut nonce_bytes);

    let params = ScryptParams::default();
    let key = derive_key(password, &salt, &params)?;
    let ciphertext = aes_encrypt(&key, &nonce_bytes, plaintext)?;

    let salt_hex = hex::encode(salt);
    let nonce_hex = hex::encode(nonce_bytes);
    let ciphertext_hex = hex::encode(&ciphertext);
    let created_at = chrono::Utc::now().to_rfc3339();

    let keystore = ThresholdKeystore {
        version: KEYSTORE_VERSION,
        ceremony_id: ceremony_id.to_string(),
        created_at,
        encryption: KeystoreEncryption {
            kdf: "scrypt".to_string(),
            params,
            salt: salt_hex,
            nonce: nonce_hex,
            ciphertext: ciphertext_hex,
        },
    };

    let json = serde_json::to_string_pretty(&keystore)
        .map_err(|e| CryptoError::KeystoreEncrypt(format!("JSON serialization failed: {e}")))?;

    // Crash-safe write: serialize to a temp file (owner-only 0600 on Unix), fsync
    // it, then atomically rename over the target. A refresh-apply persists the new
    // share here *before* recording the replay-guard marker, so this write must be
    // durable — a torn or empty keystore from a create+truncate mid-write would
    // leave the marker guarding a share that was never persisted. Readers see
    // either the old or the new file, never a partial one.
    let tmp_path = match path.file_name().and_then(|n| n.to_str()) {
        Some(name) => path.with_file_name(format!("{name}.tmp")),
        None => {
            return Err(CryptoError::KeystoreEncrypt(format!(
                "invalid keystore path (no file name): {}",
                path.display()
            )))
        }
    };

    {
        let mut opts = OpenOptions::new();
        opts.write(true).create(true).truncate(true);

        // Restrict to owner-only (0600) on Unix — keystore contains encrypted key material
        #[cfg(unix)]
        opts.mode(0o600);

        let mut file = opts.open(&tmp_path).map_err(|e| {
            CryptoError::KeystoreEncrypt(format!(
                "failed to open keystore temp file at {}: {e}",
                tmp_path.display()
            ))
        })?;

        file.write_all(json.as_bytes()).map_err(|e| {
            CryptoError::KeystoreEncrypt(format!(
                "failed to write keystore temp file at {}: {e}",
                tmp_path.display()
            ))
        })?;
        file.sync_all().map_err(|e| {
            CryptoError::KeystoreEncrypt(format!(
                "failed to fsync keystore temp file at {}: {e}",
                tmp_path.display()
            ))
        })?;
    }

    std::fs::rename(&tmp_path, path).map_err(|e| {
        CryptoError::KeystoreEncrypt(format!(
            "failed to atomically replace keystore at {}: {e}",
            path.display()
        ))
    })?;

    Ok(())
}

/// Read and decrypt a keystore from `path`.
///
/// # Errors
///
/// Returns [`CryptoError::KeystoreDecrypt`] if the file is missing, the JSON
/// is malformed, the version is unsupported, the hex encoding is invalid, or
/// the AES-GCM-SIV decryption fails (wrong password or corrupted data).
pub fn read_keystore(path: &Path, password: &[u8]) -> Result<Vec<u8>, CryptoError> {
    let json = std::fs::read_to_string(path)
        .map_err(|e| CryptoError::KeystoreDecrypt(format!("failed to read keystore from {}: {e}", path.display())))?;

    let keystore: ThresholdKeystore =
        serde_json::from_str(&json).map_err(|e| CryptoError::KeystoreDecrypt(format!("invalid keystore JSON: {e}")))?;

    decrypt_keystore(&keystore, password)
}

/// Decrypt a parsed keystore.
pub fn decrypt_keystore(keystore: &ThresholdKeystore, password: &[u8]) -> Result<Vec<u8>, CryptoError> {
    if keystore.version != KEYSTORE_VERSION {
        return Err(CryptoError::KeystoreDecrypt(format!(
            "unsupported keystore version {} (expected {})",
            keystore.version, KEYSTORE_VERSION
        )));
    }

