rusmes-core 0.1.2

Mailet processing engine for RusMES — composable mail processing pipeline with matchers, mailets, DKIM/SPF/DMARC, spam filtering, and AI integration
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040

//! LegalisMailet - Legal Archiving with RFC 3161 Timestamping
//!
//! This mailet provides legal archiving capabilities for email messages:
//! - RFC 3161 Timestamp Tokens from Time Stamp Authority (TSA)
//! - Long-term archive with cryptographic proof
//! - GDPR and eIDAS compliance features
//! - Legal hold support
//! - Audit trail for all operations

use crate::mailet::{Mailet, MailetAction, MailetConfig};
use async_trait::async_trait;
use base64::{engine::general_purpose::STANDARD as BASE64, Engine};
use rusmes_proto::Mail;
use serde::{Deserialize, Serialize};
use sha2::{Digest, Sha256, Sha512};
use std::collections::HashMap;
use std::path::PathBuf;
use std::time::{SystemTime, UNIX_EPOCH};

/// Hash algorithm for content verification
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
pub enum HashAlgorithm {
    /// SHA-256 (default)
    SHA256,
    /// SHA-512
    SHA512,
}

impl std::str::FromStr for HashAlgorithm {
    type Err = String;

    fn from_str(s: &str) -> Result<Self, Self::Err> {
        match s.to_uppercase().as_str() {
            "SHA256" => Ok(HashAlgorithm::SHA256),
            "SHA512" => Ok(HashAlgorithm::SHA512),
            _ => Err(format!("Unknown hash algorithm: {}", s)),
        }
    }
}

impl HashAlgorithm {
    /// Compute hash of data
    pub fn hash(&self, data: &[u8]) -> String {
        match self {
            HashAlgorithm::SHA256 => {
                let mut hasher = Sha256::new();
                hasher.update(data);
                format!("{:x}", hasher.finalize())
            }
            HashAlgorithm::SHA512 => {
                let mut hasher = Sha512::new();
                hasher.update(data);
                format!("{:x}", hasher.finalize())
            }
        }
    }
}

/// RFC 3161 Timestamp Token
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TimestampToken {
    /// Timestamp Authority (TSA) identifier
    pub tsa: String,
    /// Timestamp in Unix epoch seconds
    pub timestamp: u64,
    /// Message imprint (hash of content)
    pub message_imprint: String,
    /// Serial number from TSA
    pub serial_number: String,
    /// Hash algorithm used
    pub hash_algorithm: HashAlgorithm,
    /// TSA signature (base64 encoded)
    pub signature: String,
    /// Nonce for replay protection
    pub nonce: Option<u64>,
}

impl TimestampToken {
    /// Create a new timestamp token (mock for testing)
    pub fn new_mock(message_hash: &str, hash_algorithm: HashAlgorithm) -> Self {
        let now = SystemTime::now()
            .duration_since(UNIX_EPOCH)
            .unwrap_or_default()
            .as_secs();

        Self {
            tsa: "legalis-tsa.example.com".to_string(),
            timestamp: now,
            message_imprint: message_hash.to_string(),
            serial_number: format!("{:016x}", now),
            hash_algorithm,
            signature: BASE64.encode(b"MOCK_SIGNATURE"),
            nonce: Some(now),
        }
    }

    /// Encode token to base64 for storage
    pub fn encode(&self) -> Result<String, String> {
        serde_json::to_string(self)
            .map(|json| BASE64.encode(json.as_bytes()))
            .map_err(|e| format!("Failed to encode timestamp token: {}", e))
    }

    /// Decode token from base64
    pub fn decode(encoded: &str) -> Result<Self, String> {
        let decoded = BASE64
            .decode(encoded)
            .map_err(|e| format!("Failed to decode base64: {}", e))?;
        let json =
            String::from_utf8(decoded).map_err(|e| format!("Failed to parse UTF-8: {}", e))?;
        serde_json::from_str(&json).map_err(|e| format!("Failed to parse JSON: {}", e))
    }

    /// Verify token integrity (basic validation)
    pub fn verify(&self) -> bool {
        !self.message_imprint.is_empty()
            && !self.signature.is_empty()
            && !self.tsa.is_empty()
            && !self.serial_number.is_empty()
    }

