veridian_kernel/pkg/

mod.rs

//! Package Management System
//!
//! VeridianOS package manager for installing, updating, and managing software
//! packages. Provides signature verification using real Ed25519 (RFC 8032)
//! from `crate::crypto::asymmetric`, policy-based enforcement, and hash
//! integrity checking.

#![allow(clippy::unwrap_or_default)]

pub mod async_types;
#[cfg(feature = "alloc")]
pub mod build_package;
#[cfg(feature = "alloc")]
pub mod build_system;
pub mod compliance;
pub mod database;
pub mod delta;
pub mod ecosystem;
pub mod format;
pub mod manifest;
pub mod plugin;
pub mod ports;
#[cfg(feature = "alloc")]
pub mod repo_server;
pub mod repository;
pub mod reproducible;
pub mod resolver;
pub mod sdk;
pub mod statistics;
pub mod testing;
pub mod toml_parser;

use alloc::{collections::BTreeMap, string::String, vec, vec::Vec};

use spin::Mutex;

use crate::error::KernelError;

/// Package identifier
pub type PackageId = String;

/// Package version using semantic versioning
#[derive(Debug, Clone, Hash, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u32,
    pub minor: u32,
    pub patch: u32,
}

impl Version {
    pub fn new(major: u32, minor: u32, patch: u32) -> Self {
        Self {
            major,
            minor,
            patch,
        }
    }
}

/// Package metadata
#[derive(Debug, Clone)]
pub struct PackageMetadata {
    pub name: String,
    pub version: Version,
    pub author: String,
    pub description: String,
    pub license: String,
    pub dependencies: Vec<Dependency>,
    /// Packages that conflict with this package
    pub conflicts: Vec<String>,
}

/// Package dependency
#[derive(Debug, Clone)]
pub struct Dependency {
    pub name: String,
    pub version_req: String,
}

/// Package installation result
pub type PkgResult<T> = Result<T, KernelError>;

/// Options controlling how `install()` behaves.
#[derive(Debug, Clone, Default)]
pub struct InstallOptions {
    /// When true, allow installing packages that fail signature verification.
    /// Intended for development/testing only. A warning is always logged.
    pub force_unsigned: bool,
    /// When set, the expected SHA-256 hash of the entire package file
    /// (from the repository index). The package is rejected if the hash does
    /// not match, regardless of `force_unsigned`.
    pub expected_hash: Option<[u8; 32]>,
}

/// Transaction state for atomic install/remove operations
#[derive(Debug, Clone)]
pub struct PackageTransaction {
    /// Operations pending in this transaction
    operations: Vec<TransactionOp>,
    /// Snapshot of installed packages at transaction start (for rollback)
    snapshot: BTreeMap<PackageId, PackageMetadata>,
}

/// A single operation inside a transaction
#[derive(Debug, Clone)]
pub enum TransactionOp {
    /// Install a package at a specific version
    Install(PackageId, Version),
    /// Remove a package
    Remove(PackageId),
}

impl PackageTransaction {
    fn new(current_installed: &BTreeMap<PackageId, PackageMetadata>) -> Self {
        Self {
            operations: Vec::new(),
            snapshot: current_installed.clone(),
        }
    }
}

/// Package manager
pub struct PackageManager {
    /// Installed packages
    installed: BTreeMap<PackageId, PackageMetadata>,
    /// Dependency resolver
    resolver: resolver::DependencyResolver,
    /// Available repositories
    repositories: Vec<repository::Repository>,
    /// Signature verification policy
    signature_policy: format::SignaturePolicy,
    /// Trusted signing key ring
    trusted_keys: format::TrustedKeyRing,
    /// Persistent package database
    database: database::PackageDatabase,
    /// File manifest tracking
    file_manifest: manifest::FileManifest,
    /// Active transaction (if any)
    transaction: Option<PackageTransaction>,
}

impl PackageManager {
    pub fn new() -> Self {
        Self {
            installed: BTreeMap::new(),
            resolver: resolver::DependencyResolver::new(),
            repositories: Vec::new(),
            signature_policy: format::SignaturePolicy::default(),
            trusted_keys: format::TrustedKeyRing::default(),
            database: database::PackageDatabase::default(),
            file_manifest: manifest::FileManifest::default(),
            transaction: None,
        }
    }

    /// Get a reference to the current signature policy.
    pub fn signature_policy(&self) -> &format::SignaturePolicy {
        &self.signature_policy
    }

    /// Replace the signature policy.
    pub fn set_signature_policy(&mut self, policy: format::SignaturePolicy) {
        self.signature_policy = policy;
    }

    /// Get a mutable reference to the trusted key ring.
    pub fn trusted_keys_mut(&mut self) -> &mut format::TrustedKeyRing {
        &mut self.trusted_keys
    }

    /// Add a repository
    pub fn add_repository(&mut self, repo: repository::Repository) {
        self.repositories.push(repo);
    }

    /// Install a package by name and version.
    ///
    /// Uses the default `SignaturePolicy` -- signatures are required and
    /// `force_unsigned` is false.
    pub fn install(&mut self, name: String, version_req: String) -> PkgResult<()> {
        self.install_with_options(name, version_req, InstallOptions::default())
    }

    /// Install a package with explicit install options.
    ///
    /// When `options.force_unsigned` is true, a failed signature verification
    /// produces a warning instead of a hard error.  A hash mismatch (if
    /// `expected_hash` is provided) always fails regardless.
    pub fn install_with_options(
        &mut self,
        name: String,
        version_req: String,
        options: InstallOptions,
    ) -> PkgResult<()> {
        // Create dependency for the package
        let dep = Dependency {
            name: name.clone(),
            version_req: version_req.clone(),
        };

