hessra_token_authz/

mint.rs

extern crate biscuit_auth as biscuit;

use crate::verify::{biscuit_key_from_string, ServiceNode};

use biscuit::macros::{biscuit, check, rule};
use biscuit::BiscuitBuilder;
use chrono::Utc;
use hessra_token_core::{Biscuit, KeyPair, TokenTimeConfig};
use std::error::Error;
use tracing::info;

/// Builder for creating Hessra authorization tokens with flexible configuration.
///
/// Authorization tokens can be configured with the following capabilities:
/// - **Singleton Capability**: Simple authorization with subject, resource, and operation (default)
/// - **Latent Capability**: Broader authorization with latent_rights that must be activated
/// - **Service Chain**: Add service node attestations via `.service_chain(nodes)`
/// - **Multi-Party**: Add multi-party attestation requirements via `.multi_party(nodes)`
/// - **Domain Restriction**: Limit token to a specific domain via `.domain_restricted(domain)`
///
/// Service chain and multi-party capabilities can be combined in the same token
/// (though this is not currently validated or actively used).
///
/// ## Token Types
///
/// **Singleton Capability Token** (default): Grants a specific right to a specific subject for
/// a specific resource and operation. The token can be used immediately.
///
/// **Latent Capability Token**: Contains broad `latent_right(resource, operation)` permissions
/// but cannot be used directly. Must be activated by the holder of the bound activator key using
/// the `activate_latent_token` function. The same latent token can be activated multiple times
/// with different subjects and (resource, operation) pairs from the latent_rights set.
///
/// # Example - Singleton Token
/// ```rust
/// use hessra_token_authz::HessraAuthorization;
/// use hessra_token_core::{KeyPair, TokenTimeConfig};
///
/// let keypair = KeyPair::new();
///
/// // Singleton capability authorization with domain restriction
/// let token = HessraAuthorization::new(
///     "alice".to_string(),
///     "resource1".to_string(),
///     "read".to_string(),
///     TokenTimeConfig::default()
/// )
/// .domain_restricted("myapp.hessra.dev".to_string())
/// .issue(&keypair)
/// .expect("Failed to create token");
/// ```
///
/// # Example - Latent Token
/// ```rust
/// use hessra_token_authz::HessraAuthorization;
/// use hessra_token_core::{KeyPair, TokenTimeConfig};
///
/// let keypair = KeyPair::new();
/// let activator_keypair = KeyPair::new();
/// let activator_public_key = format!("ed25519/{}", hex::encode(activator_keypair.public().to_bytes()));
///
/// // Latent capability authorization
/// let latent_rights = vec![
///     ("resource1".to_string(), "read".to_string()),
///     ("resource2".to_string(), "write".to_string()),
/// ];
///
/// let token = HessraAuthorization::new_latent(
///     latent_rights,
///     activator_public_key,
///     TokenTimeConfig::default()
/// )
/// .issue(&keypair)
/// .expect("Failed to create latent token");
/// ```
pub struct HessraAuthorization {
    token_type: TokenType,
    // Singleton capability fields
    subject: Option<String>,
    resource: Option<String>,
    operation: Option<String>,
    // Latent capability fields
    latent_rights: Option<Vec<(String, String)>>,
    activator_public_key: Option<String>,
    // Common fields
    time_config: TokenTimeConfig,
    service_chain_nodes: Option<Vec<ServiceNode>>,
    multi_party_nodes: Option<Vec<ServiceNode>>,
    domain: Option<String>,
}

/// Token type for authorization tokens
#[derive(Debug, Clone, PartialEq)]
enum TokenType {
    Singleton,
    Latent,
}

impl HessraAuthorization {
    /// Creates a new singleton capability authorization token builder.
    ///
    /// Singleton tokens grant a specific right to a specific subject for a specific resource
    /// and operation. The token can be used immediately upon issuance.
    ///
    /// # Arguments
    /// * `subject` - The subject (user) identifier
    /// * `resource` - The resource identifier to grant access to
    /// * `operation` - The operation to grant access to
    /// * `time_config` - Time configuration for token validity
    pub fn new(
        subject: String,
        resource: String,
        operation: String,
        time_config: TokenTimeConfig,
    ) -> Self {
        Self {
            token_type: TokenType::Singleton,
            subject: Some(subject),
            resource: Some(resource),
            operation: Some(operation),
            latent_rights: None,
            activator_public_key: None,
            time_config,
            service_chain_nodes: None,
            multi_party_nodes: None,
            domain: None,
        }
    }

    /// Creates a new latent capability authorization token builder.
    ///
    /// Latent tokens contain broad `latent_right(resource, operation)` permissions but cannot
    /// be used directly. They must be activated by the holder of the bound activator key using
    /// the `activate_latent_token` function.
    ///
    /// The same latent token can be activated multiple times with different subjects and
    /// (resource, operation) pairs from the latent_rights set.
    ///
    /// # Arguments
    /// * `latent_rights` - Vector of (resource, operation) pairs that can be activated
    /// * `activator_public_key` - Public key of the activator (format: "ed25519/hexstring")
    /// * `time_config` - Time configuration for token validity
    ///
    /// # Example
    /// ```rust
    /// use hessra_token_authz::HessraAuthorization;
    /// use hessra_token_core::{KeyPair, TokenTimeConfig};
    ///
    /// let keypair = KeyPair::new();
    /// let activator_keypair = KeyPair::new();
    /// let activator_public_key = format!("ed25519/{}", hex::encode(activator_keypair.public().to_bytes()));
    ///
    /// let latent_rights = vec![
    ///     ("resource1".to_string(), "read".to_string()),
    ///     ("resource1".to_string(), "write".to_string()),
    ///     ("resource2".to_string(), "read".to_string()),
    /// ];
    ///
    /// let token = HessraAuthorization::new_latent(
    ///     latent_rights,
    ///     activator_public_key,
    ///     TokenTimeConfig::default()
    /// )
    /// .issue(&keypair)
    /// .expect("Failed to create latent token");
    /// ```
    pub fn new_latent(
        latent_rights: Vec<(String, String)>,
        activator_public_key: String,
        time_config: TokenTimeConfig,
    ) -> Self {
        Self {
            token_type: TokenType::Latent,
            subject: None,
            resource: None,
            operation: None,
            latent_rights: Some(latent_rights),
            activator_public_key: Some(activator_public_key),
            time_config,
            service_chain_nodes: None,
            multi_party_nodes: None,
            domain: None,
        }
    }

    /// Adds service chain attestation to the authorization token.
    ///
    /// Service chain tokens include attestations for each service node in the chain.
    /// The token grants access and includes trusting relationships for the specified nodes.
    ///
    /// Can be combined with `.multi_party()` to create a token with both capabilities
    /// (though this is not currently validated or actively used).
    ///
    /// # Arguments
    /// * `nodes` - Vector of service nodes that will attest to the token
    pub fn service_chain(mut self, nodes: Vec<ServiceNode>) -> Self {
        self.service_chain_nodes = Some(nodes);
        self
    }

    /// Adds multi-party attestation requirement to the authorization token.
    ///
    /// Multi-party tokens require attestation from all specified parties before becoming valid.
    /// The key difference from service chain is that the token is invalid until all parties
    /// have provided their attestations.
    ///
    /// Can be combined with `.service_chain()` to create a token with both capabilities
    /// (though this is not currently validated or actively used).
    ///
    /// # Arguments
    /// * `nodes` - Vector of multi-party nodes that must attest to the token
    pub fn multi_party(mut self, nodes: Vec<ServiceNode>) -> Self {
        self.multi_party_nodes = Some(nodes);
        self
    }

    /// Restricts the authorization to a specific domain.
    ///
    /// Adds a domain restriction check to the authority block:
    /// - `check if domain({domain})`
    ///
    /// This ensures the token can only be used within the specified domain.
    ///
    /// # Arguments
    /// * `domain` - The domain to restrict to (e.g., "myapp.hessra.dev")
    pub fn domain_restricted(mut self, domain: String) -> Self {
        self.domain = Some(domain);
        self
    }

    /// Issues (builds and signs) the authorization token.
    ///
    /// This method builds and signs either a singleton or latent capability token based on
    /// how the builder was constructed.
    ///
    /// # Arguments
    /// * `keypair` - The keypair to sign the token with
    ///
    /// # Returns
    /// Base64-encoded biscuit token
    pub fn issue(self, keypair: &KeyPair) -> Result<String, Box<dyn Error>> {
        let start_time = self
            .time_config
            .start_time
            .unwrap_or_else(|| Utc::now().timestamp());
        let expiration = start_time + self.time_config.duration;

        let domain = self.domain;

        // Build the appropriate biscuit based on token type
        let mut biscuit_builder = match self.token_type {
            TokenType::Singleton => {
                // Extract fields for singleton token
                let subject = self.subject.ok_or("Singleton token requires subject")?;
                let resource = self.resource.ok_or("Singleton token requires resource")?;
                let operation = self.operation.ok_or("Singleton token requires operation")?;

                // Build singleton authority block
                biscuit!(
                    r#"
                        right({subject}, {resource}, {operation});
                        check if subject($sub), resource($res), operation($op), right($sub, $res, $op);
                        check if time($time), $time < {expiration};
                    "#
                )
            }
            TokenType::Latent => {
                // Extract fields for latent token
                let latent_rights = self
                    .latent_rights
                    .ok_or("Latent token requires latent_rights")?;
                let activator_public_key_str = self
                    .activator_public_key
                    .ok_or("Latent token requires activator_public_key")?;
                let activator_public_key = biscuit_key_from_string(activator_public_key_str)?;

                // Start with empty builder
                let mut builder = BiscuitBuilder::new();

                // Add latent_right facts for each (resource, operation) pair
                for (resource, operation) in latent_rights.clone() {
                    builder = builder.fact(biscuit::macros::fact!(
                        r#"latent_right({resource}, {operation})"#
                    ))?;
                }

                // Add the rule that derives right from delegate and latent_right
                builder = builder.rule(rule!(
                    r#"
                        right($subject, $resource, $operation) <-
                            delegate($subject),
                            right($resource, $operation),
                            latent_right($resource, $operation)
                            trusting {activator_public_key};
                    "#
                ))?;