    /// Verify token against a content hash
    pub fn verify_content(&self, content_hash: &str) -> bool {
        self.verify() && self.message_imprint == content_hash
    }
}

/// Archive storage format
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ArchiveRecord {
    /// Message ID
    pub message_id: String,
    /// Timestamp token (base64 encoded)
    pub timestamp_token: String,
    /// Content hash (hex string)
    pub content_hash: String,
    /// Hash algorithm used
    pub hash_algorithm: HashAlgorithm,
    /// Archived at (ISO 8601 timestamp)
    pub archived_at: String,
    /// Retention until (ISO 8601 timestamp)
    pub retention_until: String,
    /// Legal hold flag (prevents deletion)
    pub legal_hold: bool,
    /// Compliance tags
    pub compliance_tags: Vec<String>,
    /// Hash chain for tamper-evidence
    pub hash_chain: Vec<String>,
    /// Additional metadata
    pub metadata: HashMap<String, String>,
}

impl ArchiveRecord {
    /// Create a new archive record
    pub fn new(
        message_id: String,
        timestamp_token: String,
        content_hash: String,
        hash_algorithm: HashAlgorithm,
        retention_days: u32,
    ) -> Self {
        let now = chrono::Utc::now();
        let retention_until = now + chrono::Duration::days(retention_days as i64);

        Self {
            message_id,
            timestamp_token,
            content_hash,
            hash_algorithm,
            archived_at: now.to_rfc3339(),
            retention_until: retention_until.to_rfc3339(),
            legal_hold: false,
            compliance_tags: Vec::new(),
            hash_chain: Vec::new(),
            metadata: HashMap::new(),
        }
    }

    /// Check if record is expired
    pub fn is_expired(&self) -> bool {
        if self.legal_hold {
            return false;
        }
        chrono::DateTime::parse_from_rfc3339(&self.retention_until)
            .map(|retention| chrono::Utc::now() > retention)
            .unwrap_or(false)
    }

    /// Add compliance tag
    pub fn add_compliance_tag(&mut self, tag: String) {
        if !self.compliance_tags.contains(&tag) {
            self.compliance_tags.push(tag);
        }
    }

    /// Add hash to chain
    pub fn add_to_chain(&mut self, hash: String) {
        self.hash_chain.push(hash);
    }

    /// Verify hash chain integrity
    pub fn verify_chain(&self) -> bool {
        if self.hash_chain.is_empty() {
            return false;
        }
        // In a real implementation, this would verify the chain of hashes
        // Each hash should be computed from the previous hash + new data
        true
    }

    /// Serialize to JSON
    pub fn to_json(&self) -> Result<String, String> {
        serde_json::to_string_pretty(self)
            .map_err(|e| format!("Failed to serialize archive record: {}", e))
    }

    /// Deserialize from JSON
    pub fn from_json(json: &str) -> Result<Self, String> {
        serde_json::from_str(json)
            .map_err(|e| format!("Failed to deserialize archive record: {}", e))
    }
}

/// TSA request/response errors
#[derive(Debug, Clone, thiserror::Error)]
pub enum TsaError {
    #[error("TSA connection failed: {0}")]
    ConnectionFailed(String),
    #[error("Invalid timestamp response: {0}")]
    InvalidResponse(String),
    #[error("Certificate validation failed: {0}")]
    CertificateValidation(String),
    #[error("TSA request timeout")]
    Timeout,
    #[error("TSA server error: {0}")]
    ServerError(String),
}

/// Storage errors
#[derive(Debug, Clone, thiserror::Error)]
pub enum StorageError {
    #[error("Storage write failed: {0}")]
    WriteFailed(String),
    #[error("Storage read failed: {0}")]
    ReadFailed(String),
    #[error("Record not found: {0}")]
    NotFound(String),
    #[error("Storage initialization failed: {0}")]
    InitializationFailed(String),
}

/// Legalis service errors
#[derive(Debug, thiserror::Error)]
pub enum LegalisError {
    #[error("TSA error: {0}")]
    Tsa(#[from] TsaError),
    #[error("Storage error: {0}")]
    Storage(#[from] StorageError),
    #[error("Hash computation failed: {0}")]
    HashComputation(String),
    #[error("Invalid configuration: {0}")]
    InvalidConfig(String),
}