        // Resolve dependencies
        let packages = self
            .resolver
            .resolve(&[dep])
            .map_err(|_e| KernelError::InvalidState {
                expected: "resolvable dependencies",
                actual: "dependency resolution failed",
            })?;

        // Install each package in order
        for (pkg_id, version) in packages {
            if self.installed.contains_key(&pkg_id) {
                // Already installed - skip or upgrade
                continue;
            }

            // Download package
            let package_data = self.download_package(&pkg_id, &version)?;

            // Verify package hash against repository index, if provided.
            if let Some(expected) = options.expected_hash {
                let actual = crate::crypto::hash::sha256(&package_data);
                if actual.as_bytes() != &expected {
                    crate::println!(
                        "[PKG] REJECT {}: package hash does not match repository index",
                        pkg_id
                    );
                    return Err(KernelError::PermissionDenied {
                        operation: "verify package hash",
                    });
                }
            }

            // Verify package signature
            match self.verify_package(&package_data) {
                Ok(()) => {}
                Err(e) if options.force_unsigned => {
                    crate::println!(
                        "[PKG] WARNING: --force-unsigned: skipping signature failure for {}: {:?}",
                        pkg_id,
                        e
                    );
                }
                Err(e) => return Err(e),
            }

            // Extract and install
            self.install_package(pkg_id.clone(), version.clone(), package_data)?;

            // Record in transaction if active
            if let Some(txn) = &mut self.transaction {
                txn.operations
                    .push(TransactionOp::Install(pkg_id.clone(), version.clone()));
            }

            crate::println!(
                "[PKG] Installed {} {}.{}.{}",
                pkg_id,
                version.major,
                version.minor,
                version.patch
            );
        }

        Ok(())
    }

    /// Remove an installed package
    pub fn remove(&mut self, package_id: &PackageId) -> PkgResult<()> {
        if !self.installed.contains_key(package_id) {
            return Err(KernelError::NotFound {
                resource: "package",
                id: 0,
            });
        }

        // Check reverse dependencies
        let dependents = self.find_dependents(package_id);
        if !dependents.is_empty() {
            return Err(KernelError::InvalidState {
                expected: "no reverse dependencies",
                actual: "package is required by other packages",
            });
        }

        // Record in transaction if active
        if let Some(txn) = &mut self.transaction {
            txn.operations
                .push(TransactionOp::Remove(package_id.clone()));
        }

        // Remove package
        self.installed.remove(package_id);

        crate::println!("[PKG] Removed {}", package_id);

        Ok(())
    }

    /// Remove a package, preserving user-modified config files.
    ///
    /// Config files that the user has edited are saved with a `.bak` suffix
    /// instead of being deleted.
    pub fn remove_preserving_configs(&mut self, package_id: &PackageId) -> PkgResult<()> {
        if !self.installed.contains_key(package_id) {
            return Err(KernelError::NotFound {
                resource: "package",
                id: 0,
            });
        }

        // Check reverse dependencies
        let dependents = self.find_dependents(package_id);
        if !dependents.is_empty() {
            return Err(KernelError::InvalidState {
                expected: "no reverse dependencies",
                actual: "package is required by other packages",
            });
        }

        // Log which config files are being preserved
        let config_files = self.database.list_config_files(package_id);
        for config in config_files {
            if config.is_user_modified {
                crate::println!(
                    "[PKG] Preserving modified config: {} -> {}.bak",
                    config.path,
                    config.path
                );
            }
        }

        // Record in transaction if active
        if let Some(txn) = &mut self.transaction {
            txn.operations
                .push(TransactionOp::Remove(package_id.clone()));
        }

        // Remove package
        self.installed.remove(package_id);
        crate::println!("[PKG] Removed {} (configs preserved)", package_id);

        Ok(())
    }

    /// Find and remove orphan packages (packages with no reverse dependencies).
    ///
    /// Returns the list of removed package names.
    pub fn remove_orphans(&mut self) -> PkgResult<Vec<PackageId>> {
        let orphans = self.database.find_orphans();
        let mut removed = Vec::new();

        for orphan in &orphans {
            // Skip packages that are not in the installed set
            if !self.installed.contains_key(orphan) {
                continue;
            }
            if self.remove(orphan).is_ok() {
                removed.push(orphan.clone());
            }
        }

        if !removed.is_empty() {
            crate::println!("[PKG] Removed {} orphan package(s)", removed.len());
        }

        Ok(removed)
    }

    /// List installed packages
    pub fn list_installed(&self) -> Vec<(PackageId, Version)> {
        self.installed
            .iter()
            .map(|(id, meta)| (id.clone(), meta.version.clone()))
            .collect()
    }

    /// Check if package is installed
    pub fn is_installed(&self, package_id: &PackageId) -> bool {
        self.installed.contains_key(package_id)
    }

    /// Get installed package metadata
    pub fn get_metadata(&self, package_id: &PackageId) -> Option<&PackageMetadata> {
        self.installed.get(package_id)
    }

    /// Update package lists from repositories
    pub fn update(&mut self) -> PkgResult<()> {
        for repo in &self.repositories {
            let packages = repo.fetch_package_list();

            for pkg in packages {
                self.resolver.register_package(
                    pkg.name.clone(),
                    pkg.version.clone(),
                    pkg.dependencies.clone(),
                    pkg.conflicts.clone(),
                );
            }
        }

        Ok(())
    }

    /// Download package from repositories
    fn download_package(&self, package_id: &PackageId, _version: &Version) -> PkgResult<Vec<u8>> {
        for repo in &self.repositories {
            if let Some(data) = repo.download_package(package_id) {
                return Ok(data);
            }
        }

