//! Key Transparency: append-only SHA-256 Merkle log for (username, identity_key) bindings.
//!
//! # Design
//!
//! A lightweight subset of RFC 9162 (Certificate Transparency v2) adapted for identity keys:
//!
//! - Leaf nodes hash as: `SHA-256(0x00 || SHA-256(username || 0x00 || identity_key))`
//! - Internal nodes hash as: `SHA-256(0x01 || left_hash || right_hash)`
//!
//! The 0x00/0x01 domain-separation prefixes prevent second-preimage attacks on
//! the tree structure (RFC 6962 §2.1).
//!
//! ## Inclusion proof
//!
//! An inclusion proof for leaf at index `i` in a tree of `n` leaves is the list of
//! sibling hashes from leaf to root. The verifier recomputes the root from the leaf
//! hash + siblings and compares it to the known root.
//!
//! ## Wire format
//!
//! Inclusion proofs are serialised as `bincode(InclusionProof)` for transport over
//! the Cap'n Proto `inclusionProof :Data` field.

use sha2::{Digest, Sha256};

mod error;
mod proof;
pub mod revocation;
mod tree;

pub use error::KtError;
pub use proof::{verify_inclusion, InclusionProof};
pub use revocation::{RevocationEntry, RevocationLog, RevocationReason};
pub use tree::MerkleLog;

/// Domain-separation prefix for leaf nodes (RFC 6962 §2.1).
const LEAF_PREFIX: u8 = 0x00;
/// Domain-separation prefix for internal nodes.
const INTERNAL_PREFIX: u8 = 0x01;

/// SHA-256 of a leaf entry: `H(0x00 || H(username || 0x00 || identity_key))`.
pub fn leaf_hash(username: &str, identity_key: &[u8]) -> [u8; 32] {
    // Inner hash commits to both fields with a 0x00 separator.
    let mut inner = Sha256::new();
    inner.update(username.as_bytes());
    inner.update([0x00]);
    inner.update(identity_key);
    let inner_digest: [u8; 32] = inner.finalize().into();

    // Outer hash adds the leaf domain-separation prefix.
    let mut outer = Sha256::new();
    outer.update([LEAF_PREFIX]);
    outer.update(inner_digest);
    outer.finalize().into()
}

/// SHA-256 of an internal node: `H(0x01 || left || right)`.
pub(crate) fn node_hash(left: &[u8; 32], right: &[u8; 32]) -> [u8; 32] {
    let mut h = Sha256::new();
    h.update([INTERNAL_PREFIX]);
    h.update(left);
    h.update(right);
    h.finalize().into()
}