    if keystore.encryption.kdf != "scrypt" {
        return Err(CryptoError::KeystoreDecrypt(format!(
            "unsupported KDF: {} (expected scrypt)",
            keystore.encryption.kdf
        )));
    }

    let salt = hex::decode(&keystore.encryption.salt)
        .map_err(|e| CryptoError::KeystoreDecrypt(format!("invalid salt hex: {e}")))?;
    let salt: [u8; 32] = salt
        .try_into()
        .map_err(|_| CryptoError::KeystoreDecrypt("salt must be 32 bytes".into()))?;

    let nonce_bytes = hex::decode(&keystore.encryption.nonce)
        .map_err(|e| CryptoError::KeystoreDecrypt(format!("invalid nonce hex: {e}")))?;
    let nonce_bytes: [u8; 12] = nonce_bytes
        .try_into()
        .map_err(|_| CryptoError::KeystoreDecrypt("nonce must be 12 bytes".into()))?;

    let ciphertext = hex::decode(&keystore.encryption.ciphertext)
        .map_err(|e| CryptoError::KeystoreDecrypt(format!("invalid ciphertext hex: {e}")))?;

    let key = derive_key(password, &salt, &keystore.encryption.params)
        .map_err(|e| CryptoError::KeystoreDecrypt(format!("KDF failed: {e}")))?;

    aes_decrypt(&key, &nonce_bytes, &ciphertext)
}

/// Filename prefix for epoch-specific keystore files.
///
/// The full pattern is `threshold_keystore_chain_{chain_id}_epoch_{epoch_id}.json`.
/// The `chain_id` is part of the filename so that a multichain `frost-dkg`
/// operator sharing one keystore directory does not collide chain A's and chain
/// B's epoch keystores (they would otherwise both be `epoch_{id}.json` and one
/// file would load into both chains' contexts — cross-chain share confusion).
/// This mirrors the `chain_id` field already carried by [`AppliedCeremony`].
const EPOCH_KEYSTORE_PREFIX: &str = "threshold_keystore_chain_";

/// Build the epoch keystore filename for a `(chain_id, epoch_id)` pair.
fn epoch_keystore_filename(chain_id: u64, epoch_id: u64) -> String {
    format!("{EPOCH_KEYSTORE_PREFIX}{chain_id}_epoch_{epoch_id}.json")
}

/// Write an encrypted keystore for a specific `(chain_id, epoch_id)`.
///
/// The file is written to
/// `dir/threshold_keystore_chain_{chain_id}_epoch_{epoch_id}.json`. Each epoch
/// produces an independent keystore so operators can hold key material for the
/// current and previous epochs during grace periods, and the `chain_id` in the
/// path keeps multichain operators sharing one directory from colliding.
///
/// Because [`write_keystore`] persists via a single atomic rename, this file
/// appears on disk exactly when the new share becomes durable — which is what
/// lets [`epoch_keystore_exists`] serve as an atomic replay guard.
///
/// # Errors
///
/// Returns [`CryptoError::KeystoreEncrypt`] on encryption or I/O failure.
pub fn write_epoch_keystore(
    dir: &Path,
    chain_id: u64,
    epoch_id: u64,
    ceremony_id: &str,
    plaintext: &[u8],
    password: &[u8],
) -> Result<PathBuf, CryptoError> {
    let path = dir.join(epoch_keystore_filename(chain_id, epoch_id));
    write_keystore(&path, ceremony_id, plaintext, password)?;
    Ok(path)
}

