syntax = "proto3";
package qpq.v1;

// Key package + hybrid key CRUD (5 methods).
// Method IDs: 300-304.

message UploadKeyPackageRequest {
  bytes identity_key = 1;
  bytes package = 2;
}

message UploadKeyPackageResponse {
  bytes fingerprint = 1;
}

message FetchKeyPackageRequest {
  bytes identity_key = 1;
}

message FetchKeyPackageResponse {
  bytes package = 1;
}

message UploadHybridKeyRequest {
  bytes identity_key = 1;
  bytes hybrid_public_key = 2;
}

message UploadHybridKeyResponse {}

message FetchHybridKeyRequest {
  bytes identity_key = 1;
}

message FetchHybridKeyResponse {
  bytes hybrid_public_key = 1;
}

message FetchHybridKeysRequest {
  repeated bytes identity_keys = 1;
}

message FetchHybridKeysResponse {
  repeated bytes keys = 1;
}

// Key revocation (method ID 510).
message RevokeKeyRequest {
  bytes identity_key = 1;
  string reason = 2; // "compromised", "superseded", "user_revoked"
}

message RevokeKeyResponse {
  bool success = 1;
  uint64 leaf_index = 2; // Index of revocation entry in the KT Merkle log
}

// Check revocation status (method ID 511).
message CheckRevocationRequest {
  bytes identity_key = 1;
}

message CheckRevocationResponse {
  bool revoked = 1;
  string reason = 2;
  uint64 timestamp_ms = 3;
}

// KT audit log retrieval (method ID 520).
message AuditKeyTransparencyRequest {
  uint64 start = 1;
  uint64 end = 2; // 0 = up to current size
}

message AuditKeyTransparencyResponse {
  repeated LogEntry entries = 1;
  uint64 tree_size = 2;
  bytes root = 3;
}

message LogEntry {
  uint64 index = 1;
  bytes leaf_hash = 2;
}