cellstate_pipeline/pack/

flow.rs

//! Flow definition and execution receipts
//!
//! Re-export path: cellstate_pipeline::pack::flow::*

use serde::{Deserialize, Serialize};
use std::collections::HashMap;

/// Flow definition from ```flow fence blocks
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct FlowDefinition {
    pub name: String,
    pub description: Option<String>,
    pub steps: Vec<FlowStep>,
    pub on_error: FlowErrorHandler,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct FlowStep {
    pub id: String,
    pub tool: String,
    pub inputs: HashMap<String, String>,
    pub outputs: Vec<String>,
    #[serde(with = "hex_array")]
    pub content_hash: [u8; 32], // SHA-256(id + tool + inputs)
}

impl FlowStep {
    pub fn compute_hash(&self) -> [u8; 32] {
        use sha2::{Digest, Sha256};

        let mut hasher = Sha256::new();
        hasher.update(self.id.as_bytes());
        hasher.update(self.tool.as_bytes());

        // Sort inputs for determinism
        let mut sorted_inputs: Vec<_> = self.inputs.iter().collect();
        sorted_inputs.sort_by_key(|(k, _)| *k);
        for (key, value) in sorted_inputs {
            hasher.update(key.as_bytes());
            hasher.update(value.as_bytes());
        }

        hasher.finalize().into()
    }
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum FlowErrorHandler {
    Retry { max_attempts: u32 },
    SkipToNext,
    Abort,
    Fallback { step_id: String },
}

/// Compiled flow ready for execution
#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
pub struct CompiledFlow {
    pub name: String,
    #[serde(with = "hex_array")]
    pub flow_hash: [u8; 32],
    pub steps: Vec<CompiledFlowStep>,
}

#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
pub struct CompiledFlowStep {
    pub id: String,
    pub tool: String,
    pub inputs: HashMap<String, String>,
    pub outputs: Vec<String>,
    #[serde(with = "hex_array")]
    pub content_hash: [u8; 32],
}

/// Flow execution receipt (Feedback #6 - audit trail)
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct FlowReceipt {
    pub receipt_id: uuid::Uuid,
    pub flow_name: String,
    #[serde(with = "hex_array")]
    pub flow_hash: [u8; 32],
    pub steps_executed: Vec<FlowStepReceipt>,
    pub started_at: chrono::DateTime<chrono::Utc>,
    pub completed_at: Option<chrono::DateTime<chrono::Utc>>,
    pub final_status: FlowStatus,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct FlowStepReceipt {
    pub step_id: String,
    #[serde(with = "hex_array")]
    pub step_hash: [u8; 32],
    pub started_at: chrono::DateTime<chrono::Utc>,
    pub completed_at: chrono::DateTime<chrono::Utc>,
    pub status: StepStatus,
    #[serde(with = "hex_array")]
    pub output_hash: [u8; 32],
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum FlowStatus {
    Running,
    Completed,
    Failed,
    Cancelled,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum StepStatus {
    Success,
    Failed,
    Skipped,
}

// Hex array serde helper module
mod hex_array {
    use serde::{Deserialize, Deserializer, Serialize, Serializer};

    pub fn serialize<S>(bytes: &[u8; 32], serializer: S) -> Result<S::Ok, S::Error>
    where
        S: Serializer,
    {
        hex::encode(bytes).serialize(serializer)
    }

    pub fn deserialize<'de, D>(deserializer: D) -> Result<[u8; 32], D::Error>
    where
        D: Deserializer<'de>,
    {
        let s = String::deserialize(deserializer)?;
        let bytes = hex::decode(&s).map_err(serde::de::Error::custom)?;
        if bytes.len() != 32 {
            return Err(serde::de::Error::custom("expected 32 bytes"));
        }
        let mut array = [0u8; 32];
        array.copy_from_slice(&bytes);
        Ok(array)
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use chrono::Utc;
    use std::collections::HashMap;

    /// Helper to create a FlowStep with given parameters
    fn make_flow_step(id: &str, tool: &str, inputs: Vec<(&str, &str)>) -> FlowStep {
        let inputs_map: HashMap<String, String> = inputs
            .into_iter()
            .map(|(k, v)| (k.to_string(), v.to_string()))
            .collect();
        FlowStep {
            id: id.to_string(),
            tool: tool.to_string(),
            inputs: inputs_map,
            outputs: vec!["result".to_string()],
            content_hash: [0u8; 32], // Placeholder, will be computed
        }
    }