                // Add check that the derived right is valid (trusting activator)
                builder = builder.check(check!(
                    r#"
                        check if subject($sub), resource($res), operation($op),
                                  right($sub, $res, $op)
                                  trusting {activator_public_key};
                    "#
                ))?;

                // Add check that resource and operation are in latent_rights
                builder = builder.check(check!(
                    r#"
                        check if resource($res), operation($op), latent_right($res, $op);
                    "#
                ))?;

                // Add time check
                builder = builder.check(check!(
                    r#"
                        check if time($time), $time < {expiration};
                    "#
                ))?;

                builder
            }
        };

        // Add domain restriction if specified (works for both token types)
        if let Some(domain) = domain {
            biscuit_builder = biscuit_builder.check(check!(
                r#"
                    check if domain({domain});
                "#
            ))?;
        }

        // Add service chain rules if specified (works for both token types)
        if let Some(nodes) = self.service_chain_nodes {
            for node in nodes {
                let component = node.component;
                let public_key = biscuit_key_from_string(node.public_key)?;
                biscuit_builder = biscuit_builder.rule(rule!(
                    r#"
                        node($s, {component}) <- service($s) trusting {public_key};
                    "#
                ))?;
            }
        }

        // Add multi-party checks if specified (works for both token types)
        if let Some(nodes) = self.multi_party_nodes {
            for node in nodes {
                let component = node.component;
                let public_key = biscuit_key_from_string(node.public_key)?;
                biscuit_builder = biscuit_builder.check(check!(
                    r#"
                        check if namespace({component}) trusting {public_key};
                    "#
                ))?;
            }
        }

        // Build and sign the biscuit
        let biscuit = biscuit_builder.build(keypair)?;
        info!("biscuit (authority): {}", biscuit);
        let token = biscuit.to_base64()?;
        Ok(token)
    }
}

/// Creates a base biscuit builder with default time configuration.
///
/// This is a private helper function that creates a biscuit builder with the default
/// time configuration (5 minutes duration from current time).
///
/// # Arguments
///
/// * `subject` - The subject (user) identifier
/// * `resource` - The resource identifier
/// * `operation` - The operation to be granted
///
/// # Returns
///
/// * `Ok(BiscuitBuilder)` - The configured biscuit builder if successful
/// * `Err(Box<dyn Error>)` - If builder creation fails
fn _create_base_biscuit_builder(
    subject: String,
    resource: String,
    operation: String,
) -> Result<BiscuitBuilder, Box<dyn Error>> {
    create_base_biscuit_builder_with_time(subject, resource, operation, TokenTimeConfig::default())
}

/// Creates a base biscuit builder with custom time configuration.
///
/// This is a private helper function that creates a biscuit builder with custom
/// time settings for token validity period.
///
/// # Arguments
///
/// * `subject` - The subject (user) identifier
/// * `resource` - The resource identifier
/// * `operation` - The operation to be granted
/// * `time_config` - Time configuration for token validity
///
/// # Returns
///
/// * `Ok(BiscuitBuilder)` - The configured biscuit builder if successful
/// * `Err(Box<dyn Error>)` - If builder creation fails
fn create_base_biscuit_builder_with_time(
    subject: String,
    resource: String,
    operation: String,
    time_config: TokenTimeConfig,
) -> Result<BiscuitBuilder, Box<dyn Error>> {
    let start_time = time_config
        .start_time
        .unwrap_or_else(|| Utc::now().timestamp());
    let expiration = start_time + time_config.duration;

    let biscuit_builder = biscuit!(
        r#"
            right({subject}, {resource}, {operation});
            check if subject($sub), resource($res), operation($op), right($sub, $res, $op);
            check if time($time), $time < {expiration};
        "#
    );

    Ok(biscuit_builder)
}

/// Creates a biscuit (not serialized, not base64 encoded) with custom time
/// configuration.
///
/// This function creates a raw Biscuit object that can be further processed
/// or converted to different formats. It grants the specified operation on
/// the resource for the given subject.
///
/// # Arguments
///
/// * `subject` - The subject (user) identifier
/// * `resource` - The resource identifier to grant access to
/// * `operation` - The operation to grant access to
/// * `key` - The key pair used to sign the token
/// * `time_config` - Time configuration for token validity
///
/// # Returns
///
/// * `Ok(Biscuit)` - The raw biscuit if successful
/// * `Err(Box<dyn Error>)` - If token creation fails
pub fn create_raw_biscuit(
    subject: String,
    resource: String,
    operation: String,
    key: KeyPair,
    time_config: TokenTimeConfig,
) -> Result<Biscuit, Box<dyn Error>> {
    let biscuit = create_base_biscuit_builder_with_time(subject, resource, operation, time_config)?
        .build(&key)?;

    info!("biscuit (authority): {}", biscuit);

    Ok(biscuit)
}

/// Creates a new biscuit token with the specified subject and resource.
///
/// This function creates a token that grants read and write access to the specified resource
/// for the given subject. The token will be valid for 5 minutes by default.
///
/// # Arguments
///
/// * `subject` - The subject (user) identifier
/// * `resource` - The resource identifier to grant access to
/// * `operation` - The operation to grant access to
/// * `key` - The key pair used to sign the token
/// * `time_config` - Optional time configuration for token validity
///
/// # Returns
///
/// * `Ok(Vec<u8>)` - The binary token data if successful
/// * `Err(Box<dyn Error>)` - If token creation fails
pub fn create_biscuit(
    subject: String,
    resource: String,
    operation: String,
    key: KeyPair,
    time_config: TokenTimeConfig,
) -> Result<Vec<u8>, Box<dyn Error>> {
    let biscuit = create_raw_biscuit(subject, resource, operation, key, time_config)?;
    let token = biscuit.to_vec()?;
    Ok(token)
}

/// Creates a base64-encoded biscuit token with custom time configuration.
///
/// This is a private helper function that creates a biscuit token and returns
/// it as a base64-encoded string for easy transmission and storage.
///
/// # Arguments
///
/// * `subject` - The subject (user) identifier
/// * `resource` - The resource identifier to grant access to
/// * `operation` - The operation to grant access to
/// * `key` - The key pair used to sign the token
/// * `time_config` - Time configuration for token validity
///
/// # Returns
///
/// * `Ok(String)` - The base64-encoded token if successful
/// * `Err(Box<dyn Error>)` - If token creation fails
fn create_base64_biscuit(
    subject: String,
    resource: String,
    operation: String,
    key: KeyPair,
    time_config: TokenTimeConfig,
) -> Result<String, Box<dyn Error>> {
    let biscuit = create_raw_biscuit(subject, resource, operation, key, time_config)?;
    let token = biscuit.to_base64()?;
    Ok(token)
}

/// Creates a biscuit token with default time configuration.
///
/// This function creates a base64-encoded token string that grants the specified
/// operation on the resource for the given subject. The token will be valid for
/// 5 minutes by default.
///
/// # Arguments
///
/// * `subject` - The subject (user) identifier
/// * `resource` - The resource identifier to grant access to
/// * `operation` - The operation to grant access to
/// * `key` - The key pair used to sign the token
///
/// # Returns
///
/// * `Ok(String)` - The base64-encoded token if successful
/// * `Err(Box<dyn Error>)` - If token creation fails
pub fn create_token(
    subject: String,
    resource: String,
    operation: String,
    key: KeyPair,
) -> Result<String, Box<dyn Error>> {
    create_base64_biscuit(
        subject,
        resource,
        operation,
        key,
        TokenTimeConfig::default(),
    )
}

/// Creates a biscuit token with custom time configuration.
///
/// This function creates a base64-encoded token string that grants the specified
/// operation on the resource for the given subject with custom time settings.
///
/// # Arguments
///
/// * `subject` - The subject (user) identifier
/// * `resource` - The resource identifier to grant access to
/// * `operation` - The operation to grant access to
/// * `key` - The key pair used to sign the token
/// * `time_config` - Time configuration for token validity
///
/// # Returns
///
/// * `Ok(String)` - The base64-encoded token if successful
/// * `Err(Box<dyn Error>)` - If token creation fails
pub fn create_token_with_time(
    subject: String,
    resource: String,
    operation: String,
    key: KeyPair,
    time_config: TokenTimeConfig,
) -> Result<String, Box<dyn Error>> {
    create_base64_biscuit(subject, resource, operation, key, time_config)
}

/// Creates a new biscuit token with service chain attestations.
/// Creates a new biscuit token with service chain attestations.
///
/// This function creates a token that grants access to the specified resource for the given subject,
/// and includes attestations for each service node in the chain. The token will be valid for 5 minutes by default.
///
/// # Arguments
///
/// * `subject` - The subject (user) identifier
/// * `resource` - The resource identifier to grant access to
/// * `operation` - The operation to grant access to
/// * `key` - The key pair used to sign the token
/// * `nodes` - Vector of service nodes that will attest to the token
///
/// # Returns
///
/// * `Ok(Vec<u8>)` - The binary token data if successful
/// * `Err(Box<dyn Error>)` - If token creation fails
pub fn create_service_chain_biscuit(
    subject: String,
    resource: String,
    operation: String,
    key: KeyPair,
    nodes: &Vec<ServiceNode>,
    time_config: TokenTimeConfig,
) -> Result<Vec<u8>, Box<dyn Error>> {
    let biscuit =
        create_raw_service_chain_biscuit(subject, resource, operation, key, nodes, time_config)?;
    let token = biscuit.to_vec()?;
    Ok(token)
}

/// Creates a base64-encoded service chain biscuit token.
///
/// This is a private helper function that creates a service chain biscuit token
/// and returns it as a base64-encoded string for easy transmission and storage.
///
/// # Arguments
///
/// * `subject` - The subject (user) identifier
/// * `resource` - The resource identifier to grant access to
/// * `operation` - The operation to grant access to
/// * `key` - The key pair used to sign the token
/// * `nodes` - Vector of service nodes that will attest to the token
/// * `time_config` - Time configuration for token validity
///
/// # Returns
///
/// * `Ok(String)` - The base64-encoded token if successful
/// * `Err(Box<dyn Error>)` - If token creation fails
fn create_base64_service_chain_biscuit(
    subject: String,
    resource: String,
    operation: String,
    key: KeyPair,
    nodes: &Vec<ServiceNode>,
    time_config: TokenTimeConfig,
) -> Result<String, Box<dyn Error>> {
    let biscuit =
        create_raw_service_chain_biscuit(subject, resource, operation, key, nodes, time_config)?;
    let token = biscuit.to_base64()?;
    Ok(token)
}