        Err(KernelError::NotFound {
            resource: "package in repositories",
            id: 0,
        })
    }

    /// Verify package signature (dual Ed25519 + Dilithium).
    ///
    /// Uses the real Ed25519 implementation from `crate::crypto::asymmetric`
    /// (RFC 8032) for Ed25519 verification, and the Dilithium structural
    /// verifier for the post-quantum layer.
    fn verify_package(&self, package_data: &[u8]) -> PkgResult<()> {
        use format::{PackageHeader, PackageSignatures, TrustLevel, VPKG_MAGIC};

        use crate::crypto::asymmetric;

        // Check policy: if signatures are not required, skip verification.
        if !self.signature_policy.require_signatures {
            crate::println!("[PKG] Signature verification skipped (policy: not required)");
            return Ok(());
        }

        // Step 1: Parse package header
        if package_data.len() < 64 {
            return Err(KernelError::InvalidArgument {
                name: "package_data",
                value: "too_short",
            });
        }

        // Extract header
        // SAFETY: package_data.as_ptr() points to at least 64 bytes (checked above).
        // read_unaligned is used because the byte buffer may not satisfy
        // PackageHeader's alignment requirements. The resulting header is validated
        // immediately via magic number and version checks before any fields are
        // trusted.
        let header =
            unsafe { core::ptr::read_unaligned(package_data.as_ptr() as *const PackageHeader) };

        // Validate magic number
        if header.magic != VPKG_MAGIC {
            return Err(KernelError::InvalidArgument {
                name: "package_magic",
                value: "invalid",
            });
        }

        // Validate version
        if !header.validate() {
            return Err(KernelError::InvalidArgument {
                name: "package_version",
                value: "unsupported",
            });
        }

        // Step 2: Extract signatures
        let sig_offset = header.signature_offset as usize;
        let sig_size = header.signature_size as usize;

        if sig_offset + sig_size > package_data.len() {
            return Err(KernelError::InvalidArgument {
                name: "signature_offset",
                value: "out_of_bounds",
            });
        }

        let sig_data = &package_data[sig_offset..sig_offset + sig_size];
        let signatures =
            PackageSignatures::from_bytes(sig_data).map_err(|_| KernelError::InvalidArgument {
                name: "signatures",
                value: "parse_failed",
            })?;

        // Step 3: Determine content to verify (metadata + content sections)
        let content_start = header.metadata_offset as usize;
        let content_end = header.signature_offset as usize;
        if content_start > content_end || content_end > package_data.len() {
            return Err(KernelError::InvalidArgument {
                name: "content_range",
                value: "out_of_bounds",
            });
        }
        let content_to_verify = &package_data[content_start..content_end];

        // Step 4: Verify Ed25519 signature against ALL trusted keys using
        //         real Ed25519 verification (RFC 8032) from crypto::asymmetric.
        let ed25519_sig =
            asymmetric::Signature::from_bytes(&signatures.ed25519_sig).map_err(|_| {
                KernelError::InvalidArgument {
                    name: "ed25519_signature",
                    value: "malformed",
                }
            })?;

        let mut ed25519_valid = false;
        let mut matched_trust_level = TrustLevel::Untrusted;

        for trusted in self.trusted_keys.keys() {
            let vk = match asymmetric::VerifyingKey::from_bytes(&trusted.public_key) {
                Ok(vk) => vk,
                Err(_) => continue,
            };

            match vk.verify(content_to_verify, &ed25519_sig) {
                Ok(true) => {
                    ed25519_valid = true;
                    matched_trust_level = trusted.trust_level;
                    break;
                }
                _ => continue,
            }
        }

        if !ed25519_valid {
            crate::println!("[PKG] REJECT: Ed25519 signature verification failed");
            return Err(KernelError::PermissionDenied {
                operation: "verify Ed25519 signature",
            });
        }

        // Step 5: Check trust level meets policy minimum.
        if matched_trust_level < self.signature_policy.minimum_trust_level {
            crate::println!("[PKG] REJECT: signing key trust level insufficient");
            return Err(KernelError::PermissionDenied {
                operation: "verify signing key trust level",
            });
        }

        // Step 6: Verify Dilithium (post-quantum) signature if policy requires it.
        if self.signature_policy.require_post_quantum {
            let dilithium_valid = verify_dilithium_signature(
                content_to_verify,
                &signatures.dilithium_sig,
                &get_trusted_dilithium_pubkey(),
            );

            if !dilithium_valid {
                crate::println!("[PKG] REJECT: Dilithium signature verification failed");
                return Err(KernelError::PermissionDenied {
                    operation: "verify Dilithium signature",
                });
            }
        }

        crate::println!(
            "[PKG] Package signature verification passed (Ed25519{})",
            if self.signature_policy.require_post_quantum {
                " + Dilithium"
            } else {
                ""
            }
        );

        Ok(())
    }

    /// Install package from data
    fn install_package(
        &mut self,
        package_id: PackageId,
        _version: Version,
        package_data: Vec<u8>,
    ) -> PkgResult<()> {
        use format::{Compression, PackageHeader};

        // Step 1: Parse package header
        if package_data.len() < 64 {
            return Err(KernelError::InvalidArgument {
                name: "package_data",
                value: "too_short",
            });
        }

        // SAFETY: package_data.as_ptr() points to at least 64 bytes (checked
        // above). read_unaligned handles potentially misaligned byte buffers.
        // The resulting header fields (offsets, sizes) are bounds-checked
        // against package_data.len() before use.
        let header =
            unsafe { core::ptr::read_unaligned(package_data.as_ptr() as *const PackageHeader) };