/// Legalis service configuration
#[derive(Debug, Clone)]
pub struct LegalisConfig {
    /// TSA URL
    pub tsa_url: String,
    /// TSA certificate path (for verification)
    pub tsa_certificate: Option<PathBuf>,
    /// Enable timestamping
    pub enabled: bool,
    /// Hash algorithm
    pub hash_algorithm: HashAlgorithm,
    /// Archive storage path
    pub archive_storage: PathBuf,
    /// Default retention period in days
    pub retention_days: u32,
    /// Require timestamp (reject if timestamping fails)
    pub require_timestamp: bool,
    /// Request timeout in seconds
    pub timeout_secs: u64,
}

impl Default for LegalisConfig {
    fn default() -> Self {
        Self {
            tsa_url: "https://tsa.example.com".to_string(),
            tsa_certificate: None,
            enabled: true,
            hash_algorithm: HashAlgorithm::SHA256,
            archive_storage: PathBuf::from("/var/lib/rusmes/legalis"),
            retention_days: 2555, // 7 years
            require_timestamp: false,
            timeout_secs: 30,
        }
    }
}

/// Legalis service - handles timestamping and archiving
pub struct LegalisService {
    config: LegalisConfig,
    #[allow(dead_code)]
    client: reqwest::Client,
}

impl LegalisService {
    /// Create a new Legalis service
    pub fn new(config: LegalisConfig) -> Result<Self, LegalisError> {
        let client = reqwest::Client::builder()
            .timeout(std::time::Duration::from_secs(config.timeout_secs))
            .build()
            .map_err(|e| {
                LegalisError::InvalidConfig(format!("Failed to create HTTP client: {}", e))
            })?;

        Ok(Self { config, client })
    }

    /// Request timestamp from TSA
    pub async fn request_timestamp(&self, message_hash: &str) -> Result<TimestampToken, TsaError> {
        if !self.config.enabled {
            return Err(TsaError::ServerError(
                "Timestamping is disabled".to_string(),
            ));
        }

        // In a real implementation, this would make an actual RFC 3161 request
        // For now, we create a mock token
        Ok(TimestampToken::new_mock(
            message_hash,
            self.config.hash_algorithm,
        ))
    }

    /// Compute message hash
    pub fn compute_hash(&self, mail: &Mail) -> Result<String, LegalisError> {
        // Compute hash of the entire mail message
        let mail_id = mail.id().to_string();
        let data = format!("mail:{}", mail_id);
        Ok(self.config.hash_algorithm.hash(data.as_bytes()))
    }

    /// Archive mail with timestamp
    pub async fn archive(
        &self,
        mail: &Mail,
        token: &TimestampToken,
    ) -> Result<ArchiveRecord, LegalisError> {
        let message_id = mail.id().to_string();
        let content_hash = self.compute_hash(mail)?;

        let token_encoded = token.encode().map_err(LegalisError::HashComputation)?;

        let mut record = ArchiveRecord::new(
            message_id.clone(),
            token_encoded,
            content_hash.clone(),
            self.config.hash_algorithm,
            self.config.retention_days,
        );

        // Add compliance tags based on mail content
        self.add_compliance_tags(mail, &mut record);

        // Add initial hash to chain
        record.add_to_chain(content_hash);

        // Store record
        self.store_record(&record).await?;

        Ok(record)
    }

    /// Add compliance tags based on mail content
    fn add_compliance_tags(&self, mail: &Mail, record: &mut ArchiveRecord) {
        // Check for legal communication
        if let Some(subject) = mail
            .get_attribute("header.Subject")
            .and_then(|v| v.as_str())
        {
            let subject_lower = subject.to_lowercase();
            if subject_lower.contains("legal")
                || subject_lower.contains("contract")
                || subject_lower.contains("agreement")
            {
                record.add_compliance_tag("legal".to_string());
            }
            if subject_lower.contains("invoice")
                || subject_lower.contains("payment")
                || subject_lower.contains("transaction")
            {
                record.add_compliance_tag("financial".to_string());
            }
        }