    /// Helper to create a FlowStepReceipt with given parameters
    fn make_step_receipt(
        step_id: &str,
        step_hash: [u8; 32],
        output_hash: [u8; 32],
    ) -> FlowStepReceipt {
        let now = Utc::now();
        FlowStepReceipt {
            step_id: step_id.to_string(),
            step_hash,
            started_at: now,
            completed_at: now,
            status: StepStatus::Success,
            output_hash,
        }
    }

    /// Helper to create a FlowReceipt with given parameters
    fn make_flow_receipt(
        flow_name: &str,
        flow_hash: [u8; 32],
        steps: Vec<FlowStepReceipt>,
    ) -> FlowReceipt {
        let now = Utc::now();
        FlowReceipt {
            receipt_id: uuid::Uuid::new_v4(),
            flow_name: flow_name.to_string(),
            flow_hash,
            steps_executed: steps,
            started_at: now,
            completed_at: Some(now),
            final_status: FlowStatus::Completed,
        }
    }

    // ==================== FlowStep::compute_hash() Tests ====================

    #[test]
    fn test_flow_step_compute_hash_deterministic() {
        // Calling compute_hash multiple times on the same FlowStep should yield identical results
        let step = make_flow_step("step1", "file_read", vec![("path", "/tmp/test.txt")]);

        let hash1 = step.compute_hash();
        let hash2 = step.compute_hash();
        let hash3 = step.compute_hash();

        assert_eq!(hash1, hash2, "Hash should be deterministic across calls");
        assert_eq!(hash2, hash3, "Hash should be deterministic across calls");
    }

    #[test]
    fn test_flow_step_compute_hash_same_inputs_same_hash() {
        // Two FlowSteps with identical content should produce the same hash
        let step1 = make_flow_step("step1", "file_read", vec![("path", "/tmp/test.txt")]);
        let step2 = make_flow_step("step1", "file_read", vec![("path", "/tmp/test.txt")]);

        let hash1 = step1.compute_hash();
        let hash2 = step2.compute_hash();

        assert_eq!(
            hash1, hash2,
            "Identical FlowSteps should produce identical hashes"
        );
    }

    #[test]
    fn test_flow_step_compute_hash_different_id_different_hash() {
        // Different step IDs should produce different hashes
        let step1 = make_flow_step("step1", "file_read", vec![("path", "/tmp/test.txt")]);
        let step2 = make_flow_step("step2", "file_read", vec![("path", "/tmp/test.txt")]);

        let hash1 = step1.compute_hash();
        let hash2 = step2.compute_hash();

        assert_ne!(
            hash1, hash2,
            "Different IDs should produce different hashes"
        );
    }

    #[test]
    fn test_flow_step_compute_hash_different_tool_different_hash() {
        // Different tools should produce different hashes
        let step1 = make_flow_step("step1", "file_read", vec![("path", "/tmp/test.txt")]);
        let step2 = make_flow_step("step1", "file_write", vec![("path", "/tmp/test.txt")]);

        let hash1 = step1.compute_hash();
        let hash2 = step2.compute_hash();

        assert_ne!(
            hash1, hash2,
            "Different tools should produce different hashes"
        );
    }

    #[test]
    fn test_flow_step_compute_hash_different_input_values_different_hash() {
        // Different input values should produce different hashes
        let step1 = make_flow_step("step1", "file_read", vec![("path", "/tmp/test1.txt")]);
        let step2 = make_flow_step("step1", "file_read", vec![("path", "/tmp/test2.txt")]);

        let hash1 = step1.compute_hash();
        let hash2 = step2.compute_hash();

        assert_ne!(
            hash1, hash2,
            "Different input values should produce different hashes"
        );
    }

    #[test]
    fn test_flow_step_compute_hash_different_input_keys_different_hash() {
        // Different input keys should produce different hashes
        let step1 = make_flow_step("step1", "file_read", vec![("path", "/tmp/test.txt")]);
        let step2 = make_flow_step("step1", "file_read", vec![("file", "/tmp/test.txt")]);

        let hash1 = step1.compute_hash();
        let hash2 = step2.compute_hash();

        assert_ne!(
            hash1, hash2,
            "Different input keys should produce different hashes"
        );
    }

    #[test]
    fn test_flow_step_compute_hash_input_order_independent() {
        // Hash should be the same regardless of insertion order (inputs are sorted)
        let step1 = make_flow_step(
            "step1",
            "http_request",
            vec![
                ("url", "http://example.com"),
                ("method", "GET"),
                ("timeout", "30"),
            ],
        );