        // Step 2: Extract and parse metadata (JSON)
        let meta_offset = header.metadata_offset as usize;
        let meta_size = header.metadata_size as usize;

        if meta_offset + meta_size > package_data.len() {
            return Err(KernelError::InvalidArgument {
                name: "metadata_offset",
                value: "out_of_bounds",
            });
        }

        let meta_bytes = &package_data[meta_offset..meta_offset + meta_size];
        let metadata = parse_package_metadata(meta_bytes)?;

        // Step 3: Extract content section
        let content_offset = header.content_offset as usize;
        let content_size = header.content_size as usize;

        if content_offset + content_size > package_data.len() {
            return Err(KernelError::InvalidArgument {
                name: "content_offset",
                value: "out_of_bounds",
            });
        }

        let content_bytes = &package_data[content_offset..content_offset + content_size];

        // Step 4: Decompress content
        let compression = header.get_compression().unwrap_or(Compression::None);
        let decompressed = format::decompress(content_bytes, compression).map_err(|_| {
            KernelError::InvalidArgument {
                name: "compression",
                value: "decompression_failed",
            }
        })?;

        // Step 5: Extract files from decompressed content
        extract_package_files(&package_id, &decompressed)?;

        // Step 6: Update installed registry
        self.installed.insert(package_id.clone(), metadata);

        crate::println!(
            "[PKG] Package {} successfully extracted and installed",
            package_id
        );

        Ok(())
    }

    /// Find packages that depend on the given package
    fn find_dependents(&self, package_id: &PackageId) -> Vec<PackageId> {
        self.installed
            .iter()
            .filter(|(_, meta)| meta.dependencies.iter().any(|dep| &dep.name == package_id))
            .map(|(id, _)| id.clone())
            .collect()
    }

    // ========================================================================
    // Transaction System
    // ========================================================================

    /// Begin an atomic transaction.
    ///
    /// All install/remove operations after this call are staged and only
    /// applied when `commit_transaction()` is called. If any operation
    /// fails or `rollback_transaction()` is called, the package state
    /// reverts to the snapshot taken here.
    pub fn begin_transaction(&mut self) -> PkgResult<()> {
        if self.transaction.is_some() {
            return Err(KernelError::InvalidState {
                expected: "no active transaction",
                actual: "transaction already in progress",
            });
        }
        self.transaction = Some(PackageTransaction::new(&self.installed));
        crate::println!("[PKG] Transaction started");
        Ok(())
    }

    /// Commit the current transaction, persisting state to the database.
    pub fn commit_transaction(&mut self) -> PkgResult<()> {
        let txn = self.transaction.take().ok_or(KernelError::InvalidState {
            expected: "active transaction",
            actual: "no transaction in progress",
        })?;

        let _op_count = txn.operations.len();
        crate::println!("[PKG] Transaction committed ({} operations)", _op_count);

        // Persist to on-disk database
        if let Err(_e) = self.database.save() {
            crate::println!("[PKG] Warning: failed to persist database: {:?}", _e);
        }
        Ok(())
    }

    /// Roll back the current transaction, restoring the pre-transaction state.
    pub fn rollback_transaction(&mut self) -> PkgResult<()> {
        let txn = self.transaction.take().ok_or(KernelError::InvalidState {
            expected: "active transaction",
            actual: "no transaction in progress",
        })?;

        self.installed = txn.snapshot;
        crate::println!("[PKG] Transaction rolled back");
        Ok(())
    }

    // ========================================================================
    // Upgrade Operations
    // ========================================================================

    /// Upgrade a single installed package to the latest available version.
    pub fn upgrade(&mut self, package_id: &str) -> PkgResult<()> {
        if !self.installed.contains_key(package_id) {
            return Err(KernelError::NotFound {
                resource: "installed package",
                id: 0,
            });
        }

        let current_version = self
            .installed
            .get(package_id)
            .map(|m| m.version.clone())
            .ok_or(KernelError::NotFound {
                resource: "package",
                id: 0,
            })?;

        // Ask the resolver for the latest available version
        let latest = self.resolver.latest_version(package_id);
        match latest {
            Some(v) if v > current_version => {
                crate::println!(
                    "[PKG] Upgrading {} from {}.{}.{} to {}.{}.{}",
                    package_id,
                    current_version.major,
                    current_version.minor,
                    current_version.patch,
                    v.major,
                    v.minor,
                    v.patch
                );
                let version_req = alloc::format!("{}.{}.{}", v.major, v.minor, v.patch);
                // Remove old, install new
                self.installed.remove(package_id);
                self.install(String::from(package_id), version_req)?;
            }
            _ => {
                crate::println!("[PKG] {} is already at the latest version", package_id);
            }
        }

        Ok(())
    }

    /// Upgrade all installed packages to their latest available versions.
    pub fn upgrade_all(&mut self) -> PkgResult<usize> {
        let installed_names: Vec<PackageId> = self.installed.keys().cloned().collect();
        let mut upgraded = 0;

        for name in &installed_names {
            let current = self.installed.get(name).map(|m| m.version.clone());
            let latest = self.resolver.latest_version(name);

            if let (Some(cur), Some(lat)) = (current, latest) {
                if lat > cur {
                    self.upgrade(name)?;
                    upgraded += 1;
                }
            }
        }

        crate::println!("[PKG] Upgraded {} package(s)", upgraded);
        Ok(upgraded)
    }

    // ========================================================================
    // Search and Query
    // ========================================================================

    /// Search available packages by name substring.
    pub fn search(&self, query: &str) -> Vec<(PackageId, Version)> {
        self.resolver.search(query)
    }

