types

type CABundle struct {
	// Epoch is the major epoch number for this bundle.
	Epoch uint64 `json:"epoch"`

	// Seqno is the sequence number for this bundle, used to prevent rollback attacks.
	Seqno uint64 `json:"seqno"`

	// Keys is a map of key IDs to public keys.
	Keys map[string][]byte `json:"keys"`

	// KeyID is the current primary key identifier (for quick checks)
	KeyID string `json:"keyId,omitempty"`

	// PrevKeyID is the previous key identifier (for grace period during rotation)
	PrevKeyID string `json:"prevKeyId,omitempty"`

	// IssuedAt is the Unix timestamp when this bundle was issued.
	// Used to detect stale bundles that might have been cached or backed up.
	IssuedAt int64 `json:"issuedAt,omitempty"`

	// Signature is a signature of the bundle, used to verify its authenticity.
	Signature []byte `json:"signature"`
}

type Fetcher interface {
	// Fetch fetches the CA bundle for a given issuer ID.
	Fetch(ctx context.Context, issuerID string) (*CABundle, error)
}

type Storage interface {
	// GetLastSeenSeqno returns the last seen sequence number for a given issuer ID.
	GetLastSeenSeqno(ctx context.Context, issuerID string) (uint64, error)

	// SetLastSeenSeqnoIfGreater sets the last seen sequence number for a given issuer ID
	// ONLY if the new sequence number is greater than the currently stored one.
	// This operation MUST be atomic to prevent TOCTOU race conditions.
	// If seqno is not greater than the currently stored value, this MUST be a successful no-op.
	// Returns nil if the operation succeeded (whether or not an update occurred), or a non-nil error on storage failure.
	SetLastSeenSeqnoIfGreater(ctx context.Context, issuerID string, seqno uint64) error
}