        // Create step2 with inputs in different order
        let mut inputs2 = HashMap::new();
        inputs2.insert("timeout".to_string(), "30".to_string());
        inputs2.insert("url".to_string(), "http://example.com".to_string());
        inputs2.insert("method".to_string(), "GET".to_string());

        let step2 = FlowStep {
            id: "step1".to_string(),
            tool: "http_request".to_string(),
            inputs: inputs2,
            outputs: vec!["result".to_string()],
            content_hash: [0u8; 32],
        };

        let hash1 = step1.compute_hash();
        let hash2 = step2.compute_hash();

        assert_eq!(
            hash1, hash2,
            "Input order should not affect hash (inputs are sorted)"
        );
    }

    #[test]
    fn test_flow_step_compute_hash_empty_inputs() {
        // Empty inputs should still produce a valid, deterministic hash
        let step1 = make_flow_step("step1", "noop", vec![]);
        let step2 = make_flow_step("step1", "noop", vec![]);

        let hash1 = step1.compute_hash();
        let hash2 = step2.compute_hash();

        assert_eq!(
            hash1, hash2,
            "Empty inputs should produce deterministic hash"
        );
        assert_ne!(hash1, [0u8; 32], "Hash should not be all zeros");
    }

    #[test]
    fn test_flow_step_compute_hash_many_inputs() {
        // Many inputs should still produce a deterministic hash
        let inputs: Vec<(&str, &str)> = (0..100)
            .map(|i| {
                // We need to leak these strings to get &str with 'static lifetime
                // In tests this is acceptable
                let key = Box::leak(format!("key{}", i).into_boxed_str());
                let value = Box::leak(format!("value{}", i).into_boxed_str());
                (key as &str, value as &str)
            })
            .collect();

        let step = make_flow_step("big_step", "complex_tool", inputs);

        let hash1 = step.compute_hash();
        let hash2 = step.compute_hash();

        assert_eq!(
            hash1, hash2,
            "Many inputs should produce deterministic hash"
        );
    }

    #[test]
    fn test_flow_step_compute_hash_unicode_content() {
        // Unicode content should be handled correctly
        let step1 = make_flow_step(
            "step1",
            "echo",
            vec![("message", "Hello, \u{4e16}\u{754c}!")],
        );
        let step2 = make_flow_step(
            "step1",
            "echo",
            vec![("message", "Hello, \u{4e16}\u{754c}!")],
        );

        let hash1 = step1.compute_hash();
        let hash2 = step2.compute_hash();

        assert_eq!(
            hash1, hash2,
            "Unicode content should produce deterministic hash"
        );
    }

    #[test]
    fn test_flow_step_compute_hash_special_characters() {
        // Special characters should be handled correctly
        let step1 = make_flow_step(
            "step1",
            "shell",
            vec![("cmd", "echo 'hello\\nworld' | grep -E '^[a-z]+'")],
        );
        let step2 = make_flow_step(
            "step1",
            "shell",
            vec![("cmd", "echo 'hello\\nworld' | grep -E '^[a-z]+'")],
        );

        let hash1 = step1.compute_hash();
        let hash2 = step2.compute_hash();

        assert_eq!(
            hash1, hash2,
            "Special characters should produce deterministic hash"
        );
    }

    #[test]
    fn test_flow_step_compute_hash_length_is_32_bytes() {
        // SHA256 should produce exactly 32 bytes
        let step = make_flow_step("step1", "test", vec![]);
        let hash = step.compute_hash();

        assert_eq!(hash.len(), 32, "SHA256 hash should be exactly 32 bytes");
    }

    // ==================== FlowReceipt Serialization Tests ====================

    #[test]
    fn test_flow_receipt_serialization_preserves_flow_hash() {
        let flow_hash = [0xABu8; 32];
        let receipt = make_flow_receipt("test_flow", flow_hash, vec![]);

        // Serialize to JSON
        let json = serde_json::to_string(&receipt).expect("Serialization should succeed");

        // Deserialize back
        let deserialized: FlowReceipt =
            serde_json::from_str(&json).expect("Deserialization should succeed");

        assert_eq!(
            deserialized.flow_hash, flow_hash,
            "flow_hash should be preserved through serialization"
        );
    }

    #[test]
    fn test_flow_receipt_serialization_preserves_step_hashes() {
        let flow_hash = [0x11u8; 32];
        let step_hash = [0x22u8; 32];
        let output_hash = [0x33u8; 32];

        let step_receipt = make_step_receipt("step1", step_hash, output_hash);
        let receipt = make_flow_receipt("test_flow", flow_hash, vec![step_receipt]);