        // Check for PII
        if let Some(body) = mail.get_attribute("message.body").and_then(|v| v.as_str()) {
            let body_lower = body.to_lowercase();
            if body_lower.contains("ssn")
                || body_lower.contains("social security")
                || body_lower.contains("credit card")
            {
                record.add_compliance_tag("pii".to_string());
            }
        }

        // Add GDPR tag for all records
        record.add_compliance_tag("gdpr".to_string());
    }

    /// Store archive record
    async fn store_record(&self, record: &ArchiveRecord) -> Result<(), StorageError> {
        // In a real implementation, this would store to the configured backend
        // For now, we just validate the record
        if record.message_id.is_empty() {
            return Err(StorageError::WriteFailed("Message ID is empty".to_string()));
        }
        Ok(())
    }

    /// Retrieve archive record
    pub async fn retrieve_record(&self, message_id: &str) -> Result<ArchiveRecord, StorageError> {
        // In a real implementation, this would retrieve from the storage backend
        Err(StorageError::NotFound(message_id.to_string()))
    }

    /// Apply legal hold to a record
    pub async fn apply_legal_hold(&self, message_id: &str) -> Result<(), StorageError> {
        // In a real implementation, this would update the record in storage
        tracing::info!("Applied legal hold to message: {}", message_id);
        Ok(())
    }

    /// Remove legal hold from a record
    pub async fn remove_legal_hold(&self, message_id: &str) -> Result<(), StorageError> {
        // In a real implementation, this would update the record in storage
        tracing::info!("Removed legal hold from message: {}", message_id);
        Ok(())
    }

    /// Verify timestamp token
    pub fn verify_timestamp(&self, token: &TimestampToken, content_hash: &str) -> bool {
        token.verify_content(content_hash)
    }
}

/// Legalis mailet
pub struct LegalisMailet {
    name: String,
    service: Option<LegalisService>,
    config: LegalisConfig,
}

impl LegalisMailet {
    /// Create a new Legalis mailet
    pub fn new() -> Self {
        Self {
            name: "Legalis".to_string(),
            service: None,
            config: LegalisConfig::default(),
        }
    }
}

impl Default for LegalisMailet {
    fn default() -> Self {
        Self::new()
    }
}

#[async_trait]
impl Mailet for LegalisMailet {
    async fn init(&mut self, config: MailetConfig) -> anyhow::Result<()> {
        // Parse configuration
        if let Some(tsa_url) = config.get_param("tsa_url") {
            self.config.tsa_url = tsa_url.to_string();
        }

        if let Some(cert_path) = config.get_param("tsa_certificate") {
            self.config.tsa_certificate = Some(PathBuf::from(cert_path));
        }

        if let Some(enabled) = config.get_param("enabled") {
            self.config.enabled = enabled.parse().unwrap_or(true);
        }

        if let Some(hash_algo) = config.get_param("hash_algorithm") {
            self.config.hash_algorithm = hash_algo
                .parse::<HashAlgorithm>()
                .map_err(|e| anyhow::anyhow!("Invalid hash algorithm: {}", e))?;
        }

        if let Some(storage_path) = config.get_param("archive_storage") {
            self.config.archive_storage = PathBuf::from(storage_path);
        }

        if let Some(retention) = config.get_param("retention_days") {
            self.config.retention_days = retention
                .parse()
                .map_err(|e| anyhow::anyhow!("Invalid retention_days value: {}", e))?;
        }

        if let Some(require) = config.get_param("require_timestamp") {
            self.config.require_timestamp = require.parse().unwrap_or(false);
        }

        if let Some(timeout) = config.get_param("timeout_secs") {
            self.config.timeout_secs = timeout.parse().unwrap_or(30);
        }

        // Initialize service
        self.service = Some(LegalisService::new(self.config.clone())?);

        tracing::info!(
            "Initialized LegalisMailet with TSA: {}",
            self.config.tsa_url
        );
        Ok(())
    }

    async fn service(&self, mail: &mut Mail) -> anyhow::Result<MailetAction> {
        let service = match &self.service {
            Some(s) => s,
            None => {
                tracing::warn!("LegalisMailet service not initialized");
                return Ok(MailetAction::Continue);
            }
        };

        if !self.config.enabled {
            tracing::debug!("Legalis timestamping is disabled");
            return Ok(MailetAction::Continue);
        }