/// List all epoch keystore files for `chain_id` in `dir`, sorted by epoch ID
/// descending.
///
/// Scans for files matching
/// `threshold_keystore_chain_{chain_id}_epoch_{N}.json` and returns
/// `(epoch_id, path)` pairs. Files for other chains and non-matching files are
/// silently ignored.
///
/// # Errors
///
/// Returns [`CryptoError::KeystoreDecrypt`] if the directory cannot be read.
pub fn list_epoch_keystores(dir: &Path, chain_id: u64) -> Result<Vec<(u64, PathBuf)>, CryptoError> {
    let entries = std::fs::read_dir(dir).map_err(|e| {
        CryptoError::KeystoreDecrypt(format!("failed to read keystore directory {}: {e}", dir.display()))
    })?;

    let mut keystores: Vec<(u64, PathBuf)> = Vec::new();

    for entry in entries {
        let entry = entry.map_err(|e| {
            CryptoError::KeystoreDecrypt(format!("failed to read directory entry in {}: {e}", dir.display()))
        })?;

        let path = entry.path();
        // Only surface keystores for the requested chain; a shared directory may
        // hold other chains' epoch keystores under the same prefix.
        if let Some((file_chain_id, epoch_id)) = parse_epoch_keystore_path(&path) {
            if file_chain_id == chain_id {
                keystores.push((epoch_id, path));
            }
        }
    }

    // Sort descending by epoch ID so the latest epoch comes first
    keystores.sort_by_key(|k| std::cmp::Reverse(k.0));
    Ok(keystores)
}

/// Read and decrypt the keystore with the highest epoch ID for `chain_id` in `dir`.
///
/// Returns `Ok(None)` if no epoch keystore files exist for that chain.
///
/// # Errors
///
/// Returns [`CryptoError::KeystoreDecrypt`] if the directory cannot be read
/// or the highest-epoch keystore cannot be decrypted.
pub fn read_latest_epoch_keystore(
    dir: &Path,
    chain_id: u64,
    password: &[u8],
) -> Result<Option<(u64, Vec<u8>)>, CryptoError> {
    let keystores = list_epoch_keystores(dir, chain_id)?;

    match keystores.first() {
        Some((epoch_id, path)) => {
            let plaintext = read_keystore(path, password)?;
            Ok(Some((*epoch_id, plaintext)))
        }
        None => Ok(None),
    }
}

/// Returns true if an epoch keystore for `(chain_id, epoch_id)` already exists.
///
/// This is the atomic half of the refresh-apply replay guard: because the share
/// is persisted via a single atomic rename (see [`write_epoch_keystore`]), the
/// file exists exactly when the new share is durable. A replayed
/// `newt_dkgRefreshApply` that crashed after persisting the share but before
/// recording the [`AppliedCeremony`] marker is therefore still rejected here —
/// the keystore file is present even though the marker is not, closing the
/// double-apply window a marker-only guard would leave open.
pub fn epoch_keystore_exists(dir: &Path, chain_id: u64, epoch_id: u64) -> bool {
    dir.join(epoch_keystore_filename(chain_id, epoch_id)).exists()
}

/// Delete the epoch keystore file for `(chain_id, epoch_id)` in `dir`.
///
/// Returns `Ok(())` if the file was removed or did not exist (idempotent).
///
/// # Errors
///
/// Returns [`CryptoError::KeystoreDecrypt`] if the file exists but cannot be removed.
pub fn delete_epoch_keystore(dir: &Path, chain_id: u64, epoch_id: u64) -> Result<(), CryptoError> {
    let path = dir.join(epoch_keystore_filename(chain_id, epoch_id));
    match std::fs::remove_file(&path) {
        Ok(()) => Ok(()),
        Err(e) if e.kind() == std::io::ErrorKind::NotFound => Ok(()),
        Err(e) => Err(CryptoError::KeystoreDecrypt(format!(
            "failed to delete epoch keystore at {}: {e}",
            path.display()
        ))),
    }
}

/// Extract the `(chain_id, epoch_id)` from a keystore filename, if it matches
/// the expected `threshold_keystore_chain_{chain_id}_epoch_{epoch_id}.json`
/// pattern.
fn parse_epoch_keystore_path(path: &Path) -> Option<(u64, u64)> {
    let filename = path.file_name()?.to_str()?;
    let stem = filename.strip_prefix(EPOCH_KEYSTORE_PREFIX)?.strip_suffix(".json")?;
    let (chain_str, epoch_str) = stem.split_once("_epoch_")?;
    let chain_id = chain_str.parse::<u64>().ok()?;
    let epoch_id = epoch_str.parse::<u64>().ok()?;
    Some((chain_id, epoch_id))
}