        // Serialize to JSON
        let json = serde_json::to_string(&receipt).expect("Serialization should succeed");

        // Deserialize back
        let deserialized: FlowReceipt =
            serde_json::from_str(&json).expect("Deserialization should succeed");

        assert_eq!(deserialized.steps_executed.len(), 1);
        assert_eq!(
            deserialized.steps_executed[0].step_hash, step_hash,
            "step_hash should be preserved through serialization"
        );
        assert_eq!(
            deserialized.steps_executed[0].output_hash, output_hash,
            "output_hash should be preserved through serialization"
        );
    }

    #[test]
    fn test_flow_receipt_serialization_multiple_steps() {
        let flow_hash = [0x00u8; 32];
        let steps = vec![
            make_step_receipt("step1", [0x11u8; 32], [0x1Au8; 32]),
            make_step_receipt("step2", [0x22u8; 32], [0x2Bu8; 32]),
            make_step_receipt("step3", [0x33u8; 32], [0x3Cu8; 32]),
        ];
        let receipt = make_flow_receipt("multi_step_flow", flow_hash, steps);

        // Serialize to JSON
        let json = serde_json::to_string(&receipt).expect("Serialization should succeed");

        // Deserialize back
        let deserialized: FlowReceipt =
            serde_json::from_str(&json).expect("Deserialization should succeed");

        assert_eq!(deserialized.steps_executed.len(), 3);
        assert_eq!(deserialized.steps_executed[0].step_hash, [0x11u8; 32]);
        assert_eq!(deserialized.steps_executed[1].step_hash, [0x22u8; 32]);
        assert_eq!(deserialized.steps_executed[2].step_hash, [0x33u8; 32]);
        assert_eq!(deserialized.steps_executed[0].output_hash, [0x1Au8; 32]);
        assert_eq!(deserialized.steps_executed[1].output_hash, [0x2Bu8; 32]);
        assert_eq!(deserialized.steps_executed[2].output_hash, [0x3Cu8; 32]);
    }

    #[test]
    fn test_flow_receipt_json_hash_format_is_hex() {
        let flow_hash = [
            0xAB, 0xCD, 0xEF, 0x01, 0x23, 0x45, 0x67, 0x89, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
            0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x12, 0x34, 0x56, 0x78,
            0x9A, 0xBC, 0xDE, 0xF0,
        ];
        let receipt = make_flow_receipt("test_flow", flow_hash, vec![]);

        let json = serde_json::to_string(&receipt).expect("Serialization should succeed");

        // The hash should be serialized as lowercase hex
        let expected_hex = "abcdef012345678900112233445566778899aabbccddeeff123456789abcdef0";
        assert!(
            json.contains(expected_hex),
            "JSON should contain hex-encoded flow_hash"
        );
    }

    #[test]
    fn test_flow_receipt_deserialization_from_hex_string() {
        // Test that we can deserialize from a JSON with hex-encoded hash
        let json = r#"{
            "receipt_id": "550e8400-e29b-41d4-a716-446655440000",
            "flow_name": "test_flow",
            "flow_hash": "0102030405060708091011121314151617181920212223242526272829303132",
            "steps_executed": [],
            "started_at": "2024-01-01T00:00:00Z",
            "completed_at": "2024-01-01T00:01:00Z",
            "final_status": "Completed"
        }"#;

        let receipt: FlowReceipt =
            serde_json::from_str(json).expect("Should deserialize from hex hash");

        let expected_hash: [u8; 32] = [
            0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10, 0x11, 0x12, 0x13, 0x14,
            0x15, 0x16, 0x17, 0x18, 0x19, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28,
            0x29, 0x30, 0x31, 0x32,
        ];
        assert_eq!(receipt.flow_hash, expected_hash);
    }

    #[test]
    fn test_flow_receipt_deserialization_invalid_hex_fails() {
        // Invalid hex should fail deserialization
        let json = r#"{
            "receipt_id": "550e8400-e29b-41d4-a716-446655440000",
            "flow_name": "test_flow",
            "flow_hash": "not_valid_hex_string_at_all_xyz",
            "steps_executed": [],
            "started_at": "2024-01-01T00:00:00Z",
            "completed_at": "2024-01-01T00:01:00Z",
            "final_status": "Completed"
        }"#;

        let result: Result<FlowReceipt, _> = serde_json::from_str(json);
        assert!(result.is_err(), "Invalid hex should fail deserialization");
    }