/// Creates a raw service chain biscuit token.
///
/// This function creates a raw Biscuit object with service chain attestations
/// that can be further processed or converted to different formats. It delegates
/// to the time-aware version with the provided configuration.
///
/// # Arguments
///
/// * `subject` - The subject (user) identifier
/// * `resource` - The resource identifier to grant access to
/// * `operation` - The operation to grant access to
/// * `key` - The key pair used to sign the token
/// * `nodes` - Vector of service nodes that will attest to the token
/// * `time_config` - Time configuration for token validity
///
/// # Returns
///
/// * `Ok(Biscuit)` - The raw biscuit if successful
/// * `Err(Box<dyn Error>)` - If token creation fails
pub fn create_raw_service_chain_biscuit(
    subject: String,
    resource: String,
    operation: String,
    key: KeyPair,
    nodes: &Vec<ServiceNode>,
    time_config: TokenTimeConfig,
) -> Result<Biscuit, Box<dyn Error>> {
    create_service_chain_biscuit_with_time(subject, resource, operation, key, nodes, time_config)
}

/// Creates a service chain biscuit token with default time configuration.
///
/// This function creates a base64-encoded service chain token string that grants
/// the specified operation on the resource for the given subject. The token will
/// be valid for 5 minutes by default and includes attestations for each service
/// node in the chain.
///
/// # Arguments
///
/// * `subject` - The subject (user) identifier
/// * `resource` - The resource identifier to grant access to
/// * `operation` - The operation to grant access to
/// * `key` - The key pair used to sign the token
/// * `nodes` - Vector of service nodes that will attest to the token
///
/// # Returns
///
/// * `Ok(String)` - The base64-encoded token if successful
/// * `Err(Box<dyn Error>)` - If token creation fails
pub fn create_service_chain_token(
    subject: String,
    resource: String,
    operation: String,
    key: KeyPair,
    nodes: &Vec<ServiceNode>,
) -> Result<String, Box<dyn Error>> {
    create_base64_service_chain_biscuit(
        subject,
        resource,
        operation,
        key,
        nodes,
        TokenTimeConfig::default(),
    )
}

/// Creates a new biscuit token with service chain attestations and custom time settings.
///
/// This function creates a token that grants access to the specified resource for the given subject,
/// includes attestations for each service node in the chain, and allows custom time configuration.
///
/// # Arguments
///
/// * `subject` - The subject (user) identifier
/// * `resource` - The resource identifier to grant access to
/// * `operation` - The operation to grant access to
/// * `key` - The key pair used to sign the token
/// * `nodes` - Vector of service nodes that will attest to the token
/// * `time_config` - Time configuration for token validity
///
/// # Returns
///
/// * `Ok(Vec<u8>)` - The binary token data if successful
/// * `Err(Box<dyn Error>)` - If token creation fails
pub fn create_service_chain_biscuit_with_time(
    subject: String,
    resource: String,
    operation: String,
    key: KeyPair,
    nodes: &Vec<ServiceNode>,
    time_config: TokenTimeConfig,
) -> Result<Biscuit, Box<dyn Error>> {
    let service = resource.clone();
    let mut biscuit_builder =
        create_base_biscuit_builder_with_time(subject, service, operation, time_config)?;

    // Add each node in the service chain to the biscuit builder
    for node in nodes {
        let component = node.component.clone();
        let public_key = biscuit_key_from_string(node.public_key.clone())?;
        biscuit_builder = biscuit_builder.rule(rule!(
            r#"
                node($s, {component}) <- service($s) trusting {public_key};
            "#
        ))?;
    }

    let biscuit = biscuit_builder.build(&key)?;

    info!("biscuit (authority): {}", biscuit);

    Ok(biscuit)
}

/// Creates a service chain biscuit token with custom time configuration.
///
/// This function creates a base64-encoded service chain token string that grants
/// the specified operation on the resource for the given subject with custom time
/// settings. The token includes attestations for each service node in the chain.
///
/// # Arguments
///
/// * `subject` - The subject (user) identifier
/// * `resource` - The resource identifier to grant access to
/// * `operation` - The operation to grant access to
/// * `key` - The key pair used to sign the token
/// * `nodes` - Vector of service nodes that will attest to the token
/// * `time_config` - Time configuration for token validity
///
/// # Returns
///
/// * `Ok(String)` - The base64-encoded token if successful
/// * `Err(Box<dyn Error>)` - If token creation fails
pub fn create_service_chain_token_with_time(
    subject: String,
    resource: String,
    operation: String,
    key: KeyPair,
    nodes: &Vec<ServiceNode>,
    time_config: TokenTimeConfig,
) -> Result<String, Box<dyn Error>> {
    let biscuit = create_service_chain_biscuit_with_time(
        subject,
        resource,
        operation,
        key,
        nodes,
        time_config,
    )?;
    let token = biscuit.to_base64()?;
    Ok(token)
}

/// Creates a new biscuit token with multi-party attestations.
///
/// This function creates a token that grants access to the specified resource for the given subject,
/// includes attestations for each multi-party node in the chain, and allows custom time configuration.
///
/// The key difference between a multi-party biscuit and a service chain biscuit is that a multi-party
/// biscuit is not valid until it has been attested by all the parties.
///
/// # Arguments
///
/// * `subject` - The subject (user) identifier
/// * `resource` - The resource identifier to grant access to
/// * `operation` - The operation to grant access to
/// * `key` - The key pair used to sign the token
/// * `multi_party_nodes` - Vector of multi-party nodes that will attest to the token
pub fn create_raw_multi_party_biscuit(
    subject: String,
    resource: String,
    operation: String,
    key: KeyPair,
    multi_party_nodes: &Vec<ServiceNode>,
) -> Result<Biscuit, Box<dyn Error>> {
    create_multi_party_biscuit_with_time(
        subject,
        resource,
        operation,
        key,
        multi_party_nodes,
        TokenTimeConfig::default(),
    )
}

/// Creates a new biscuit token with multi-party attestations.
///
/// This function creates a token that grants access to the specified resource for the given subject,
/// includes attestations for each multi-party node in the chain. The token will be valid for 5 minutes by default.
///
/// The key difference between a multi-party biscuit and a service chain biscuit is that a multi-party
/// biscuit is not valid until it has been attested by all the parties.
///
/// # Arguments
///
/// * `subject` - The subject (user) identifier
/// * `resource` - The resource identifier to grant access to
/// * `operation` - The operation to grant access to
/// * `key` - The key pair used to sign the token
/// * `multi_party_nodes` - Vector of multi-party nodes that will attest to the token
///
/// # Returns
///
/// * `Ok(Vec<u8>)` - The binary token data if successful
/// * `Err(Box<dyn Error>)` - If token creation fails
pub fn create_multi_party_biscuit(
    subject: String,
    resource: String,
    operation: String,
    key: KeyPair,
    multi_party_nodes: &Vec<ServiceNode>,
) -> Result<Vec<u8>, Box<dyn Error>> {
    let biscuit =
        create_raw_multi_party_biscuit(subject, resource, operation, key, multi_party_nodes)?;
    let token = biscuit.to_vec()?;
    Ok(token)
}

/// Creates a base64-encoded multi-party biscuit token.
///
/// This is a private helper function that creates a multi-party biscuit token
/// and returns it as a base64-encoded string for easy transmission and storage.
/// Multi-party tokens require attestation from all specified nodes before they
/// become valid.
///
/// # Arguments
///
/// * `subject` - The subject (user) identifier
/// * `resource` - The resource identifier to grant access to
/// * `operation` - The operation to grant access to
/// * `key` - The key pair used to sign the token
/// * `multi_party_nodes` - Vector of multi-party nodes that must attest to the token
/// * `time_config` - Time configuration for token validity
///
/// # Returns
///
/// * `Ok(String)` - The base64-encoded token if successful
/// * `Err(Box<dyn Error>)` - If token creation fails
fn create_base64_multi_party_biscuit(
    subject: String,
    resource: String,
    operation: String,
    key: KeyPair,
    multi_party_nodes: &Vec<ServiceNode>,
    time_config: TokenTimeConfig,
) -> Result<String, Box<dyn Error>> {
    let biscuit = create_multi_party_biscuit_with_time(
        subject,
        resource,
        operation,
        key,
        multi_party_nodes,
        time_config,
    )?;
    let token = biscuit.to_base64()?;
    Ok(token)
}

/// Creates a new multi-party biscuit token with default time configuration.
///
/// This function creates a token that grants access to the specified resource for the given subject,
/// includes attestations for each multi-party node, and uses the default time configuration (5 minutes).
///
/// The key difference between a multi-party biscuit and a service chain biscuit is that a multi-party
/// biscuit is not valid until it has been attested by all the parties.
///
/// # Arguments
///
/// * `subject` - The subject (user) identifier
/// * `resource` - The resource identifier to grant access to
/// * `operation` - The operation to grant access to
/// * `key` - The key pair used to sign the token
/// * `multi_party_nodes` - Vector of multi-party nodes that will attest to the token
///
/// # Returns
///
/// * `Ok(String)` - The base64-encoded token if successful
/// * `Err(Box<dyn Error>)` - If token creation fails
pub fn create_multi_party_token(
    subject: String,
    resource: String,
    operation: String,
    key: KeyPair,
    multi_party_nodes: &Vec<ServiceNode>,
) -> Result<String, Box<dyn Error>> {
    create_base64_multi_party_biscuit(
        subject,
        resource,
        operation,
        key,
        multi_party_nodes,
        TokenTimeConfig::default(),
    )
}

