#![no_main]
use libfuzzer_sys::fuzz_target;
use soliton::primitives::xwing;
use soliton::ratchet::{RatchetHeader, RatchetState};

// Fixed keys for deterministic Bob state construction.
const ROOT_KEY: [u8; 32] = [0x11; 32];
const CHAIN_KEY: [u8; 32] = [0x22; 32];
const FP_A: [u8; 32] = [0xAA; 32];
const FP_B: [u8; 32] = [0xBB; 32];

fuzz_target!(|data: &[u8]| {
    // Parse fuzzer input into:
    //   peer_ek (1216) | ratchet_pk (1216) | has_kem_ct (1) | [kem_ct (1120)] | n (4) | pn (4) | ciphertext
    // peer_ek is Bob's initial recv_ratchet_pk (set at init_bob time).
    // ratchet_pk is the value in the incoming header.
    // When they differ (the common case with random fuzz input), need_ratchet = true
    // and the ratchet-step path fires; when they happen to be identical, the
    // same-chain path fires. Both slices are independently fuzz-controlled.
    // Minimum: 1216 + 1216 + 1 + 4 + 4 + 16 = 2457 bytes (no kem_ct, 16 for Poly1305 tag)
    if data.len() < 2457 {
        return;
    }

    let Ok(peer_ek) = xwing::PublicKey::from_bytes(data[..1216].to_vec()) else {
        return;
    };
    let Ok(ratchet_pk) = xwing::PublicKey::from_bytes(data[1216..2432].to_vec()) else {
        return;
    };

    let Ok(mut bob) = RatchetState::init_bob(ROOT_KEY, CHAIN_KEY, FP_B, FP_A, peer_ek) else {
        return;
    };

    let rest = &data[2432..];
    let has_kem_ct = rest[0] & 0x01 != 0;

    let (kem_ct, counter_start) = if has_kem_ct {
        // Need 1120 bytes for kem_ct after the flag byte
        if rest.len() < 1 + 1120 + 8 {
            return;
        }
        match xwing::Ciphertext::from_bytes(rest[1..1121].to_vec()) {
            // counter_start = 1 (flag) + 1120 (kem_ct) = 1121
            Ok(ct) => (Some(ct), 1121),
            Err(_) => return,
        }
    } else {
        // counter_start = 1 (flag byte only; no kem_ct bytes)
        (None, 1)
    };

    if rest.len() < counter_start + 8 {
        return;
    }

    let n = u32::from_be_bytes(rest[counter_start..counter_start + 4].try_into().unwrap());
    let pn = u32::from_be_bytes(rest[counter_start + 4..counter_start + 8].try_into().unwrap());
    let ciphertext = &rest[counter_start + 8..];

    let header = RatchetHeader { ratchet_pk, kem_ct, n, pn };

    // decrypt must never panic regardless of input. When ratchet_pk differs
    // from peer_ek (the common case), need_ratchet = true and the ratchet-step
    // path fires, exercising KEM ciphertext validation, root/recv-epoch KDF,
    // and rollback on decapsulation failure. When they are identical, the
    // same-chain path fires and AEAD rejects almost all inputs. Both code
    // paths are reachable from fuzz input. Rollback execution is exercised
    // here; rollback correctness — that all 9 state fields (root_key,
    // recv_epoch_key, recv_count, recv_ratchet_pk, ratchet_pending,
    // recv_seen, prev_recv_epoch_key, prev_recv_ratchet_pk,
    // prev_recv_seen) are fully restored on failure — is verified by the
    // unit tests in ratchet/mod.rs, not by this harness.
    let _ = bob.decrypt(&header, ciphertext);
});