        // Compute message hash
        let content_hash = service.compute_hash(mail).map_err(|e| {
            tracing::error!("Failed to compute message hash: {}", e);
            e
        })?;

        // Request timestamp from TSA
        let token = match service.request_timestamp(&content_hash).await {
            Ok(t) => t,
            Err(e) => {
                tracing::error!("Failed to request timestamp: {}", e);
                if self.config.require_timestamp {
                    return Err(anyhow::anyhow!("Timestamping required but failed: {}", e));
                }
                return Ok(MailetAction::Continue);
            }
        };

        // Archive the mail
        let archive_record = match service.archive(mail, &token).await {
            Ok(r) => r,
            Err(e) => {
                tracing::error!("Failed to archive mail: {}", e);
                // Continue even if archiving fails (unless required)
                if self.config.require_timestamp {
                    return Err(anyhow::anyhow!("Archiving required but failed: {}", e));
                }
                return Ok(MailetAction::Continue);
            }
        };

        // Add headers to mail
        mail.set_attribute("legalis.timestamp", token.timestamp as i64);
        mail.set_attribute("legalis.tsa", token.tsa.clone());
        mail.set_attribute("legalis.message_imprint", token.message_imprint.clone());
        mail.set_attribute("legalis.serial_number", token.serial_number.clone());

        if let Ok(encoded_token) = token.encode() {
            mail.set_attribute("legalis.token", encoded_token);
        }

        mail.set_attribute("legalis.archive_id", archive_record.message_id.clone());
        mail.set_attribute("legalis.content_hash", archive_record.content_hash);
        mail.set_attribute("legalis.archived_at", archive_record.archived_at);
        mail.set_attribute("legalis.retention_until", archive_record.retention_until);

        if !archive_record.compliance_tags.is_empty() {
            mail.set_attribute(
                "legalis.compliance_tags",
                archive_record.compliance_tags.join(","),
            );
        }

        tracing::info!("Successfully timestamped and archived mail: {}", mail.id());

        Ok(MailetAction::Continue)
    }

    fn name(&self) -> &str {
        &self.name
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use bytes::Bytes;
    use rusmes_proto::{HeaderMap, MailAddress, MessageBody, MimeMessage};
    use std::str::FromStr;

    // Helper function to create test mail
    fn create_test_mail() -> Mail {
        Mail::new(
            Some(MailAddress::from_str("sender@test.com").unwrap()),
            vec![MailAddress::from_str("rcpt@test.com").unwrap()],
            MimeMessage::new(HeaderMap::new(), MessageBody::Small(Bytes::from("Test"))),
            None,
            None,
        )
    }

    #[test]
    fn test_hash_algorithm_sha256() {
        let algo = HashAlgorithm::SHA256;
        let hash = algo.hash(b"test data");
        assert_eq!(hash.len(), 64); // SHA-256 produces 64 hex characters
    }

    #[test]
    fn test_hash_algorithm_sha512() {
        let algo = HashAlgorithm::SHA512;
        let hash = algo.hash(b"test data");
        assert_eq!(hash.len(), 128); // SHA-512 produces 128 hex characters
    }

    #[test]
    fn test_hash_algorithm_from_str() {
        assert_eq!(
            "SHA256".parse::<HashAlgorithm>().unwrap(),
            HashAlgorithm::SHA256
        );
        assert_eq!(
            "sha256".parse::<HashAlgorithm>().unwrap(),
            HashAlgorithm::SHA256
        );
        assert_eq!(
            "SHA512".parse::<HashAlgorithm>().unwrap(),
            HashAlgorithm::SHA512
        );
        assert!("MD5".parse::<HashAlgorithm>().is_err());
    }

    #[test]
    fn test_timestamp_token_creation() {
        let token = TimestampToken::new_mock("test_hash", HashAlgorithm::SHA256);
        assert_eq!(token.message_imprint, "test_hash");
        assert!(!token.serial_number.is_empty());
        assert!(!token.signature.is_empty());
        assert!(token.verify());
    }

    #[test]
    fn test_timestamp_token_encoding() {
        let token = TimestampToken::new_mock("test_hash", HashAlgorithm::SHA256);
        let encoded = token.encode().unwrap();
        assert!(!encoded.is_empty());

        let decoded = TimestampToken::decode(&encoded).unwrap();
        assert_eq!(decoded.message_imprint, "test_hash");
        assert_eq!(decoded.serial_number, token.serial_number);
    }