/// Filename for the applied-refresh-ceremony ledger within a keystore directory.
const APPLIED_CEREMONIES_FILE: &str = "applied_refresh_ceremonies.json";

/// One recorded PSS refresh/reshare apply, keyed by the tuple that uniquely
/// identifies a ceremony's apply step. Used as a persisted replay guard so a
/// captured `newt_dkgRefreshApply` request cannot be re-applied — refresh-mode
/// apply mutates the share additively (`new = current + Σδ`), so a double-apply
/// would drift the share off the sharing polynomial and desync the operator.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct AppliedCeremony {
    /// Chain ID the refresh targeted.
    pub chain_id: u64,
    /// Epoch the refresh produced.
    pub epoch_id: u64,
    /// Ceremony identifier.
    pub ceremony_id: String,
    /// Operation mode ("refresh" or "reshare").
    pub mode: String,
}

/// On-disk ledger of applied refresh ceremonies.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct AppliedCeremonyLedger {
    /// All ceremonies whose apply step has already run on this operator.
    pub entries: Vec<AppliedCeremony>,
}

/// Read the applied-ceremony ledger from `dir`, returning an empty ledger if
/// the file does not yet exist.
///
/// # Errors
///
/// Returns [`CryptoError::KeystoreDecrypt`] if the file exists but cannot be
/// read or parsed — surfacing corruption loudly rather than silently treating
/// every ceremony as un-applied (which would re-open the replay window).
pub fn read_applied_ceremonies(dir: &Path) -> Result<AppliedCeremonyLedger, CryptoError> {
    let path = dir.join(APPLIED_CEREMONIES_FILE);
    match std::fs::read_to_string(&path) {
        Ok(json) => serde_json::from_str(&json).map_err(|e| {
            CryptoError::KeystoreDecrypt(format!("invalid applied-ceremony ledger at {}: {e}", path.display()))
        }),
        Err(e) if e.kind() == std::io::ErrorKind::NotFound => Ok(AppliedCeremonyLedger::default()),
        Err(e) => Err(CryptoError::KeystoreDecrypt(format!(
            "failed to read applied-ceremony ledger at {}: {e}",
            path.display()
        ))),
    }
}

/// Returns true if a ceremony matching `entry` has already been applied.
pub fn is_ceremony_applied(dir: &Path, entry: &AppliedCeremony) -> Result<bool, CryptoError> {
    Ok(read_applied_ceremonies(dir)?.entries.iter().any(|e| e == entry))
}

/// Record `entry` in the applied-ceremony ledger, creating the file if needed.
///
/// Idempotent: recording an already-present entry is a no-op.
///
/// A read failure is propagated rather than swallowed — silently starting from
/// an empty ledger on a transient read error would drop every prior entry and
/// re-open the replay window for all previously-applied ceremonies.
///
/// The write is crash-safe: the new ledger is written to a temp file (owner-only
/// 0600 on Unix) and atomically renamed over the target, so a crash mid-write
/// cannot leave a torn/empty ledger — readers see either the old or the new
/// file, never a partial one.
///
/// # Errors
///
/// Returns [`CryptoError::KeystoreEncrypt`] on serialization or I/O failure, or
/// [`CryptoError::KeystoreDecrypt`] if the existing ledger cannot be read.
pub fn record_applied_ceremony(dir: &Path, entry: AppliedCeremony) -> Result<(), CryptoError> {
    let mut ledger = read_applied_ceremonies(dir)?;
    if ledger.entries.contains(&entry) {
        return Ok(());
    }
    ledger.entries.push(entry);

    let json = serde_json::to_string_pretty(&ledger)
        .map_err(|e| CryptoError::KeystoreEncrypt(format!("failed to serialize applied-ceremony ledger: {e}")))?;

    let path = dir.join(APPLIED_CEREMONIES_FILE);
    let tmp_path = dir.join(format!("{APPLIED_CEREMONIES_FILE}.tmp"));