/// Creates a new biscuit token with multi-party attestations and custom time settings.
///
/// This function creates a token that grants access to the specified resource for the given subject,
/// includes attestations for each multi-party node in the chain, and allows custom time configuration.
///
/// The key difference between a multi-party biscuit and a service chain biscuit is that a multi-party
/// biscuit is not valid until it has been attested by all the parties.
///
/// # Arguments
///
/// * `subject` - The subject (user) identifier
/// * `resource` - The resource identifier to grant access to
/// * `operation` - The operation to grant access to
/// * `key` - The key pair used to sign the token
/// * `multi_party_nodes` - Vector of multi-party nodes that will attest to the token
/// * `time_config` - Time configuration for token validity
///
/// # Returns
///
/// * `Ok(Biscuit)` - The raw biscuit if successful
/// * `Err(Box<dyn Error>)` - If token creation fails
pub fn create_multi_party_biscuit_with_time(
    subject: String,
    resource: String,
    operation: String,
    key: KeyPair,
    multi_party_nodes: &Vec<ServiceNode>,
    time_config: TokenTimeConfig,
) -> Result<Biscuit, Box<dyn Error>> {
    let mut biscuit_builder =
        create_base_biscuit_builder_with_time(subject, resource, operation, time_config)?;

    for node in multi_party_nodes {
        let component = node.component.clone();
        let public_key = biscuit_key_from_string(node.public_key.clone())?;
        biscuit_builder = biscuit_builder.check(check!(
            r#"
                check if namespace({component}) trusting {public_key};
            "#
        ))?;
    }

    let biscuit = biscuit_builder.build(&key)?;

    info!("biscuit (authority): {}", biscuit);

    Ok(biscuit)
}

pub fn create_multi_party_token_with_time(
    subject: String,
    resource: String,
    operation: String,
    key: KeyPair,
    multi_party_nodes: &Vec<ServiceNode>,
    time_config: TokenTimeConfig,
) -> Result<String, Box<dyn Error>> {
    let biscuit = create_multi_party_biscuit_with_time(
        subject,
        resource,
        operation,
        key,
        multi_party_nodes,
        time_config,
    )?;
    let token = biscuit.to_base64()?;
    Ok(token)
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::attenuate::{activate_latent_token, activate_latent_token_from_string};
    use crate::verify::{verify_biscuit_local, verify_service_chain_biscuit_local};
    use biscuit::macros::block;
    use biscuit::Biscuit;
    #[test]
    fn test_create_biscuit() {
        let subject = "test@test.com".to_owned();
        let resource: String = "res1".to_string();
        let operation = "read".to_string();
        let root = KeyPair::new();
        let public_key = root.public();
        let token = create_biscuit(
            subject.clone(),
            resource.clone(),
            operation.clone(),
            root,
            TokenTimeConfig::default(),
        )
        .unwrap();

        let res = verify_biscuit_local(token, public_key, subject, resource, operation);
        assert!(res.is_ok());
    }

    #[test]
    fn test_biscuit_operations() {
        let subject = "test@test.com".to_owned();
        let resource = "res1".to_string();
        let operation = "read".to_string();
        let root = KeyPair::new();
        let public_key = root.public();

        // Test read operation
        let read_token = create_biscuit(
            subject.clone(),
            resource.clone(),
            operation.clone(),
            root,
            TokenTimeConfig::default(),
        )
        .unwrap();

        let res = verify_biscuit_local(
            read_token.clone(),
            public_key,
            subject.clone(),
            resource.clone(),
            operation.clone(),
        );
        assert!(res.is_ok());

        let root = KeyPair::new();
        let public_key = root.public();

        // Test write operation
        let write_token = create_biscuit(
            subject.clone(),
            resource.clone(),
            "write".to_string(),
            root,
            TokenTimeConfig::default(),
        )
        .unwrap();

        let res = verify_biscuit_local(
            write_token.clone(),
            public_key,
            subject.clone(),
            resource.clone(),
            "write".to_string(),
        );
        assert!(res.is_ok());

        // Test that read token cannot be used for write
        let res = verify_biscuit_local(
            read_token,
            public_key,
            subject.clone(),
            resource.clone(),
            "write".to_string(),
        );
        assert!(res.is_err());

        // Test that write token cannot be used for read
        let res = verify_biscuit_local(
            write_token,
            public_key,
            subject.clone(),
            resource.clone(),
            "read".to_string(),
        );
        assert!(res.is_err());
    }

    #[test]
    fn test_biscuit_expiration() {
        let subject = "test@test.com".to_owned();
        let resource = "res1".to_string();
        let operation = "read".to_string();
        let root = KeyPair::new();
        let public_key = root.public();
        // Create a biscuit with a 5 minute expiration from now
        let token = create_biscuit(
            subject.clone(),
            resource.clone(),
            operation.clone(),
            root,
            TokenTimeConfig::default(),
        )
        .unwrap();

        let res = verify_biscuit_local(
            token.clone(),
            public_key,
            subject.clone(),
            resource.clone(),
            operation.clone(),
        );
        assert!(res.is_ok());

        // Create a biscuit with a start time over 5 minutes ago
        let root = KeyPair::new();
        let token = create_biscuit(
            subject.clone(),
            resource.clone(),
            operation.clone(),
            root,
            TokenTimeConfig {
                start_time: Some(Utc::now().timestamp() - 301),
                duration: 300,
            },
        )
        .unwrap();
        let res = verify_biscuit_local(token, public_key, subject, resource, operation);
        assert!(res.is_err());
    }

    #[test]
    fn test_custom_token_time_config() {
        let subject = "test@test.com".to_owned();
        let resource = "res1".to_string();
        let operation = "read".to_string();
        let root = KeyPair::new();
        let public_key = root.public();

        // Create token with custom start time (1 hour in the past) and longer duration (1 hour)
        let past_time = Utc::now().timestamp() - 3600;
        let time_config = TokenTimeConfig {
            start_time: Some(past_time),
            duration: 7200, // 2 hours
        };

        let token = create_biscuit(
            subject.clone(),
            resource.clone(),
            operation.clone(),
            root,
            time_config,
        )
        .unwrap();

        // Token should be valid at a time between start and expiration
        let res = verify_biscuit_local(
            token.clone(),
            public_key,
            subject.clone(),
            resource.clone(),
            operation.clone(),
        );
        assert!(res.is_ok());
    }

    #[test]
    fn test_service_chain_biscuit() {
        let subject = "test@test.com".to_owned();
        let resource = "res1".to_string();
        let operation = "read".to_string();
        let root = KeyPair::new();
        let public_key = root.public();
        let chain_key = KeyPair::new();
        let chain_public_key = hex::encode(chain_key.public().to_bytes());
        let chain_public_key = format!("ed25519/{}", chain_public_key);
        let chain_node = ServiceNode {
            component: "edge_function".to_string(),
            public_key: chain_public_key.clone(),
        };
        let nodes = vec![chain_node];
        let token = create_service_chain_biscuit(
            subject.clone(),
            resource.clone(),
            operation.clone(),
            root,
            &nodes,
            TokenTimeConfig::default(),
        );
        if let Err(e) = &token {
            println!("Error: {}", e);
        }
        assert!(token.is_ok());
        let token = token.unwrap();
        let res = verify_biscuit_local(
            token.clone(),
            public_key,
            subject.clone(),
            resource.clone(),
            operation.clone(),
        );
        assert!(res.is_ok());
        let biscuit = Biscuit::from(&token, public_key).unwrap();
        let third_party_request = biscuit.third_party_request().unwrap();
        let third_party_block = block!(
            r#"
            service("res1");
            "#
        );
        let third_party_block = third_party_request
            .create_block(&chain_key.private(), third_party_block)
            .unwrap();
        let attested_biscuit = biscuit
            .append_third_party(chain_key.public(), third_party_block)
            .unwrap();
        let attested_token = attested_biscuit.to_vec().unwrap();
        let res = verify_service_chain_biscuit_local(
            attested_token,
            public_key,
            subject.clone(),
            resource.clone(),
            operation.clone(),
            nodes,
            None,
        );
        assert!(res.is_ok());
    }

    #[test]
    fn test_service_chain_biscuit_with_component_name() {
        let subject = "test@test.com".to_owned();
        let resource = "res1".to_string();
        let root = KeyPair::new();
        let public_key = root.public();

        // Create two chain nodes
        let chain_key1 = KeyPair::new();
        let chain_public_key1 = hex::encode(chain_key1.public().to_bytes());
        let chain_public_key1 = format!("ed25519/{}", chain_public_key1);
        let chain_node1 = ServiceNode {
            component: "edge_function".to_string(),
            public_key: chain_public_key1.clone(),
        };

        let chain_key2 = KeyPair::new();
        let chain_public_key2 = hex::encode(chain_key2.public().to_bytes());
        let chain_public_key2 = format!("ed25519/{}", chain_public_key2);
        let chain_node2 = ServiceNode {
            component: "middleware".to_string(),
            public_key: chain_public_key2.clone(),
        };

        let nodes = vec![chain_node1.clone(), chain_node2.clone()];

        // Create the initial token using the first node
        let token = create_service_chain_biscuit(
            subject.clone(),
            resource.clone(),
            "read".to_string(),
            root,
            &nodes,
            TokenTimeConfig::default(),
        );
        assert!(token.is_ok());
        let token = token.unwrap();

        // Create the biscuit and add third-party blocks
        let biscuit = Biscuit::from(&token, public_key).unwrap();
        let third_party_request = biscuit.third_party_request().unwrap();
        let third_party_block = block!(
            r#"
                service("res1");
            "#
        );
        let third_party_block = third_party_request
            .create_block(&chain_key1.private(), third_party_block)
            .unwrap();
        let attested_biscuit = biscuit
            .append_third_party(chain_key1.public(), third_party_block)
            .unwrap();
        let attested_token = attested_biscuit.to_vec().unwrap();

        // Test with the "edge_function" component name - should pass
        // the first node in the service chain checking itself is valid
        // since it is checking the base biscuit
        let res = verify_service_chain_biscuit_local(
            attested_token.clone(),
            public_key,
            subject.clone(),
            resource.clone(),
            "read".to_string(),
            nodes.clone(),
            Some("edge_function".to_string()),
        );
        // This should fail - since we're not verifying any nodes when checking up to but not including "edge_function"
        assert!(res.is_ok());

        // Create a chain with two nodes
        let nodes = vec![chain_node1.clone(), chain_node2.clone()];