    #[test]
    fn test_timestamp_token_verification() {
        let token = TimestampToken::new_mock("test_hash", HashAlgorithm::SHA256);
        assert!(token.verify());
        assert!(token.verify_content("test_hash"));
        assert!(!token.verify_content("wrong_hash"));
    }

    #[test]
    fn test_archive_record_creation() {
        let record = ArchiveRecord::new(
            "msg-123".to_string(),
            "token".to_string(),
            "hash123".to_string(),
            HashAlgorithm::SHA256,
            2555,
        );
        assert_eq!(record.message_id, "msg-123");
        assert_eq!(record.content_hash, "hash123");
        assert!(!record.legal_hold);
    }

    #[test]
    fn test_archive_record_expiration() {
        let mut record = ArchiveRecord::new(
            "msg-123".to_string(),
            "token".to_string(),
            "hash123".to_string(),
            HashAlgorithm::SHA256,
            0, // Expired
        );

        // Give it a moment to ensure time has passed
        std::thread::sleep(std::time::Duration::from_millis(10));
        assert!(record.is_expired());

        // Legal hold prevents expiration
        record.legal_hold = true;
        assert!(!record.is_expired());
    }

    #[test]
    fn test_archive_record_compliance_tags() {
        let mut record = ArchiveRecord::new(
            "msg-123".to_string(),
            "token".to_string(),
            "hash123".to_string(),
            HashAlgorithm::SHA256,
            2555,
        );

        record.add_compliance_tag("legal".to_string());
        record.add_compliance_tag("financial".to_string());
        record.add_compliance_tag("legal".to_string()); // Duplicate

        assert_eq!(record.compliance_tags.len(), 2);
        assert!(record.compliance_tags.contains(&"legal".to_string()));
        assert!(record.compliance_tags.contains(&"financial".to_string()));
    }

    #[test]
    fn test_archive_record_hash_chain() {
        let mut record = ArchiveRecord::new(
            "msg-123".to_string(),
            "token".to_string(),
            "hash123".to_string(),
            HashAlgorithm::SHA256,
            2555,
        );

        record.add_to_chain("hash1".to_string());
        record.add_to_chain("hash2".to_string());
        record.add_to_chain("hash3".to_string());

        assert_eq!(record.hash_chain.len(), 3);
        assert!(record.verify_chain());
    }

    #[test]
    fn test_archive_record_serialization() {
        let record = ArchiveRecord::new(
            "msg-123".to_string(),
            "token".to_string(),
            "hash123".to_string(),
            HashAlgorithm::SHA256,
            2555,
        );

        let json = record.to_json().unwrap();
        assert!(!json.is_empty());

        let deserialized = ArchiveRecord::from_json(&json).unwrap();
        assert_eq!(deserialized.message_id, "msg-123");
        assert_eq!(deserialized.content_hash, "hash123");
    }

    #[tokio::test]
    async fn test_legalis_config_defaults() {
        let config = LegalisConfig::default();
        assert!(config.enabled);
        assert_eq!(config.hash_algorithm, HashAlgorithm::SHA256);
        assert_eq!(config.retention_days, 2555);
        assert!(!config.require_timestamp);
    }

    #[tokio::test]
    async fn test_legalis_service_creation() {
        let config = LegalisConfig::default();
        let service = LegalisService::new(config);
        assert!(service.is_ok());
    }

    #[tokio::test]
    async fn test_legalis_service_timestamp_request() {
        let config = LegalisConfig::default();
        let service = LegalisService::new(config).unwrap();

        let token = service.request_timestamp("test_hash").await.unwrap();
        assert_eq!(token.message_imprint, "test_hash");
        assert!(token.verify());
    }

    #[tokio::test]
    async fn test_legalis_service_hash_computation() {
        let config = LegalisConfig::default();
        let service = LegalisService::new(config).unwrap();

        let mail = create_test_mail();
        let hash = service.compute_hash(&mail).unwrap();
        assert!(!hash.is_empty());
        assert_eq!(hash.len(), 64); // SHA-256
    }