    /// Get detailed information about a package (installed or available).
    pub fn get_package_info(&self, package_id: &str) -> Option<PackageMetadata> {
        // Check installed first
        if let Some(meta) = self.installed.get(package_id) {
            return Some(meta.clone());
        }
        // Check resolver's known packages
        self.resolver.get_package_metadata(package_id)
    }

    /// Get a reference to the file manifest.
    pub fn file_manifest(&self) -> &manifest::FileManifest {
        &self.file_manifest
    }

    /// Get a mutable reference to the file manifest.
    pub fn file_manifest_mut(&mut self) -> &mut manifest::FileManifest {
        &mut self.file_manifest
    }

    /// Get a reference to the persistent database.
    pub fn database(&self) -> &database::PackageDatabase {
        &self.database
    }

    /// Get a mutable reference to the persistent database.
    pub fn database_mut(&mut self) -> &mut database::PackageDatabase {
        &mut self.database
    }
}

impl Default for PackageManager {
    fn default() -> Self {
        Self::new()
    }
}

/// Global package manager instance protected by Mutex
static PACKAGE_MANAGER: Mutex<Option<PackageManager>> = Mutex::new(None);

/// Initialize package management system
pub fn init() {
    *PACKAGE_MANAGER.lock() = Some(PackageManager::new());
    crate::println!("[PKG] Package management system initialized");
}

/// Execute a closure with the package manager (mutable access)
pub fn with_package_manager<R, F: FnOnce(&mut PackageManager) -> R>(f: F) -> Option<R> {
    PACKAGE_MANAGER.lock().as_mut().map(f)
}

// ============================================================================
// Signature Verification Helpers
// ============================================================================

/// Trusted Dilithium public key (post-quantum ML-DSA-65)
///
/// This returns the embedded ML-DSA-65 (Dilithium3) public key for package
/// signature verification. In production, this key would be:
/// - Embedded at kernel build time from a secure key ceremony
/// - Stored in TPM/secure enclave for hardware-backed verification
/// - Part of the kernel's trusted computing base
///
/// Key size: 1952 bytes per NIST FIPS 204 specification
fn get_trusted_dilithium_pubkey() -> Vec<u8> {
    use crate::crypto::pq_params::dilithium::level3::PUBLIC_KEY_SIZE;

    // ML-DSA-65 public key embedded at build time
    // This is a deterministically generated test key for development
    // Production builds MUST replace this with a real key ceremony output
    let mut key = vec![0u8; PUBLIC_KEY_SIZE];

    // Seed the key with deterministic bytes for reproducible testing
    // Real key would be loaded from secure storage or compiled-in
    let seed: [u8; 32] = [
        0x56, 0x65, 0x72, 0x69, 0x64, 0x69, 0x61, 0x6e, // "Veridian"
        0x4f, 0x53, 0x2d, 0x50, 0x4b, 0x47, 0x2d, 0x4b, // "OS-PKG-K"
        0x45, 0x59, 0x2d, 0x53, 0x45, 0x45, 0x44, 0x00, // "EY-SEED\0"
        0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, // Version 1
    ];

    // Expand seed into full public key using deterministic derivation
    // This is for testing only - real keys use proper key generation
    for (i, key_byte) in key.iter_mut().enumerate() {
        // Simple expansion: hash(seed || counter)
        let counter = i as u8;
        let idx = i % 32;
        *key_byte = seed[idx].wrapping_add(counter).wrapping_mul(0x6D);
    }

    // Set magic bytes to identify key type
    key[0] = 0x4D; // 'M' for ML-DSA
    key[1] = 0x44; // 'D'
    key[2] = 0x36; // '6' for level 6 (65)
    key[3] = 0x35; // '5'

    key
}

/// Verify Dilithium (ML-DSA) signature.
///
/// Structural verification of a Dilithium/ML-DSA signature. A full algebraic
/// verification (NTT, matrix operations) is not yet implemented; this checks
/// that the signature components have valid structure and reasonable entropy.
fn verify_dilithium_signature(message: &[u8], signature: &[u8], public_key: &[u8]) -> bool {
    // Delegate to the dedicated Dilithium/ML-DSA module which performs
    // FIPS 204 structural verification with hash-based binding.
    match crate::security::dilithium::verify(public_key, message, signature) {
        Ok(valid) => valid,
        Err(_e) => {
            crate::println!("[PKG] Dilithium verification error: {:?}", _e);
            false
        }
    }
}

// ============================================================================
// Package Metadata Parsing
// ============================================================================

/// Parse package metadata from JSON bytes
fn parse_package_metadata(data: &[u8]) -> PkgResult<PackageMetadata> {
    // Simple JSON parser for package metadata
    // Format: {"name":"...", "version":"...", "author":"...", ...}

    let json_str = core::str::from_utf8(data).map_err(|_| KernelError::InvalidArgument {
        name: "metadata",
        value: "not_utf8",
    })?;

    // Extract fields using simple pattern matching
    let name = extract_json_string(json_str, "name").unwrap_or_else(|| String::from("unknown"));
    let version_str =
        extract_json_string(json_str, "version").unwrap_or_else(|| String::from("0.0.0"));
    let author = extract_json_string(json_str, "author").unwrap_or_else(|| String::from("unknown"));
    let description =
        extract_json_string(json_str, "description").unwrap_or_else(|| String::from(""));
    let license = extract_json_string(json_str, "license").unwrap_or_else(|| String::from(""));

    // Parse version
    let version = parse_version(&version_str);