        // Test with "middleware" component - should succeed verifying node1 only
        let res = verify_service_chain_biscuit_local(
            attested_token.clone(),
            public_key,
            subject.clone(),
            resource.clone(),
            "read".to_string(),
            nodes.clone(),
            Some("middleware".to_string()),
        );
        assert!(res.is_ok());
    }

    #[test]
    fn test_service_chain_biscuit_with_nonexistent_component() {
        let subject = "test@test.com".to_owned();
        let resource = "res1".to_string();
        let root = KeyPair::new();
        let public_key = root.public();
        let chain_key = KeyPair::new();
        let chain_public_key = hex::encode(chain_key.public().to_bytes());
        let chain_public_key = format!("ed25519/{}", chain_public_key);
        let chain_node = ServiceNode {
            component: "edge_function".to_string(),
            public_key: chain_public_key.clone(),
        };
        let nodes = vec![chain_node];
        let token = create_service_chain_biscuit(
            subject.clone(),
            resource.clone(),
            "read".to_string(),
            root,
            &nodes,
            TokenTimeConfig::default(),
        );
        assert!(token.is_ok());
        let token = token.unwrap();

        let biscuit = Biscuit::from(&token, public_key).unwrap();
        let third_party_request = biscuit.third_party_request().unwrap();
        let third_party_block = block!(
            r#"
            service("res1");
            "#
        );
        let third_party_block = third_party_request
            .create_block(&chain_key.private(), third_party_block)
            .unwrap();
        let attested_biscuit = biscuit
            .append_third_party(chain_key.public(), third_party_block)
            .unwrap();
        let attested_token = attested_biscuit.to_vec().unwrap();

        // Test with a component name that doesn't exist in the chain
        let res = verify_service_chain_biscuit_local(
            attested_token,
            public_key,
            subject.clone(),
            resource.clone(),
            "read".to_string(),
            nodes.clone(),
            Some("nonexistent_component".to_string()),
        );
        assert!(res.is_err());

        // Verify the error message contains the component name
        let err = res.unwrap_err().to_string();
        assert!(err.contains("nonexistent_component"));
    }

    #[test]
    fn test_service_chain_biscuit_with_multiple_nodes() {
        let subject = "test@test.com".to_owned();
        let resource = "res1".to_string();
        let root = KeyPair::new();
        let public_key = root.public();

        // Create three chain nodes
        let chain_key1 = KeyPair::new();
        let chain_public_key1 = hex::encode(chain_key1.public().to_bytes());
        let chain_public_key1 = format!("ed25519/{}", chain_public_key1);
        let chain_node1 = ServiceNode {
            component: "edge_function".to_string(),
            public_key: chain_public_key1.clone(),
        };

        let chain_key2 = KeyPair::new();
        let chain_public_key2 = hex::encode(chain_key2.public().to_bytes());
        let chain_public_key2 = format!("ed25519/{}", chain_public_key2);
        let chain_node2 = ServiceNode {
            component: "middleware".to_string(),
            public_key: chain_public_key2.clone(),
        };

        let chain_key3 = KeyPair::new();
        let chain_public_key3 = hex::encode(chain_key3.public().to_bytes());
        let chain_public_key3 = format!("ed25519/{}", chain_public_key3);
        let chain_node3 = ServiceNode {
            component: "backend".to_string(),
            public_key: chain_public_key3.clone(),
        };

        // Create the initial token with the first node
        let nodes = vec![
            chain_node1.clone(),
            chain_node2.clone(),
            chain_node3.clone(),
        ];
        let token = create_service_chain_biscuit(
            subject.clone(),
            resource.clone(),
            "read".to_string(),
            root,
            &nodes,
            TokenTimeConfig::default(),
        );
        assert!(token.is_ok());
        let token = token.unwrap();

        println!("Created initial token");

        // Create the biscuit and add node1's block
        let biscuit = Biscuit::from(&token, public_key).unwrap();
        let third_party_request1 = biscuit.third_party_request().unwrap();
        let third_party_block1 = block!(
            r#"
                service("res1");
            "#
        );
        let third_party_block1 = third_party_request1
            .create_block(&chain_key1.private(), third_party_block1)
            .unwrap();
        let attested_biscuit1 = biscuit
            .append_third_party(chain_key1.public(), third_party_block1)
            .unwrap();

        // Chain with all three nodes
        let all_nodes = vec![
            chain_node1.clone(),
            chain_node2.clone(),
            chain_node3.clone(),
        ];
        let attested_token1 = attested_biscuit1.to_vec().unwrap();

        // Test 1: Verify up to but not including middleware
        // This should verify edge_function only
        let res = verify_service_chain_biscuit_local(
            attested_token1.clone(),
            public_key,
            subject.clone(),
            resource.clone(),
            "read".to_string(),
            all_nodes.clone(),
            Some("middleware".to_string()),
        );
        assert!(res.is_ok());

        // Test 3: Verify up to but not including backend
        // This should try to verify both edge_function and middleware
        // but since the middleware attestation wasn't added, it will fail
        let res = verify_service_chain_biscuit_local(
            attested_token1.clone(),
            public_key,
            subject.clone(),
            resource.clone(),
            "read".to_string(),
            all_nodes.clone(),
            Some("backend".to_string()),
        );
        assert!(res.is_err());
    }

    #[test]
    fn test_service_chain_biscuit_with_custom_time() {
        let subject = "test@test.com".to_owned();
        let resource = "res1".to_string();
        let root = KeyPair::new();
        let public_key = root.public();
        let chain_key = KeyPair::new();
        let chain_public_key = hex::encode(chain_key.public().to_bytes());
        let chain_public_key = format!("ed25519/{}", chain_public_key);
        let chain_node = ServiceNode {
            component: "edge_function".to_string(),
            public_key: chain_public_key.clone(),
        };
        let nodes = vec![chain_node];

        // Create a valid token with default time configuration (5 minutes)
        let valid_token = create_service_chain_biscuit_with_time(
            subject.clone(),
            resource.clone(),
            "read".to_string(),
            root,
            &nodes,
            TokenTimeConfig::default(),
        );
        assert!(valid_token.is_ok());
        let valid_token = valid_token.unwrap().to_vec().unwrap();

        // Verify the valid token works
        let res = verify_biscuit_local(
            valid_token.clone(),
            public_key,
            subject.clone(),
            resource.clone(),
            "read".to_string(),
        );
        assert!(res.is_ok());

        // Create an expired token (start time 6 minutes ago with 5 minute duration)
        let expired_time_config = TokenTimeConfig {
            start_time: Some(Utc::now().timestamp() - 360), // 6 minutes ago
            duration: 300,                                  // 5 minutes
        };

        // Create a new key pair for the expired token
        let root2 = KeyPair::new();
        let public_key2 = root2.public();

        let expired_token = create_service_chain_biscuit_with_time(
            subject.clone(),
            resource.clone(),
            "read".to_string(),
            root2,
            &nodes,
            expired_time_config,
        );
        assert!(expired_token.is_ok());
        let expired_token = expired_token.unwrap().to_vec().unwrap();

        // Verify expired token fails
        let res = verify_biscuit_local(
            expired_token,
            public_key2,
            subject,
            resource,
            "read".to_string(),
        );
        assert!(res.is_err());
    }

    #[test]
    fn test_multi_party_biscuit_helper_functions() {
        let subject = "test@test.com".to_owned();
        let resource = "res1".to_string();
        let operation = "read".to_string();
        let root = KeyPair::new();

        // Create a multi-party node
        let multi_party_key = KeyPair::new();
        let multi_party_public_key = hex::encode(multi_party_key.public().to_bytes());
        let multi_party_public_key = format!("ed25519/{}", multi_party_public_key);
        let multi_party_node = ServiceNode {
            component: "approval_service".to_string(),
            public_key: multi_party_public_key.clone(),
        };
        let nodes = vec![multi_party_node];

        // Test create_multi_party_token (default time config)
        let token_string = create_multi_party_token(
            subject.clone(),
            resource.clone(),
            operation.clone(),
            root,
            &nodes,
        );
        assert!(token_string.is_ok());

        // Test create_multi_party_biscuit (binary token with default time config)
        let root2 = KeyPair::new();
        let binary_token = create_multi_party_biscuit(
            subject.clone(),
            resource.clone(),
            operation.clone(),
            root2,
            &nodes,
        );
        assert!(binary_token.is_ok());

        // Test create_raw_multi_party_biscuit (raw biscuit with default time config)
        let root3 = KeyPair::new();
        let raw_biscuit = create_raw_multi_party_biscuit(
            subject.clone(),
            resource.clone(),
            operation.clone(),
            root3,
            &nodes,
        );
        assert!(raw_biscuit.is_ok());

        // Test create_multi_party_token_with_time (custom time config)
        let custom_time_config = TokenTimeConfig {
            start_time: Some(Utc::now().timestamp()),
            duration: 600, // 10 minutes
        };
        let root4 = KeyPair::new();
        let custom_time_token = create_multi_party_token_with_time(
            subject.clone(),
            resource.clone(),
            operation.clone(),
            root4,
            &nodes,
            custom_time_config,
        );
        assert!(custom_time_token.is_ok());

        // Test create_multi_party_biscuit_with_time (raw biscuit with custom time config)
        let root5 = KeyPair::new();
        let custom_time_biscuit = create_multi_party_biscuit_with_time(
            subject.clone(),
            resource.clone(),
            operation.clone(),
            root5,
            &nodes,
            custom_time_config,
        );
        assert!(custom_time_biscuit.is_ok());
    }

    #[test]
    fn test_basic_authorization_with_domain_restriction() {
        let subject = "alice".to_string();
        let resource = "resource1".to_string();
        let operation = "read".to_string();
        let domain = "myapp.hessra.dev".to_string();
        let keypair = KeyPair::new();
        let public_key = keypair.public();

        // Create basic authorization token with domain restriction
        let token = HessraAuthorization::new(
            subject.clone(),
            resource.clone(),
            operation.clone(),
            TokenTimeConfig::default(),
        )
        .domain_restricted(domain.clone())
        .issue(&keypair);

        assert!(token.is_ok(), "Failed to create domain-restricted token");
        let token = token.unwrap();