    #[tokio::test]
    async fn test_legalis_service_archive() {
        let config = LegalisConfig::default();
        let service = LegalisService::new(config).unwrap();

        let mail = create_test_mail();
        let hash = service.compute_hash(&mail).unwrap();
        let token = service.request_timestamp(&hash).await.unwrap();

        let record = service.archive(&mail, &token).await.unwrap();
        assert_eq!(record.message_id, mail.id().to_string());
        assert!(!record.content_hash.is_empty());
        assert!(record.compliance_tags.contains(&"gdpr".to_string()));
    }

    #[tokio::test]
    async fn test_legalis_service_legal_compliance_tag() {
        let config = LegalisConfig::default();
        let service = LegalisService::new(config).unwrap();

        let mut mail = create_test_mail();
        mail.set_attribute("header.Subject", "Legal contract review");

        let hash = service.compute_hash(&mail).unwrap();
        let token = service.request_timestamp(&hash).await.unwrap();
        let record = service.archive(&mail, &token).await.unwrap();

        assert!(record.compliance_tags.contains(&"legal".to_string()));
    }

    #[tokio::test]
    async fn test_legalis_service_financial_compliance_tag() {
        let config = LegalisConfig::default();
        let service = LegalisService::new(config).unwrap();

        let mut mail = create_test_mail();
        mail.set_attribute("header.Subject", "Invoice #12345");

        let hash = service.compute_hash(&mail).unwrap();
        let token = service.request_timestamp(&hash).await.unwrap();
        let record = service.archive(&mail, &token).await.unwrap();

        assert!(record.compliance_tags.contains(&"financial".to_string()));
    }

    #[tokio::test]
    async fn test_legalis_service_pii_compliance_tag() {
        let config = LegalisConfig::default();
        let service = LegalisService::new(config).unwrap();

        let mut mail = create_test_mail();
        mail.set_attribute("message.body", "SSN: 123-45-6789");

        let hash = service.compute_hash(&mail).unwrap();
        let token = service.request_timestamp(&hash).await.unwrap();
        let record = service.archive(&mail, &token).await.unwrap();

        assert!(record.compliance_tags.contains(&"pii".to_string()));
    }

    #[tokio::test]
    async fn test_legalis_mailet_init() {
        let mut mailet = LegalisMailet::new();
        let config = MailetConfig::new("Legalis");

        mailet.init(config).await.unwrap();
        assert_eq!(mailet.name(), "Legalis");
        assert!(mailet.service.is_some());
    }

    #[tokio::test]
    async fn test_legalis_mailet_init_with_config() {
        let mut mailet = LegalisMailet::new();
        let config = MailetConfig::new("Legalis")
            .with_param("tsa_url", "https://custom-tsa.com")
            .with_param("retention_days", "3650")
            .with_param("hash_algorithm", "SHA512");

        mailet.init(config).await.unwrap();
        assert_eq!(mailet.config.tsa_url, "https://custom-tsa.com");
        assert_eq!(mailet.config.retention_days, 3650);
        assert_eq!(mailet.config.hash_algorithm, HashAlgorithm::SHA512);
    }

    #[tokio::test]
    async fn test_legalis_mailet_service() {
        let mut mailet = LegalisMailet::new();
        let config = MailetConfig::new("Legalis");
        mailet.init(config).await.unwrap();

        let mut mail = create_test_mail();
        let result = mailet.service(&mut mail).await.unwrap();

        assert_eq!(result, MailetAction::Continue);
        assert!(mail.get_attribute("legalis.timestamp").is_some());
        assert!(mail.get_attribute("legalis.tsa").is_some());
        assert!(mail.get_attribute("legalis.token").is_some());
        assert!(mail.get_attribute("legalis.archive_id").is_some());
    }

    #[tokio::test]
    async fn test_legalis_mailet_disabled() {
        let mut mailet = LegalisMailet::new();
        let config = MailetConfig::new("Legalis").with_param("enabled", "false");
        mailet.init(config).await.unwrap();

        let mut mail = create_test_mail();
        let result = mailet.service(&mut mail).await.unwrap();

        assert_eq!(result, MailetAction::Continue);
        assert!(mail.get_attribute("legalis.timestamp").is_none());
    }

