package models

import "time"

// ArtifactSignature stores the Cosign-compatible signature bundle produced
// when an artifact is uploaded.  The BundleJSON field is the full self-contained
// bundle so consumers can verify without hitting the API again.
type ArtifactSignature struct {
	ID         int64     `xorm:"'id' pk autoincr"               json:"id"`
	ArtifactID int64     `xorm:"'artifact_id' notnull unique"   json:"artifactId"`
	KeyID      string    `xorm:"'key_id' varchar(32)"           json:"keyId"`
	Algorithm  string    `xorm:"'algorithm' varchar(50)"        json:"algorithm"` // "ecdsa-p256-sha256"
	Digest     string    `xorm:"'digest' varchar(80)"           json:"digest"`    // "sha256:<hex>"
	BundleJSON string    `xorm:"'bundle_json' text"             json:"-"`         // full bundle, not surfaced directly
	SignedAt   time.Time `xorm:"'signed_at'"                    json:"signedAt"`
}