    {
        let mut opts = OpenOptions::new();
        opts.write(true).create(true).truncate(true);

        #[cfg(unix)]
        opts.mode(0o600);

        let mut file = opts.open(&tmp_path).map_err(|e| {
            CryptoError::KeystoreEncrypt(format!(
                "failed to open applied-ceremony ledger temp file at {}: {e}",
                tmp_path.display()
            ))
        })?;
        file.write_all(json.as_bytes()).map_err(|e| {
            CryptoError::KeystoreEncrypt(format!(
                "failed to write applied-ceremony ledger temp file at {}: {e}",
                tmp_path.display()
            ))
        })?;
        file.sync_all().map_err(|e| {
            CryptoError::KeystoreEncrypt(format!(
                "failed to fsync applied-ceremony ledger temp file at {}: {e}",
                tmp_path.display()
            ))
        })?;
    }

    std::fs::rename(&tmp_path, &path).map_err(|e| {
        CryptoError::KeystoreEncrypt(format!(
            "failed to atomically replace applied-ceremony ledger at {}: {e}",
            path.display()
        ))
    })?;

    Ok(())
}

#[cfg(test)]
mod tests {
    use tempfile::NamedTempFile;

    use super::*;

    // -- Epoch keystore tests --

    // A representative chain ID reused across the epoch keystore tests.
    const TEST_CHAIN_ID: u64 = 31337;

    #[test]
    fn epoch_keystore_write_read_roundtrip() {
        let dir = tempfile::tempdir().expect("tempdir");
        let plaintext = b"epoch-0-key-share-data";
        let password = b"test-password";

        let path = write_epoch_keystore(dir.path(), TEST_CHAIN_ID, 0, "ceremony-epoch-0", plaintext, password)
            .expect("write_epoch_keystore");
        assert!(path.exists());

        let result = read_latest_epoch_keystore(dir.path(), TEST_CHAIN_ID, password).expect("read_latest");
        let (epoch_id, recovered) = result.expect("expected Some");
        assert_eq!(epoch_id, 0);
        assert_eq!(recovered, plaintext);
    }

    #[test]
    fn list_epoch_keystores_sorted_descending() {
        let dir = tempfile::tempdir().expect("tempdir");
        let password = b"test-password";

        // Write epochs out of order: 0, 2, 1
        write_epoch_keystore(dir.path(), TEST_CHAIN_ID, 0, "c0", b"data-0", password).expect("write 0");
        write_epoch_keystore(dir.path(), TEST_CHAIN_ID, 2, "c2", b"data-2", password).expect("write 2");
        write_epoch_keystore(dir.path(), TEST_CHAIN_ID, 1, "c1", b"data-1", password).expect("write 1");

        let keystores = list_epoch_keystores(dir.path(), TEST_CHAIN_ID).expect("list");
        let epoch_ids: Vec<u64> = keystores.iter().map(|(id, _)| *id).collect();
        assert_eq!(epoch_ids, vec![2, 1, 0]);
    }

    #[test]
    fn delete_epoch_keystore_removes_file() {
        let dir = tempfile::tempdir().expect("tempdir");
        let password = b"test-password";

        write_epoch_keystore(dir.path(), TEST_CHAIN_ID, 5, "c5", b"data-5", password).expect("write 5");
        let keystores = list_epoch_keystores(dir.path(), TEST_CHAIN_ID).expect("list before delete");
        assert_eq!(keystores.len(), 1);

        delete_epoch_keystore(dir.path(), TEST_CHAIN_ID, 5).expect("delete");
        let keystores = list_epoch_keystores(dir.path(), TEST_CHAIN_ID).expect("list after delete");
        assert!(keystores.is_empty());
    }