    // Parse dependencies array
    let dependencies = extract_json_array(json_str, "dependencies")
        .map(|deps| {
            deps.into_iter()
                .filter_map(|dep_str| {
                    let parts: Vec<&str> = dep_str.split('@').collect();
                    if !parts.is_empty() {
                        Some(Dependency {
                            name: String::from(parts[0]),
                            version_req: if parts.len() > 1 {
                                String::from(parts[1])
                            } else {
                                String::from("*")
                            },
                        })
                    } else {
                        None
                    }
                })
                .collect()
        })
        .unwrap_or_else(Vec::new);

    Ok(PackageMetadata {
        name,
        version,
        author,
        description,
        license,
        dependencies,
        conflicts: Vec::new(),
    })
}

/// Extract string value from JSON
fn extract_json_string(json: &str, key: &str) -> Option<String> {
    let pattern = alloc::format!("\"{}\":\"", key);
    if let Some(start) = json.find(&pattern) {
        let value_start = start + pattern.len();
        if let Some(end) = json[value_start..].find('"') {
            return Some(String::from(&json[value_start..value_start + end]));
        }
    }
    None
}

/// Extract array from JSON (simplified)
fn extract_json_array(json: &str, key: &str) -> Option<Vec<String>> {
    let pattern = alloc::format!("\"{}\":[", key);
    if let Some(start) = json.find(&pattern) {
        let array_start = start + pattern.len();
        if let Some(end) = json[array_start..].find(']') {
            let array_str = &json[array_start..array_start + end];
            let items: Vec<String> = array_str
                .split(',')
                .map(|s: &str| String::from(s.trim().trim_matches('"')))
                .filter(|s: &String| !s.is_empty())
                .collect();
            return Some(items);
        }
    }
    None
}

/// Parse semantic version string
fn parse_version(version_str: &str) -> Version {
    let parts: Vec<&str> = version_str.split('.').collect();

    let major = parts.first().and_then(|s| s.parse().ok()).unwrap_or(0);
    let minor = parts.get(1).and_then(|s| s.parse().ok()).unwrap_or(0);
    let patch = parts.get(2).and_then(|s| s.parse().ok()).unwrap_or(0);

    Version {
        major,
        minor,
        patch,
    }
}

// ============================================================================
// Package File Extraction
// ============================================================================

/// File entry in package archive
///
/// Phase 4 (package ecosystem) -- struct fields used during extraction
/// but not directly accessed outside `extract_package_files`.
#[allow(dead_code)] // Package format documentation struct -- fields describe archive layout
struct PackageFileEntry {
    path: String,
    size: u64,
    mode: u32,
    data_offset: usize,
}

/// Extract files from decompressed package content
fn extract_package_files(package_id: &str, data: &[u8]) -> PkgResult<()> {
    // Package content format:
    // [4 bytes] Number of files
    // For each file:
    //   [2 bytes] Path length
    //   [N bytes] Path (UTF-8)
    //   [8 bytes] File size
    //   [4 bytes] File mode/permissions
    //   [N bytes] File data

    if data.len() < 4 {
        return Err(KernelError::InvalidArgument {
            name: "package_content",
            value: "too_short",
        });
    }

    let num_files = u32::from_le_bytes([data[0], data[1], data[2], data[3]]) as usize;
    let mut pos = 4;

    let install_base = alloc::format!("/usr/local/packages/{}", package_id);

    #[cfg_attr(not(target_arch = "x86_64"), allow(unused_variables))]
    for file_idx in 0..num_files {
        // Read path length
        if pos + 2 > data.len() {
            return Err(KernelError::InvalidArgument {
                name: "file_entry",
                value: "truncated_path_len",
            });
        }
        let path_len = u16::from_le_bytes([data[pos], data[pos + 1]]) as usize;
        pos += 2;

        // Read path
        if pos + path_len > data.len() {
            return Err(KernelError::InvalidArgument {
                name: "file_entry",
                value: "truncated_path",
            });
        }
        let path = core::str::from_utf8(&data[pos..pos + path_len]).map_err(|_| {
            KernelError::InvalidArgument {
                name: "file_path",
                value: "not_utf8",
            }
        })?;
        pos += path_len;

        // Read file size
        if pos + 8 > data.len() {
            return Err(KernelError::InvalidArgument {
                name: "file_entry",
                value: "truncated_size",
            });
        }
        let file_size = u64::from_le_bytes([
            data[pos],
            data[pos + 1],
            data[pos + 2],
            data[pos + 3],
            data[pos + 4],
            data[pos + 5],
            data[pos + 6],
            data[pos + 7],
        ]) as usize;
        pos += 8;

        // Read file mode
        if pos + 4 > data.len() {
            return Err(KernelError::InvalidArgument {
                name: "file_entry",
                value: "truncated_mode",
            });
        }
        let file_mode =
            u32::from_le_bytes([data[pos], data[pos + 1], data[pos + 2], data[pos + 3]]);
        pos += 4;

        // Read file data
        if pos + file_size > data.len() {
            return Err(KernelError::InvalidArgument {
                name: "file_entry",
                value: "truncated_data",
            });
        }
        let file_data = &data[pos..pos + file_size];
        pos += file_size;

        // Install file to filesystem
        let full_path = alloc::format!("{}/{}", install_base, path);
        install_file(&full_path, file_data, file_mode)?;

        crate::println!(
            "[PKG] Extracted file {}/{}: {} ({} bytes, mode {:o})",
            file_idx + 1,
            num_files,
            path,
            file_size,
            file_mode
        );
    }

    Ok(())
}

/// Install a single file to the filesystem
fn install_file(path: &str, data: &[u8], mode: u32) -> PkgResult<()> {
    // Create parent directories if needed
    if let Some(parent_end) = path.rfind('/') {
        let parent_path = &path[..parent_end];
        create_directories(parent_path)?;
    }