        // Parse and verify the token
        let biscuit = Biscuit::from_base64(&token, public_key).unwrap();

        // Build authorizer with domain fact - should succeed
        let authz = crate::verify::build_base_authorizer(
            subject.clone(),
            resource.clone(),
            operation.clone(),
            Some(domain.clone()),
        )
        .unwrap();
        assert!(
            authz.build(&biscuit).unwrap().authorize().is_ok(),
            "Token should verify with correct domain"
        );

        // Build authorizer without domain fact - should fail
        let authz_no_domain = crate::verify::build_base_authorizer(
            subject.clone(),
            resource.clone(),
            operation.clone(),
            None,
        )
        .unwrap();
        assert!(
            authz_no_domain
                .build(&biscuit)
                .unwrap()
                .authorize()
                .is_err(),
            "Token should fail verification without domain fact"
        );

        // Build authorizer with wrong domain - should fail
        let authz_wrong_domain = crate::verify::build_base_authorizer(
            subject,
            resource,
            operation,
            Some("wrongdomain.com".to_string()),
        )
        .unwrap();
        assert!(
            authz_wrong_domain
                .build(&biscuit)
                .unwrap()
                .authorize()
                .is_err(),
            "Token should fail verification with wrong domain"
        );
    }

    #[test]
    fn test_service_chain_with_domain_restriction() {
        let subject = "alice".to_string();
        let resource = "resource1".to_string();
        let operation = "read".to_string();
        let domain = "myapp.hessra.dev".to_string();
        let keypair = KeyPair::new();
        let public_key = keypair.public();

        // Create service node
        let chain_key = KeyPair::new();
        let chain_public_key = hex::encode(chain_key.public().to_bytes());
        let chain_public_key = format!("ed25519/{}", chain_public_key);
        let chain_node = ServiceNode {
            component: "edge_function".to_string(),
            public_key: chain_public_key.clone(),
        };
        let nodes = vec![chain_node];

        // Create service chain token with domain restriction
        let token = HessraAuthorization::new(
            subject.clone(),
            resource.clone(),
            operation.clone(),
            TokenTimeConfig::default(),
        )
        .service_chain(nodes.clone())
        .domain_restricted(domain.clone())
        .issue(&keypair);

        assert!(
            token.is_ok(),
            "Failed to create domain-restricted service chain token"
        );
        let token = token.unwrap();

        // Parse and verify the token
        let biscuit = Biscuit::from_base64(&token, public_key).unwrap();

        // Build authorizer with domain fact - should succeed
        let authz = crate::verify::build_base_authorizer(
            subject.clone(),
            resource.clone(),
            operation.clone(),
            Some(domain),
        )
        .unwrap();
        assert!(
            authz.build(&biscuit).unwrap().authorize().is_ok(),
            "Service chain token should verify with correct domain"
        );

        // Build authorizer without domain fact - should fail
        let authz_no_domain =
            crate::verify::build_base_authorizer(subject, resource, operation, None).unwrap();
        assert!(
            authz_no_domain
                .build(&biscuit)
                .unwrap()
                .authorize()
                .is_err(),
            "Service chain token should fail verification without domain fact"
        );
    }

    #[test]
    fn test_multi_party_with_domain_restriction() {
        let subject = "alice".to_string();
        let resource = "resource1".to_string();
        let operation = "read".to_string();
        let domain = "myapp.hessra.dev".to_string();
        let keypair = KeyPair::new();
        let public_key = keypair.public();

        // Create multi-party node
        let party_key = KeyPair::new();
        let party_public_key = hex::encode(party_key.public().to_bytes());
        let party_public_key = format!("ed25519/{}", party_public_key);
        let party_node = ServiceNode {
            component: "approval_service".to_string(),
            public_key: party_public_key.clone(),
        };
        let nodes = vec![party_node];

        // Create multi-party token with domain restriction
        let token = HessraAuthorization::new(
            subject.clone(),
            resource.clone(),
            operation.clone(),
            TokenTimeConfig::default(),
        )
        .multi_party(nodes.clone())
        .domain_restricted(domain.clone())
        .issue(&keypair);

        assert!(
            token.is_ok(),
            "Failed to create domain-restricted multi-party token"
        );
        let token = token.unwrap();

        // Parse and verify the token
        let biscuit = Biscuit::from_base64(&token, public_key).unwrap();

        // Build authorizer with domain fact - token will still fail because multi-party needs attestations
        // But we're testing that domain check is present
        let _authz = crate::verify::build_base_authorizer(
            subject.clone(),
            resource.clone(),
            operation.clone(),
            Some(domain),
        )
        .unwrap();
        // Multi-party token needs attestation, so this will fail for that reason, not domain
        // We're just checking the token was created successfully with domain check
        assert!(biscuit.to_base64().is_ok(), "Token should be valid biscuit");

        // Build authorizer without domain fact - should also fail
        let authz_no_domain =
            crate::verify::build_base_authorizer(subject, resource, operation, None).unwrap();
        assert!(
            authz_no_domain
                .build(&biscuit)
                .unwrap()
                .authorize()
                .is_err(),
            "Multi-party token should fail verification without domain fact or attestations"
        );
    }

    #[test]
    fn test_authorization_verifier_with_domain() {
        use crate::verify::AuthorizationVerifier;

        let subject = "alice".to_string();
        let resource = "resource1".to_string();
        let operation = "read".to_string();
        let domain = "myapp.hessra.dev".to_string();
        let keypair = KeyPair::new();
        let public_key = keypair.public();

        // Create basic authorization token with domain restriction
        let token = HessraAuthorization::new(
            subject.clone(),
            resource.clone(),
            operation.clone(),
            TokenTimeConfig::default(),
        )
        .domain_restricted(domain.clone())
        .issue(&keypair)
        .expect("Failed to create domain-restricted token");

        // Verify with matching domain using builder - should succeed
        assert!(
            AuthorizationVerifier::new(
                token.clone(),
                public_key,
                subject.clone(),
                resource.clone(),
                operation.clone(),
            )
            .with_domain(domain.clone())
            .verify()
            .is_ok(),
            "Token should verify with correct domain using builder"
        );

        // Verify without domain context - should fail
        assert!(
            AuthorizationVerifier::new(
                token.clone(),
                public_key,
                subject.clone(),
                resource.clone(),
                operation.clone(),
            )
            .verify()
            .is_err(),
            "Token should fail verification without domain context"
        );

        // Verify with wrong domain - should fail
        assert!(
            AuthorizationVerifier::new(
                token.clone(),
                public_key,
                subject.clone(),
                resource.clone(),
                operation.clone(),
            )
            .with_domain("wrongdomain.com".to_string())
            .verify()
            .is_err(),
            "Token should fail verification with wrong domain"
        );

        // Test with non-domain-restricted token - extra domain context shouldn't break it
        let regular_token = HessraAuthorization::new(
            subject.clone(),
            resource.clone(),
            operation.clone(),
            TokenTimeConfig::default(),
        )
        .issue(&keypair)
        .expect("Failed to create regular token");

        // Regular token should pass with or without domain context
        assert!(
            AuthorizationVerifier::new(
                regular_token.clone(),
                public_key,
                subject.clone(),
                resource.clone(),
                operation.clone(),
            )
            .verify()
            .is_ok(),
            "Regular token should verify without domain context"
        );

        assert!(
            AuthorizationVerifier::new(regular_token, public_key, subject, resource, operation,)
                .with_domain(domain)
                .verify()
                .is_ok(),
            "Regular token should verify even with extra domain context"
        );
    }

    #[test]
    fn test_service_chain_verifier_with_domain() {
        use crate::verify::{AuthorizationVerifier, ServiceNode};

        let subject = "alice".to_string();
        let resource = "resource1".to_string();
        let operation = "read".to_string();
        let domain = "myapp.hessra.dev".to_string();
        let keypair = KeyPair::new();
        let public_key = keypair.public();

        // Create service node
        let node_keypair = KeyPair::new();
        let node_public_key = node_keypair.public();
        let node_key_string = format!("ed25519/{}", hex::encode(node_public_key.to_bytes()));

        let service_nodes = vec![ServiceNode {
            component: "api-gateway".to_string(),
            public_key: node_key_string,
        }];

        // Create service chain token with domain restriction
        let token = HessraAuthorization::new(
            subject.clone(),
            resource.clone(),
            operation.clone(),
            TokenTimeConfig::default(),
        )
        .service_chain(service_nodes.clone())
        .domain_restricted(domain.clone())
        .issue(&keypair)
        .expect("Failed to create service chain token with domain");

        // Convert token to bytes for attestation
        let token_bytes = crate::decode_token(&token).expect("Failed to decode token");

        // Add service node attestation
        let attested_token_bytes = crate::attest::add_service_node_attestation(
            token_bytes,
            public_key,
            &resource,
            &node_keypair,
        )
        .expect("Failed to add attestation");

        // Verify with service chain and domain - should succeed
        assert!(
            AuthorizationVerifier::from_bytes(
                attested_token_bytes.clone(),
                public_key,
                subject.clone(),
                resource.clone(),
                operation.clone(),
            )
            .expect("Failed to create verifier")
            .with_service_chain(service_nodes.clone(), Some("api-gateway".to_string()))
            .with_domain(domain.clone())
            .verify()
            .is_ok(),
            "Service chain token should verify with domain"
        );

        // Verify with service chain but no domain - should fail
        assert!(
            AuthorizationVerifier::from_bytes(
                attested_token_bytes.clone(),
                public_key,
                subject.clone(),
                resource.clone(),
                operation.clone(),
            )
            .expect("Failed to create verifier")
            .with_service_chain(service_nodes.clone(), Some("api-gateway".to_string()))
            .verify()
            .is_err(),
            "Service chain token should fail without domain"
        );

        // Verify with domain but no service chain checks
        // This should actually PASS because the attestation is valid and embedded in the token
        // The service chain checks are additional validation for specific component requirements
        assert!(
            AuthorizationVerifier::from_bytes(
                attested_token_bytes,
                public_key,
                subject,
                resource,
                operation,
            )
            .expect("Failed to create verifier")
            .with_domain(domain)
            .verify()
            .is_ok(),
            "Service chain token with valid attestation should pass basic verification"
        );
    }