    #[test]
    fn read_latest_returns_none_for_empty_dir() {
        let dir = tempfile::tempdir().expect("tempdir");
        let result = read_latest_epoch_keystore(dir.path(), TEST_CHAIN_ID, b"any-password").expect("read_latest");
        assert!(result.is_none());
    }

    #[test]
    fn epoch_keystores_are_namespaced_per_chain() {
        let dir = tempfile::tempdir().expect("tempdir");
        let password = b"test-password";
        let chain_a = 1u64;
        let chain_b = 2u64;

        // Same epoch id on two chains sharing one directory must not collide.
        write_epoch_keystore(dir.path(), chain_a, 7, "ca-7", b"chain-a-share", password).expect("write chain a");
        write_epoch_keystore(dir.path(), chain_b, 7, "cb-7", b"chain-b-share", password).expect("write chain b");

        // Each chain lists only its own keystore.
        assert_eq!(list_epoch_keystores(dir.path(), chain_a).expect("list a").len(), 1);
        assert_eq!(list_epoch_keystores(dir.path(), chain_b).expect("list b").len(), 1);

        // And loads its own share, not the other chain's.
        let (_, a_share) = read_latest_epoch_keystore(dir.path(), chain_a, password)
            .expect("read a")
            .expect("some a");
        let (_, b_share) = read_latest_epoch_keystore(dir.path(), chain_b, password)
            .expect("read b")
            .expect("some b");
        assert_eq!(a_share, b"chain-a-share");
        assert_eq!(b_share, b"chain-b-share");

        // Deleting one chain's keystore leaves the other's intact.
        delete_epoch_keystore(dir.path(), chain_a, 7).expect("delete a");
        assert!(list_epoch_keystores(dir.path(), chain_a)
            .expect("list a after delete")
            .is_empty());
        assert_eq!(
            list_epoch_keystores(dir.path(), chain_b)
                .expect("list b after delete")
                .len(),
            1
        );
    }

    #[test]
    fn epoch_keystore_exists_tracks_write() {
        let dir = tempfile::tempdir().expect("tempdir");
        let password = b"test-password";

        assert!(!epoch_keystore_exists(dir.path(), TEST_CHAIN_ID, 9));
        write_epoch_keystore(dir.path(), TEST_CHAIN_ID, 9, "c9", b"data-9", password).expect("write 9");
        assert!(epoch_keystore_exists(dir.path(), TEST_CHAIN_ID, 9));
        // A different chain with the same epoch id is a distinct file.
        assert!(!epoch_keystore_exists(dir.path(), TEST_CHAIN_ID + 1, 9));
    }

    #[test]
    fn applied_ceremony_ledger_records_and_detects() {
        let dir = tempfile::tempdir().expect("tempdir");
        let entry = AppliedCeremony {
            chain_id: 31337,
            epoch_id: 7,
            ceremony_id: "pss-refresh-epoch-7".to_string(),
            mode: "refresh".to_string(),
        };

        // Empty dir → not applied.
        assert!(!is_ceremony_applied(dir.path(), &entry).expect("check"));

        record_applied_ceremony(dir.path(), entry.clone()).expect("record");
        assert!(is_ceremony_applied(dir.path(), &entry).expect("check after record"));

        // Recording again is idempotent (no duplicate entry).
        record_applied_ceremony(dir.path(), entry.clone()).expect("record again");
        let ledger = read_applied_ceremonies(dir.path()).expect("read");
        assert_eq!(ledger.entries.len(), 1);

        // A different mode for the same ceremony is a distinct entry.
        let reshare = AppliedCeremony {
            mode: "reshare".to_string(),
            ..entry.clone()
        };
        assert!(!is_ceremony_applied(dir.path(), &reshare).expect("check reshare"));

        // A second distinct entry accumulates without dropping the first.
        record_applied_ceremony(dir.path(), reshare.clone()).expect("record reshare");
        let ledger = read_applied_ceremonies(dir.path()).expect("read after two");
        assert_eq!(ledger.entries.len(), 2);
        assert!(is_ceremony_applied(dir.path(), &entry).expect("first still present"));