    #[test]
    fn test_flow_receipt_deserialization_wrong_hash_length_fails() {
        // Hash with wrong length should fail deserialization
        let json = r#"{
            "receipt_id": "550e8400-e29b-41d4-a716-446655440000",
            "flow_name": "test_flow",
            "flow_hash": "0102030405",
            "steps_executed": [],
            "started_at": "2024-01-01T00:00:00Z",
            "completed_at": "2024-01-01T00:01:00Z",
            "final_status": "Completed"
        }"#;

        let result: Result<FlowReceipt, _> = serde_json::from_str(json);
        assert!(
            result.is_err(),
            "Hash with wrong length should fail deserialization"
        );
    }

    // ==================== FlowStepReceipt Hash Verification Tests ====================

    #[test]
    fn test_flow_step_receipt_hash_matches_step() {
        // Create a FlowStep and compute its hash
        let step = make_flow_step("step1", "file_read", vec![("path", "/data/input.csv")]);
        let computed_hash = step.compute_hash();

        // Create a FlowStepReceipt with the same step_hash
        let receipt = make_step_receipt("step1", computed_hash, [0u8; 32]);

        // Verify the hashes match
        assert_eq!(
            receipt.step_hash, computed_hash,
            "FlowStepReceipt should contain the correct step_hash"
        );
    }

    #[test]
    fn test_flow_step_receipt_verification_detects_mismatch() {
        // Create a FlowStep and compute its hash
        let step = make_flow_step("step1", "file_read", vec![("path", "/data/input.csv")]);
        let computed_hash = step.compute_hash();

        // Create a FlowStepReceipt with a DIFFERENT step_hash (simulating tampering)
        let tampered_hash = [0xFFu8; 32];
        let receipt = make_step_receipt("step1", tampered_hash, [0u8; 32]);

        // Verify the hashes don't match
        assert_ne!(
            receipt.step_hash, computed_hash,
            "Tampered hash should not match computed hash"
        );
    }

    #[test]
    fn test_flow_step_receipt_output_hash_integrity() {
        // Output hash should be preserved correctly
        let output_hash = [0x42u8; 32];
        let receipt = make_step_receipt("step1", [0u8; 32], output_hash);

        assert_eq!(receipt.output_hash, output_hash);
    }

    #[test]
    fn test_flow_step_receipt_serialization_roundtrip() {
        let step_hash = [0xAAu8; 32];
        let output_hash = [0xBBu8; 32];
        let receipt = make_step_receipt("step1", step_hash, output_hash);

        // Serialize
        let json = serde_json::to_string(&receipt).expect("Serialization should succeed");

        // Deserialize
        let deserialized: FlowStepReceipt =
            serde_json::from_str(&json).expect("Deserialization should succeed");

        assert_eq!(deserialized.step_id, receipt.step_id);
        assert_eq!(deserialized.step_hash, step_hash);
        assert_eq!(deserialized.output_hash, output_hash);
    }

    // ==================== CompiledFlow Hash Tests ====================

    #[test]
    fn test_compiled_flow_hash_serialization() {
        let flow_hash = [0x12u8; 32];
        let step_hash = [0x34u8; 32];

        let compiled_flow = CompiledFlow {
            name: "test_flow".to_string(),
            flow_hash,
            steps: vec![CompiledFlowStep {
                id: "step1".to_string(),
                tool: "test_tool".to_string(),
                inputs: HashMap::new(),
                outputs: vec![],
                content_hash: step_hash,
            }],
        };

        // Serialize
        let json = serde_json::to_string(&compiled_flow).expect("Serialization should succeed");

        // Deserialize
        let deserialized: CompiledFlow =
            serde_json::from_str(&json).expect("Deserialization should succeed");

        assert_eq!(deserialized.flow_hash, flow_hash);
        assert_eq!(deserialized.steps[0].content_hash, step_hash);
    }

    #[test]
    fn test_compiled_flow_equality_includes_hashes() {
        let flow1 = CompiledFlow {
            name: "test".to_string(),
            flow_hash: [0x11u8; 32],
            steps: vec![],
        };

        let flow2 = CompiledFlow {
            name: "test".to_string(),
            flow_hash: [0x11u8; 32],
            steps: vec![],
        };

        let flow3 = CompiledFlow {
            name: "test".to_string(),
            flow_hash: [0x22u8; 32], // Different hash
            steps: vec![],
        };

        assert_eq!(flow1, flow2, "Flows with same hash should be equal");
        assert_ne!(
            flow1, flow3,
            "Flows with different hash should not be equal"
        );
    }