    #[test]
    fn test_latent_capability_basic() {
        let root_keypair = KeyPair::new();
        let root_public_key = root_keypair.public();

        let activator_keypair = KeyPair::new();
        let activator_public_key = format!(
            "ed25519/{}",
            hex::encode(activator_keypair.public().to_bytes())
        );

        // Create latent token with multiple rights
        let latent_rights = vec![
            ("resource1".to_string(), "read".to_string()),
            ("resource1".to_string(), "write".to_string()),
            ("resource2".to_string(), "read".to_string()),
        ];

        let latent_token = HessraAuthorization::new_latent(
            latent_rights,
            activator_public_key,
            TokenTimeConfig::default(),
        )
        .issue(&root_keypair)
        .expect("Failed to create latent token");

        // Activate the latent token for a specific subject and right
        let subject = "alice".to_string();
        let resource = "resource1".to_string();
        let operation = "read".to_string();

        let activated_token = activate_latent_token_from_string(
            latent_token.clone(),
            root_public_key,
            subject.clone(),
            resource.clone(),
            operation.clone(),
            &activator_keypair,
            TokenTimeConfig::default(),
        )
        .expect("Failed to activate latent token");

        // Verify the activated token
        let result = crate::verify::verify_token_local(
            &activated_token,
            root_public_key,
            &subject,
            &resource,
            &operation,
        );

        assert!(result.is_ok(), "Activated token should verify successfully");
    }

    #[test]
    fn test_latent_capability_multiple_activations() {
        let root_keypair = KeyPair::new();
        let root_public_key = root_keypair.public();

        let activator_keypair = KeyPair::new();
        let activator_public_key = format!(
            "ed25519/{}",
            hex::encode(activator_keypair.public().to_bytes())
        );

        // Create latent token with multiple rights
        let latent_rights = vec![
            ("resource1".to_string(), "read".to_string()),
            ("resource1".to_string(), "write".to_string()),
            ("resource2".to_string(), "read".to_string()),
        ];

        let latent_token = HessraAuthorization::new_latent(
            latent_rights,
            activator_public_key,
            TokenTimeConfig::default(),
        )
        .issue(&root_keypair)
        .expect("Failed to create latent token");

        // Activate the same latent token multiple times with different combinations
        let activations = vec![
            (
                "alice".to_string(),
                "resource1".to_string(),
                "read".to_string(),
            ),
            (
                "bob".to_string(),
                "resource1".to_string(),
                "write".to_string(),
            ),
            (
                "charlie".to_string(),
                "resource2".to_string(),
                "read".to_string(),
            ),
        ];

        for (subject, resource, operation) in activations {
            let activated_token = activate_latent_token_from_string(
                latent_token.clone(),
                root_public_key,
                subject.clone(),
                resource.clone(),
                operation.clone(),
                &activator_keypair,
                TokenTimeConfig::default(),
            )
            .expect("Failed to activate latent token");

            // Verify each activated token
            let result = crate::verify::verify_token_local(
                &activated_token,
                root_public_key,
                &subject,
                &resource,
                &operation,
            );

            assert!(
                result.is_ok(),
                "Activated token for {} should verify successfully",
                subject
            );
        }
    }

    #[test]
    fn test_latent_capability_invalid_right() {
        let root_keypair = KeyPair::new();
        let root_public_key = root_keypair.public();

        let activator_keypair = KeyPair::new();
        let activator_public_key = format!(
            "ed25519/{}",
            hex::encode(activator_keypair.public().to_bytes())
        );

        // Create latent token with limited rights
        let latent_rights = vec![("resource1".to_string(), "read".to_string())];

        let latent_token = HessraAuthorization::new_latent(
            latent_rights,
            activator_public_key,
            TokenTimeConfig::default(),
        )
        .issue(&root_keypair)
        .expect("Failed to create latent token");

        // Try to activate with a right that's not in latent_rights
        let activated_token = activate_latent_token_from_string(
            latent_token,
            root_public_key,
            "alice".to_string(),
            "resource1".to_string(),
            "write".to_string(), // Not in latent_rights!
            &activator_keypair,
            TokenTimeConfig::default(),
        )
        .expect("Activation should succeed (validation happens at verification)");

        // Verification should fail because the right is not in latent_rights
        let result = crate::verify::verify_token_local(
            &activated_token,
            root_public_key,
            "alice",
            "resource1",
            "write",
        );

        assert!(
            result.is_err(),
            "Should fail to verify token with right not in latent_rights"
        );
    }

    #[test]
    fn test_latent_capability_with_domain_restriction() {
        let root_keypair = KeyPair::new();
        let root_public_key = root_keypair.public();

        let activator_keypair = KeyPair::new();
        let activator_public_key = format!(
            "ed25519/{}",
            hex::encode(activator_keypair.public().to_bytes())
        );

        let domain = "myapp.hessra.dev".to_string();

        // Create latent token with domain restriction
        let latent_rights = vec![("resource1".to_string(), "read".to_string())];

        let latent_token = HessraAuthorization::new_latent(
            latent_rights,
            activator_public_key,
            TokenTimeConfig::default(),
        )
        .domain_restricted(domain.clone())
        .issue(&root_keypair)
        .expect("Failed to create latent token with domain restriction");

        // Activate the token
        let activated_token = activate_latent_token_from_string(
            latent_token,
            root_public_key,
            "alice".to_string(),
            "resource1".to_string(),
            "read".to_string(),
            &activator_keypair,
            TokenTimeConfig::default(),
        )
        .expect("Failed to activate latent token");

        // Verify with correct domain
        let result = crate::verify::AuthorizationVerifier::new(
            activated_token.clone(),
            root_public_key,
            "alice".to_string(),
            "resource1".to_string(),
            "read".to_string(),
        )
        .with_domain(domain.clone())
        .verify();

        assert!(result.is_ok(), "Should verify with correct domain");

        // Verify without domain should fail
        let result = crate::verify::AuthorizationVerifier::new(
            activated_token,
            root_public_key,
            "alice".to_string(),
            "resource1".to_string(),
            "read".to_string(),
        )
        .verify();

        assert!(result.is_err(), "Should fail to verify without domain");
    }

    #[test]
    fn test_latent_capability_with_multi_party() {
        let root_keypair = KeyPair::new();
        let root_public_key = root_keypair.public();

        let activator_keypair = KeyPair::new();
        let activator_public_key = format!(
            "ed25519/{}",
            hex::encode(activator_keypair.public().to_bytes())
        );

        // Create multi-party node
        let party_keypair = KeyPair::new();
        let party_public_key =
            format!("ed25519/{}", hex::encode(party_keypair.public().to_bytes()));
        let party_node = ServiceNode {
            component: "approval_service".to_string(),
            public_key: party_public_key,
        };

        // Create latent token with multi-party requirement
        let latent_rights = vec![("resource1".to_string(), "read".to_string())];

        let latent_token = HessraAuthorization::new_latent(
            latent_rights,
            activator_public_key,
            TokenTimeConfig::default(),
        )
        .multi_party(vec![party_node])
        .issue(&root_keypair)
        .expect("Failed to create latent token with multi-party");

        // Add multi-party attestation to the latent token (before activation)
        let latent_token_bytes =
            crate::decode_token(&latent_token).expect("Failed to decode token");
        let attested_latent_bytes = crate::attest::add_multi_party_attestation(
            latent_token_bytes,
            root_public_key,
            "approval_service".to_string(),
            party_keypair,
        )
        .expect("Failed to add multi-party attestation");

        // Now activate the attested latent token
        let activated_token_bytes = activate_latent_token(
            attested_latent_bytes,
            root_public_key,
            "alice".to_string(),
            "resource1".to_string(),
            "read".to_string(),
            &activator_keypair,
            TokenTimeConfig::default(),
        )
        .expect("Failed to activate attested latent token");

        let activated_token = crate::encode_token(&activated_token_bytes);

        // Verify the activated token
        let result = crate::verify::verify_token_local(
            &activated_token,
            root_public_key,
            "alice",
            "resource1",
            "read",
        );

        assert!(
            result.is_ok(),
            "Activated token with multi-party attestation should verify"
        );
    }

    #[test]
    fn test_activated_latent_with_service_chain() {
        let root_keypair = KeyPair::new();
        let root_public_key = root_keypair.public();

        let activator_keypair = KeyPair::new();
        let activator_public_key = format!(
            "ed25519/{}",
            hex::encode(activator_keypair.public().to_bytes())
        );

        // Create service chain node
        let chain_keypair = KeyPair::new();
        let chain_public_key =
            format!("ed25519/{}", hex::encode(chain_keypair.public().to_bytes()));
        let chain_node = ServiceNode {
            component: "edge_function".to_string(),
            public_key: chain_public_key,
        };

        // Create latent token with service chain
        let latent_rights = vec![("resource1".to_string(), "read".to_string())];

        let latent_token = HessraAuthorization::new_latent(
            latent_rights,
            activator_public_key,
            TokenTimeConfig::default(),
        )
        .service_chain(vec![chain_node.clone()])
        .issue(&root_keypair)
        .expect("Failed to create latent token with service chain");

        // Activate the latent token first
        let activated_token_bytes = activate_latent_token(
            crate::decode_token(&latent_token).expect("Failed to decode"),
            root_public_key,
            "alice".to_string(),
            "resource1".to_string(),
            "read".to_string(),
            &activator_keypair,
            TokenTimeConfig::default(),
        )
        .expect("Failed to activate latent token");

        // Add service chain attestation to the activated token
        let attested_token_bytes = crate::attest::add_service_node_attestation(
            activated_token_bytes,
            root_public_key,
            "resource1",
            &chain_keypair,
        )
        .expect("Failed to add service chain attestation");

        // Verify with service chain
        let result = verify_service_chain_biscuit_local(
            attested_token_bytes,
            root_public_key,
            "alice".to_string(),
            "resource1".to_string(),
            "read".to_string(),
            vec![chain_node],
            None,
        );

        assert!(
            result.is_ok(),
            "Activated latent token with service chain should verify"
        );
    }