        // Atomic write leaves no temp file behind.
        assert!(
            !dir.path().join(format!("{APPLIED_CEREMONIES_FILE}.tmp")).exists(),
            "temp ledger file should be renamed away, not left on disk"
        );
    }

    #[test]
    fn record_applied_ceremony_propagates_corrupt_ledger() {
        let dir = tempfile::tempdir().expect("tempdir");
        std::fs::write(dir.path().join(APPLIED_CEREMONIES_FILE), b"{ not valid json").expect("seed corrupt");

        let entry = AppliedCeremony {
            chain_id: 1,
            epoch_id: 1,
            ceremony_id: "c".to_string(),
            mode: "refresh".to_string(),
        };
        // A corrupt ledger must surface as an error, not be silently overwritten
        // (which would drop prior entries and re-open the replay window).
        assert!(record_applied_ceremony(dir.path(), entry).is_err());
    }

    #[test]
    fn applied_ceremony_ledger_empty_for_missing_file() {
        let dir = tempfile::tempdir().expect("tempdir");
        let ledger = read_applied_ceremonies(dir.path()).expect("read empty");
        assert!(ledger.entries.is_empty());
    }

    #[test]
    fn keystore_write_read_roundtrip() {
        let plaintext = b"this is my secret threshold key share data";
        let password = b"correct-horse-battery-staple";
        let ceremony_id = "test-ceremony-abc123";

        let tmp = NamedTempFile::new().expect("tempfile");
        write_keystore(tmp.path(), ceremony_id, plaintext, password).expect("write_keystore");
        let recovered = read_keystore(tmp.path(), password).expect("read_keystore");

        assert_eq!(recovered, plaintext);
    }

    #[test]
    fn keystore_wrong_password_fails() {
        let plaintext = b"sensitive key material";
        let password = b"correct-password";
        let wrong_password = b"wrong-password";

        let tmp = NamedTempFile::new().expect("tempfile");
        write_keystore(tmp.path(), "ceremony-1", plaintext, password).expect("write_keystore");

        let result = read_keystore(tmp.path(), wrong_password);
        assert!(result.is_err(), "expected decryption to fail with wrong password");
        let err = result.unwrap_err();
        assert!(
            matches!(err, CryptoError::KeystoreDecrypt(_)),
            "expected KeystoreDecrypt, got: {err}"
        );
    }

    #[test]
    fn keystore_file_not_found() {
        let path = Path::new("/tmp/nonexistent-newton-keystore-abc123.json");
        let result = read_keystore(path, b"password");
        assert!(result.is_err(), "expected error for nonexistent file");
        let err = result.unwrap_err();
        assert!(
            matches!(err, CryptoError::KeystoreDecrypt(_)),
            "expected KeystoreDecrypt, got: {err}"
        );
    }

    #[test]
    fn keystore_corrupted_payload() {
        let plaintext = b"key share bytes";
        let password = b"my-password";

        let tmp = NamedTempFile::new().expect("tempfile");
        write_keystore(tmp.path(), "ceremony-2", plaintext, password).expect("write_keystore");

        // Read the file, corrupt the ciphertext hex, write back
        let json = std::fs::read_to_string(tmp.path()).expect("read");
        let mut keystore: ThresholdKeystore = serde_json::from_str(&json).expect("parse");

        // Flip a byte in the ciphertext hex
        let mut ciphertext_bytes = hex::decode(&keystore.encryption.ciphertext).expect("decode");
        ciphertext_bytes[0] ^= 0xff;
        keystore.encryption.ciphertext = hex::encode(&ciphertext_bytes);

        let corrupted_json = serde_json::to_string_pretty(&keystore).expect("serialize");
        std::fs::write(tmp.path(), corrupted_json).expect("write");

        let result = read_keystore(tmp.path(), password);
        assert!(result.is_err(), "expected decryption to fail with corrupted payload");
        let err = result.unwrap_err();
        assert!(
            matches!(err, CryptoError::KeystoreDecrypt(_)),
            "expected KeystoreDecrypt, got: {err}"
        );
    }
}