    // Write file to VFS
    // In a full implementation, this would use the VFS layer
    #[cfg(feature = "alloc")]
    {
        use crate::fs::{get_vfs, OpenFlags, Permissions};

        // Create parent directories if needed
        if let Some(parent_end) = path.rfind('/') {
            if parent_end > 0 {
                let parent = &path[..parent_end];
                let perms = Permissions::from_mode(0o755);
                // Ignore errors for existing directories
                let _ = get_vfs().write().mkdir(parent, perms);
            }
        }

        // Open/create file via VFS and write data
        // For now, use the ramfs node write capability
        let flags = OpenFlags::read_write();
        match get_vfs().read().open(path, flags) {
            Ok(node) => {
                // Write data to the node
                if let Err(_e) = node.write(0, data) {
                    crate::println!("[PKG] Warning: Could not write to file {}", path);
                }
            }
            Err(_e) => {
                // File creation may not be fully supported yet
                crate::println!(
                    "[PKG] Warning: Could not create file {} (VFS limitation)",
                    path
                );
            }
        }
        let _ = mode; // Mode will be set when VFS supports it
    }

    #[cfg(not(feature = "alloc"))]
    {
        // Without alloc, just log
        let _ = (path, data, mode);
    }

    Ok(())
}

#[cfg(test)]
mod tests {
    #[allow(unused_imports)]
    use alloc::vec;

    use super::*;

    // ---- Version ----

    #[test]
    fn test_version_new() {
        let v = Version::new(1, 2, 3);
        assert_eq!(v.major, 1);
        assert_eq!(v.minor, 2);
        assert_eq!(v.patch, 3);
    }

    #[test]
    fn test_version_ordering() {
        let v1 = Version::new(1, 0, 0);
        let v2 = Version::new(1, 0, 1);
        let v3 = Version::new(1, 1, 0);
        let v4 = Version::new(2, 0, 0);
        assert!(v1 < v2);
        assert!(v2 < v3);
        assert!(v3 < v4);
        assert_eq!(v1, Version::new(1, 0, 0));
    }

    #[test]
    fn test_version_clone_and_eq() {
        let v1 = Version::new(5, 10, 15);
        let v2 = v1.clone();
        assert_eq!(v1, v2);
    }

    // ---- parse_version ----

    #[test]
    fn test_parse_version_full() {
        let v = parse_version("1.2.3");
        assert_eq!(v, Version::new(1, 2, 3));
    }

    #[test]
    fn test_parse_version_partial() {
        let v = parse_version("5.10");
        assert_eq!(v, Version::new(5, 10, 0));
    }

    #[test]
    fn test_parse_version_major_only() {
        let v = parse_version("7");
        assert_eq!(v, Version::new(7, 0, 0));
    }

    #[test]
    fn test_parse_version_invalid() {
        let v = parse_version("abc");
        assert_eq!(v, Version::new(0, 0, 0));
    }

    #[test]
    fn test_parse_version_empty() {
        let v = parse_version("");
        assert_eq!(v, Version::new(0, 0, 0));
    }

    // ---- extract_json_string ----

    #[test]
    fn test_extract_json_string_found() {
        let json = r#"{"name":"hello","version":"1.0.0"}"#;
        assert_eq!(
            extract_json_string(json, "name"),
            Some(String::from("hello"))
        );
        assert_eq!(
            extract_json_string(json, "version"),
            Some(String::from("1.0.0"))
        );
    }

    #[test]
    fn test_extract_json_string_not_found() {
        let json = r#"{"name":"hello"}"#;
        assert_eq!(extract_json_string(json, "missing"), None);
    }

    // ---- extract_json_array ----

    #[test]
    fn test_extract_json_array_found() {
        let json = r#"{"items":["a","b","c"]}"#;
        let arr = extract_json_array(json, "items").unwrap();
        assert_eq!(arr.len(), 3);
        assert_eq!(arr[0], "a");
        assert_eq!(arr[1], "b");
        assert_eq!(arr[2], "c");
    }

    #[test]
    fn test_extract_json_array_not_found() {
        let json = r#"{"name":"test"}"#;
        assert!(extract_json_array(json, "items").is_none());
    }

    #[test]
    fn test_extract_json_array_empty() {
        let json = r#"{"items":[]}"#;
        let arr = extract_json_array(json, "items").unwrap();
        assert!(arr.is_empty());
    }

    // ---- parse_package_metadata ----

    #[test]
    fn test_parse_package_metadata_valid() {
        let json = br#"{"name":"test-pkg","version":"1.2.3","author":"dev","description":"a package","license":"MIT"}"#;
        let meta = parse_package_metadata(json).unwrap();
        assert_eq!(meta.name, "test-pkg");
        assert_eq!(meta.version, Version::new(1, 2, 3));
        assert_eq!(meta.author, "dev");
        assert_eq!(meta.description, "a package");
        assert_eq!(meta.license, "MIT");
    }

    #[test]
    fn test_parse_package_metadata_minimal() {
        let json = br#"{}"#;
        let meta = parse_package_metadata(json).unwrap();
        assert_eq!(meta.name, "unknown");
        assert_eq!(meta.version, Version::new(0, 0, 0));
    }

    #[test]
    fn test_parse_package_metadata_invalid_utf8() {
        let data: &[u8] = &[0xFF, 0xFE];
        assert!(parse_package_metadata(data).is_err());
    }

    #[test]
    fn test_parse_package_metadata_with_deps() {
        let json = br#"{"name":"app","version":"1.0.0","dependencies":["lib@>=1.0.0","core"]}"#;
        let meta = parse_package_metadata(json).unwrap();
        assert_eq!(meta.dependencies.len(), 2);
        assert_eq!(meta.dependencies[0].name, "lib");
        assert_eq!(meta.dependencies[0].version_req, ">=1.0.0");
        assert_eq!(meta.dependencies[1].name, "core");
        assert_eq!(meta.dependencies[1].version_req, "*");
    }