    #[test]
    fn test_latent_capability_wrong_activator_key() {
        let root_keypair = KeyPair::new();
        let root_public_key = root_keypair.public();

        let activator_keypair = KeyPair::new();
        let activator_public_key = format!(
            "ed25519/{}",
            hex::encode(activator_keypair.public().to_bytes())
        );

        // Create latent token bound to specific activator
        let latent_rights = vec![("resource1".to_string(), "read".to_string())];

        let latent_token = HessraAuthorization::new_latent(
            latent_rights,
            activator_public_key,
            TokenTimeConfig::default(),
        )
        .issue(&root_keypair)
        .expect("Failed to create latent token");

        // Try to activate with a different keypair
        let wrong_activator_keypair = KeyPair::new();

        let activated_token = activate_latent_token_from_string(
            latent_token,
            root_public_key,
            "alice".to_string(),
            "resource1".to_string(),
            "read".to_string(),
            &wrong_activator_keypair,
            TokenTimeConfig::default(),
        )
        .expect("Activation succeeds (wrong key detected at verification)");

        // Verification should fail because the activator key doesn't match
        let result = crate::verify::verify_token_local(
            &activated_token,
            root_public_key,
            "alice",
            "resource1",
            "read",
        );

        assert!(
            result.is_err(),
            "Should fail to verify token activated with wrong key"
        );
    }

    #[test]
    fn test_latent_capability_time_attenuation() {
        let root_keypair = KeyPair::new();
        let root_public_key = root_keypair.public();

        let activator_keypair = KeyPair::new();
        let activator_public_key = format!(
            "ed25519/{}",
            hex::encode(activator_keypair.public().to_bytes())
        );

        // Create latent token with 30 minute expiration
        let latent_rights = vec![("resource1".to_string(), "read".to_string())];

        let latent_token = HessraAuthorization::new_latent(
            latent_rights,
            activator_public_key,
            TokenTimeConfig {
                start_time: Some(Utc::now().timestamp()),
                duration: 1800, // 30 minutes
            },
        )
        .issue(&root_keypair)
        .expect("Failed to create latent token");

        // Activate with 5 minute expiration (shorter than latent token)
        let activated_token_short = activate_latent_token_from_string(
            latent_token.clone(),
            root_public_key,
            "alice".to_string(),
            "resource1".to_string(),
            "read".to_string(),
            &activator_keypair,
            TokenTimeConfig {
                start_time: Some(Utc::now().timestamp()),
                duration: 300, // 5 minutes
            },
        )
        .expect("Failed to activate latent token");

        // Should verify successfully now
        let result = crate::verify::verify_token_local(
            &activated_token_short,
            root_public_key,
            "alice",
            "resource1",
            "read",
        );
        assert!(
            result.is_ok(),
            "Activated token with 5min expiration should verify"
        );

        // Create an expired activation (1 second ago, already expired)
        let activated_token_expired = activate_latent_token_from_string(
            latent_token.clone(),
            root_public_key,
            "bob".to_string(),
            "resource1".to_string(),
            "read".to_string(),
            &activator_keypair,
            TokenTimeConfig {
                start_time: Some(Utc::now().timestamp() - 2), // Started 2 seconds ago
                duration: 1,                                  // 1 second duration (already expired)
            },
        )
        .expect("Failed to activate latent token");

        // Should fail verification because activation expired
        let result = crate::verify::verify_token_local(
            &activated_token_expired,
            root_public_key,
            "bob",
            "resource1",
            "read",
        );
        assert!(
            result.is_err(),
            "Activated token with expired time should fail verification"
        );

        // Test that even though latent token is still valid (30min),
        // the shorter activation time (5min) is respected
        // We create a latent token that expires in the future but activate it
        // with an already-expired time config
        let latent_token_long = HessraAuthorization::new_latent(
            vec![("resource2".to_string(), "write".to_string())],
            format!(
                "ed25519/{}",
                hex::encode(activator_keypair.public().to_bytes())
            ),
            TokenTimeConfig {
                start_time: Some(Utc::now().timestamp()),
                duration: 3600, // 1 hour - very long
            },
        )
        .issue(&root_keypair)
        .expect("Failed to create long-lived latent token");

        let activated_expired_despite_latent = activate_latent_token_from_string(
            latent_token_long,
            root_public_key,
            "charlie".to_string(),
            "resource2".to_string(),
            "write".to_string(),
            &activator_keypair,
            TokenTimeConfig {
                start_time: Some(Utc::now().timestamp() - 10), // Started 10 seconds ago
                duration: 1,                                   // 1 second duration (expired)
            },
        )
        .expect("Failed to activate long-lived latent token");

        // Should fail even though latent token is still valid
        let result = crate::verify::verify_token_local(
            &activated_expired_despite_latent,
            root_public_key,
            "charlie",
            "resource2",
            "write",
        );
        assert!(
            result.is_err(),
            "Activation expiration should take precedence over latent expiration"
        );
    }

    #[test]
    fn test_verify_capability_token_basic() {
        let subject = "alice".to_string();
        let resource = "resource1".to_string();
        let operation = "read".to_string();
        let keypair = KeyPair::new();
        let public_key = keypair.public();

        // Create token with subject
        let token = create_token(
            subject.clone(),
            resource.clone(),
            operation.clone(),
            keypair,
        )
        .unwrap();

        // Verify without providing subject - should succeed
        let result =
            crate::verify::verify_capability_token_local(&token, public_key, &resource, &operation);

        assert!(result.is_ok());
    }

    #[test]
    fn test_verify_capability_token_wrong_resource() {
        let keypair = KeyPair::new();
        let public_key = keypair.public();

        let token = create_token(
            "alice".to_string(),
            "resource1".to_string(),
            "read".to_string(),
            keypair,
        )
        .unwrap();

        // Try to verify for wrong resource
        let result = crate::verify::verify_capability_token_local(
            &token,
            public_key,
            "resource2", // Wrong resource
            "read",
        );

        assert!(result.is_err());
    }

    #[test]
    fn test_verify_capability_token_wrong_operation() {
        let keypair = KeyPair::new();
        let public_key = keypair.public();

        let token = create_token(
            "alice".to_string(),
            "resource1".to_string(),
            "read".to_string(),
            keypair,
        )
        .unwrap();

        // Try to verify for wrong operation
        let result = crate::verify::verify_capability_token_local(
            &token,
            public_key,
            "resource1",
            "write", // Wrong operation
        );

        assert!(result.is_err());
    }

    #[test]
    fn test_verify_capability_with_domain() {
        let domain = "myapp.hessra.dev".to_string();
        let keypair = KeyPair::new();
        let public_key = keypair.public();

        // Create token with domain restriction
        let token = HessraAuthorization::new(
            "alice".to_string(),
            "resource1".to_string(),
            "read".to_string(),
            TokenTimeConfig::default(),
        )
        .domain_restricted(domain.clone())
        .issue(&keypair)
        .unwrap();

        // Verify capability with matching domain
        let result = crate::verify::AuthorizationVerifier::new_capability(
            token.clone(),
            public_key,
            "resource1".to_string(),
            "read".to_string(),
        )
        .with_domain(domain.clone())
        .verify();

        assert!(result.is_ok());

        // Verify capability without domain - should fail
        let result = crate::verify::AuthorizationVerifier::new_capability(
            token,
            public_key,
            "resource1".to_string(),
            "read".to_string(),
        )
        .verify();

        assert!(result.is_err());
    }

    #[test]
    fn test_verify_capability_with_service_chain() {
        let keypair = KeyPair::new();
        let public_key = keypair.public();

        let chain_keypair = KeyPair::new();
        let chain_public_key =
            format!("ed25519/{}", hex::encode(chain_keypair.public().to_bytes()));
        let chain_node = ServiceNode {
            component: "edge_function".to_string(),
            public_key: chain_public_key,
        };

        // Create service chain token
        let token = HessraAuthorization::new(
            "alice".to_string(),
            "resource1".to_string(),
            "read".to_string(),
            TokenTimeConfig::default(),
        )
        .service_chain(vec![chain_node.clone()])
        .issue(&keypair)
        .unwrap();

        // Add attestation
        let token_bytes = crate::decode_token(&token).unwrap();
        let attested = crate::attest::add_service_node_attestation(
            token_bytes,
            public_key,
            "resource1",
            &chain_keypair,
        )
        .unwrap();
        let attested_token = crate::encode_token(&attested);

        // Verify capability with service chain
        let result = crate::verify::verify_service_chain_capability_token_local(
            &attested_token,
            public_key,
            "resource1",
            "read",
            vec![chain_node],
            None,
        );

        assert!(result.is_ok());
    }

    #[test]
    fn test_capability_verifier_builder() {
        let keypair = KeyPair::new();
        let public_key = keypair.public();
        let domain = "example.com".to_string();

        let token = HessraAuthorization::new(
            "alice".to_string(),
            "resource1".to_string(),
            "read".to_string(),
            TokenTimeConfig::default(),
        )
        .domain_restricted(domain.clone())
        .issue(&keypair)
        .unwrap();

        // Test builder pattern
        let result = crate::verify::AuthorizationVerifier::new_capability(
            token,
            public_key,
            "resource1".to_string(),
            "read".to_string(),
        )
        .with_domain(domain)
        .verify();

        assert!(result.is_ok());
    }

    #[test]
    fn test_capability_vs_identity_verification() {
        let keypair = KeyPair::new();
        let public_key = keypair.public();

        // Create token for alice
        let token = create_token(
            "alice".to_string(),
            "document_123".to_string(),
            "read".to_string(),
            keypair,
        )
        .unwrap();

        // Identity-based: Must specify correct subject
        let result = crate::verify::verify_token_local(
            &token,
            public_key,
            "alice", // Must match
            "document_123",
            "read",
        );
        assert!(result.is_ok());

        // Identity-based: Wrong subject fails
        let result = crate::verify::verify_token_local(
            &token,
            public_key,
            "bob", // Wrong subject
            "document_123",
            "read",
        );
        assert!(result.is_err());

        // Capability-based: Don't care about subject
        let result = crate::verify::verify_capability_token_local(
            &token,
            public_key,
            "document_123", // No subject needed
            "read",
        );
        assert!(result.is_ok());
    }
}