    // ==================== Integration-style Tests ====================

    #[test]
    fn test_end_to_end_flow_hash_verification() {
        // Simulate a complete flow execution with hash verification

        // 1. Define flow steps
        let step1 = make_flow_step("read_input", "file_read", vec![("path", "/data/input.csv")]);
        let step2 = make_flow_step("process", "transform", vec![("operation", "uppercase")]);
        let step3 = make_flow_step(
            "write_output",
            "file_write",
            vec![("path", "/data/output.csv")],
        );

        // 2. Compute hashes for each step
        let hash1 = step1.compute_hash();
        let hash2 = step2.compute_hash();
        let hash3 = step3.compute_hash();

        // 3. Compute a flow hash (in practice, this might be a hash of all step hashes)
        use sha2::{Digest, Sha256};
        let mut flow_hasher = Sha256::new();
        flow_hasher.update(hash1);
        flow_hasher.update(hash2);
        flow_hasher.update(hash3);
        let flow_hash: [u8; 32] = flow_hasher.finalize().into();

        // 4. Create receipts for executed steps
        let receipts = vec![
            make_step_receipt("read_input", hash1, [0x01u8; 32]),
            make_step_receipt("process", hash2, [0x02u8; 32]),
            make_step_receipt("write_output", hash3, [0x03u8; 32]),
        ];

        // 5. Create the flow receipt
        let flow_receipt = make_flow_receipt("data_pipeline", flow_hash, receipts);

        // 6. Serialize and deserialize (simulating storage/retrieval)
        let json = serde_json::to_string(&flow_receipt).expect("Serialization should succeed");
        let restored: FlowReceipt =
            serde_json::from_str(&json).expect("Deserialization should succeed");

        // 7. Verify all hashes match
        assert_eq!(restored.flow_hash, flow_hash);
        assert_eq!(restored.steps_executed[0].step_hash, hash1);
        assert_eq!(restored.steps_executed[1].step_hash, hash2);
        assert_eq!(restored.steps_executed[2].step_hash, hash3);

        // 8. Verify by recomputing
        let recomputed1 = step1.compute_hash();
        let recomputed2 = step2.compute_hash();
        let recomputed3 = step3.compute_hash();

        assert_eq!(restored.steps_executed[0].step_hash, recomputed1);
        assert_eq!(restored.steps_executed[1].step_hash, recomputed2);
        assert_eq!(restored.steps_executed[2].step_hash, recomputed3);
    }

    #[test]
    fn test_tamper_detection() {
        // Create a legitimate flow step and receipt
        let step = make_flow_step("critical_step", "bank_transfer", vec![("amount", "100")]);
        let legitimate_hash = step.compute_hash();
        let receipt = make_step_receipt("critical_step", legitimate_hash, [0u8; 32]);

        // Simulate an attacker trying to claim they ran with different inputs
        let tampered_step = make_flow_step(
            "critical_step",
            "bank_transfer",
            vec![("amount", "1000000")],
        );
        let tampered_hash = tampered_step.compute_hash();

        // The hashes should not match, detecting the tampering
        assert_ne!(
            receipt.step_hash, tampered_hash,
            "Tampering should be detectable via hash mismatch"
        );

        // The legitimate hash should still match
        assert_eq!(
            receipt.step_hash, legitimate_hash,
            "Legitimate hash should still verify"
        );
    }

    #[test]
    fn test_flow_status_serialization() {
        // Test all FlowStatus variants
        let statuses = vec![
            FlowStatus::Running,
            FlowStatus::Completed,
            FlowStatus::Failed,
            FlowStatus::Cancelled,
        ];

        for status in statuses {
            let json = serde_json::to_string(&status).expect("Status serialization should succeed");
            let restored: FlowStatus =
                serde_json::from_str(&json).expect("Status deserialization should succeed");

            // Check we got the same variant back (using debug string as proxy since no PartialEq)
            assert_eq!(format!("{:?}", status), format!("{:?}", restored));
        }
    }

    #[test]
    fn test_step_status_serialization() {
        // Test all StepStatus variants
        let statuses = vec![StepStatus::Success, StepStatus::Failed, StepStatus::Skipped];

        for status in statuses {
            let json = serde_json::to_string(&status).expect("Status serialization should succeed");
            let restored: StepStatus =
                serde_json::from_str(&json).expect("Status deserialization should succeed");

            assert_eq!(format!("{:?}", status), format!("{:?}", restored));
        }
    }
}