    // ---- InstallOptions ----

    #[test]
    fn test_install_options_default() {
        let opts = InstallOptions::default();
        assert!(!opts.force_unsigned);
        assert!(opts.expected_hash.is_none());
    }

    // ---- PackageManager basic operations ----

    #[test]
    fn test_package_manager_new() {
        let pm = PackageManager::new();
        assert!(pm.list_installed().is_empty());
        assert!(!pm.is_installed(&String::from("test")));
    }

    #[test]
    fn test_package_manager_default() {
        let pm = PackageManager::default();
        assert!(pm.list_installed().is_empty());
    }

    #[test]
    fn test_package_manager_remove_not_installed() {
        let mut pm = PackageManager::new();
        let result = pm.remove(&String::from("nonexistent"));
        assert!(result.is_err());
    }

    #[test]
    fn test_package_manager_get_metadata_none() {
        let pm = PackageManager::new();
        assert!(pm.get_metadata(&String::from("missing")).is_none());
    }

    // ---- Transaction system ----

    #[test]
    fn test_transaction_begin_commit() {
        let mut pm = PackageManager::new();
        assert!(pm.begin_transaction().is_ok());
        assert!(pm.commit_transaction().is_ok());
    }

    #[test]
    fn test_transaction_double_begin() {
        let mut pm = PackageManager::new();
        assert!(pm.begin_transaction().is_ok());
        assert!(pm.begin_transaction().is_err());
    }

    #[test]
    fn test_transaction_commit_without_begin() {
        let mut pm = PackageManager::new();
        assert!(pm.commit_transaction().is_err());
    }

    #[test]
    fn test_transaction_rollback_without_begin() {
        let mut pm = PackageManager::new();
        assert!(pm.rollback_transaction().is_err());
    }

    #[test]
    fn test_transaction_rollback() {
        let mut pm = PackageManager::new();
        // Insert a package manually for testing
        pm.installed.insert(
            String::from("test-pkg"),
            PackageMetadata {
                name: String::from("test-pkg"),
                version: Version::new(1, 0, 0),
                author: String::new(),
                description: String::new(),
                license: String::new(),
                dependencies: vec![],
                conflicts: vec![],
            },
        );

        assert!(pm.begin_transaction().is_ok());
        // Remove the package
        assert!(pm.remove(&String::from("test-pkg")).is_ok());
        assert!(!pm.is_installed(&String::from("test-pkg")));
        // Rollback
        assert!(pm.rollback_transaction().is_ok());
        assert!(pm.is_installed(&String::from("test-pkg")));
    }

    // ---- find_dependents ----

    #[test]
    fn test_find_dependents() {
        let mut pm = PackageManager::new();
        pm.installed.insert(
            String::from("lib"),
            PackageMetadata {
                name: String::from("lib"),
                version: Version::new(1, 0, 0),
                author: String::new(),
                description: String::new(),
                license: String::new(),
                dependencies: vec![],
                conflicts: vec![],
            },
        );
        pm.installed.insert(
            String::from("app"),
            PackageMetadata {
                name: String::from("app"),
                version: Version::new(1, 0, 0),
                author: String::new(),
                description: String::new(),
                license: String::new(),
                dependencies: vec![Dependency {
                    name: String::from("lib"),
                    version_req: String::from("*"),
                }],
                conflicts: vec![],
            },
        );
        let deps = pm.find_dependents(&String::from("lib"));
        assert_eq!(deps.len(), 1);
        assert_eq!(deps[0], "app");
    }

    #[test]
    fn test_remove_with_dependents_fails() {
        let mut pm = PackageManager::new();
        pm.installed.insert(
            String::from("lib"),
            PackageMetadata {
                name: String::from("lib"),
                version: Version::new(1, 0, 0),
                author: String::new(),
                description: String::new(),
                license: String::new(),
                dependencies: vec![],
                conflicts: vec![],
            },
        );
        pm.installed.insert(
            String::from("app"),
            PackageMetadata {
                name: String::from("app"),
                version: Version::new(1, 0, 0),
                author: String::new(),
                description: String::new(),
                license: String::new(),
                dependencies: vec![Dependency {
                    name: String::from("lib"),
                    version_req: String::from("*"),
                }],
                conflicts: vec![],
            },
        );
        // Cannot remove lib because app depends on it
        assert!(pm.remove(&String::from("lib")).is_err());
    }

    // ---- extract_package_files ----

    #[test]
    fn test_extract_package_files_too_short() {
        let data: &[u8] = &[0, 1, 2];
        assert!(extract_package_files("test", data).is_err());
    }

    #[test]
    fn test_extract_package_files_zero_files() {
        let data: &[u8] = &[0, 0, 0, 0]; // num_files = 0
        assert!(extract_package_files("test", data).is_ok());
    }
}

/// Create directory hierarchy
fn create_directories(path: &str) -> PkgResult<()> {
    // Split path and create each component
    let components: Vec<&str> = path.split('/').filter(|s| !s.is_empty()).collect();

    let mut current_path = String::new();
    for component in components {
        current_path.push('/');
        current_path.push_str(component);

        // Try to create directory (ignore if exists)
        #[cfg(feature = "alloc")]
        {
            use crate::fs::{get_vfs, Permissions};
            let perms = Permissions::from_mode(0o755);
            // Ignore errors for existing directories
            let _ = get_vfs().write().mkdir(&current_path, perms);
        }
    }

    Ok(())
}