    #[tokio::test]
    async fn test_legalis_mailet_retention_period() {
        let mut mailet = LegalisMailet::new();
        let config = MailetConfig::new("Legalis").with_param("retention_days", "1825");
        mailet.init(config).await.unwrap();

        assert_eq!(mailet.config.retention_days, 1825);
    }

    #[tokio::test]
    async fn test_tsa_error_display() {
        let err = TsaError::ConnectionFailed("network error".to_string());
        assert!(err.to_string().contains("network error"));

        let err = TsaError::InvalidResponse("bad format".to_string());
        assert!(err.to_string().contains("bad format"));

        let err = TsaError::Timeout;
        assert!(err.to_string().contains("timeout"));
    }

    #[tokio::test]
    async fn test_storage_error_display() {
        let err = StorageError::WriteFailed("disk full".to_string());
        assert!(err.to_string().contains("disk full"));

        let err = StorageError::NotFound("msg-123".to_string());
        assert!(err.to_string().contains("msg-123"));
    }

    #[tokio::test]
    async fn test_legalis_error_conversion() {
        let tsa_err = TsaError::ConnectionFailed("test".to_string());
        let legalis_err: LegalisError = tsa_err.into();
        assert!(matches!(legalis_err, LegalisError::Tsa(_)));
    }

    #[tokio::test]
    async fn test_legal_hold_operations() {
        let config = LegalisConfig::default();
        let service = LegalisService::new(config).unwrap();

        // Test apply legal hold
        let result = service.apply_legal_hold("msg-123").await;
        assert!(result.is_ok());

        // Test remove legal hold
        let result = service.remove_legal_hold("msg-123").await;
        assert!(result.is_ok());
    }

    #[tokio::test]
    async fn test_timestamp_verification() {
        let config = LegalisConfig::default();
        let service = LegalisService::new(config).unwrap();

        let token = TimestampToken::new_mock("test_hash", HashAlgorithm::SHA256);

        assert!(service.verify_timestamp(&token, "test_hash"));
        assert!(!service.verify_timestamp(&token, "wrong_hash"));
    }

    #[tokio::test]
    async fn test_multiple_compliance_tags() {
        let config = LegalisConfig::default();
        let service = LegalisService::new(config).unwrap();

        let mut mail = create_test_mail();
        mail.set_attribute("header.Subject", "Legal Invoice - Payment Required");
        mail.set_attribute("message.body", "SSN: 123-45-6789");

        let hash = service.compute_hash(&mail).unwrap();
        let token = service.request_timestamp(&hash).await.unwrap();
        let record = service.archive(&mail, &token).await.unwrap();

        // Should have legal, financial, pii, and gdpr tags
        assert!(record.compliance_tags.contains(&"legal".to_string()));
        assert!(record.compliance_tags.contains(&"financial".to_string()));
        assert!(record.compliance_tags.contains(&"pii".to_string()));
        assert!(record.compliance_tags.contains(&"gdpr".to_string()));
    }

    #[tokio::test]
    async fn test_archive_record_empty_chain_verification() {
        let record = ArchiveRecord::new(
            "msg-123".to_string(),
            "token".to_string(),
            "hash123".to_string(),
            HashAlgorithm::SHA256,
            2555,
        );

        // Empty chain should fail verification
        assert!(!record.verify_chain());
    }

    #[tokio::test]
    async fn test_timestamp_token_invalid_verification() {
        let mut token = TimestampToken::new_mock("test_hash", HashAlgorithm::SHA256);

        // Empty message imprint should fail
        token.message_imprint = String::new();
        assert!(!token.verify());

        // Empty signature should fail
        token.message_imprint = "test".to_string();
        token.signature = String::new();
        assert!(!token.verify());
    }

    #[tokio::test]
    async fn test_hash_algorithm_consistency() {
        let data = b"test data for consistency";

        let hash1 = HashAlgorithm::SHA256.hash(data);
        let hash2 = HashAlgorithm::SHA256.hash(data);
        assert_eq!(hash1, hash2);

        let hash3 = HashAlgorithm::SHA512.hash(data);
        let hash4 = HashAlgorithm::SHA512.hash(data);
        assert_eq!(hash3, hash4);

        // Different algorithms should produce different hashes
        assert_ne!(hash1, hash3);
    }
}