Port AKV, MST, and AAS extension packs with zero-copy adaptation (#188)

* feat(native): Azure Key Vault extension pack with zero-copy adaptation

Port cose_sign1_azure_key_vault and cose_sign1_azure_key_vault_ffi from
native_ports branch, adapted for zero-copy architecture:

- CoseHeaderValue::Bytes/Text use ArcSlice/ArcStr (.into() conversions)
- CoseSign1Message field access via methods (.payload()/.signature())
- Clippy fix: remove redundant struct update syntax
- FFI Cargo.toml: workspace edition/license, description, test = false
- C/C++ headers: azure_key_vault.h and azure_key_vault.hpp
- rustfmt applied to all source and test files

119 AKV tests pass, 6805 workspace total, 0 failures.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore: A+ quality fixes for Azure Key Vault extension pack

- Replace Mutex .unwrap() with proper error propagation in akv_signing_key.rs
- Add // SAFETY: comments to all 28 unsafe blocks in FFI crate
- Add description field to main Cargo.toml
- Normalize FFI Cargo.toml to brace notation for workspace fields
- Add @param/@return Doxygen to 4 trust policy builder C header functions

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* feat(native): MST transparency extension pack with zero-copy adaptation

Port cose_sign1_transparent_mst, code_transparency_client, and
cose_sign1_transparent_mst_ffi from native_ports, adapted for zero-copy:

- LazyHeaderMap: .headers()?.alg()/.kid() instead of direct field access
- CoseSign1Message: .payload()/.signature() method access
- CoseHeaderValue::Bytes/Text use ArcSlice/ArcStr (.into() conversions)
- Removed unstable str_as_str feature usage
- C/C++ headers: mst.h and mst.hpp projections

3 crates added, 56 files, 499 MST tests pass, 7395 workspace total.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Port Azure Artifact Signing extension pack with clippy fixes

- Port AAS crate, client sub-crate, and FFI crate from native_ports
- Fix clippy: too_many_arguments, collapsible if-let, manual Default impl
- Standardize all 3 Cargo.toml files (workspace edition/license, descriptions)
- Add C/C++ projection headers
- All AAS tests passing

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* A+ quality fixes for MST and AAS extension packs

- Add SAFETY comments to all unsafe blocks in MST and AAS FFI crates
- Replace .unwrap() with .expect() in non-test code (verify.rs, pack.rs, signing_service.rs)
- Add @param/@return Doxygen tags to 14 MST trust policy builder functions in mst.h

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix rustfmt formatting in verify.rs

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix CI: add PqcJwk import and time to dependency allowlist

- Gate PqcJwk import with #[cfg(feature = 'pqc')] in jwk_verifier.rs
- Add time crate to [crate.client] in allowed-dependencies.toml

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Jeromy Statia (from Dev Box) <jstatia@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: 3 people

native/c/include/cose/sign1/extension_packs/azure_artifact_signing.h

@@ -0,0 +1,55 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+/**
+ * @file azure_artifact_signing.h
+ * @brief Azure Artifact Signing trust pack for COSE Sign1
+ */
+
+#ifndef COSE_SIGN1_ATS_H
+#define COSE_SIGN1_ATS_H
+
+#include <cose/sign1/validation.h>
+#include <cose/sign1/trust.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * @brief Options for Azure Artifact Signing trust pack
+ */
+typedef struct {
+    /** AAS endpoint URL (null-terminated UTF-8) */
+    const char* endpoint;
+    /** AAS account name (null-terminated UTF-8) */
+    const char* account_name;
+    /** Certificate profile name (null-terminated UTF-8) */
+    const char* certificate_profile_name;
+} cose_ats_trust_options_t;
+
+/**
+ * @brief Add Azure Artifact Signing trust pack with default options.
+ * @param builder Validator builder handle.
+ * @return COSE_OK on success, error code otherwise.
+ */
+cose_status_t cose_sign1_validator_builder_with_ats_pack(
+    cose_sign1_validator_builder_t* builder
+);
+
+/**
+ * @brief Add Azure Artifact Signing trust pack with custom options.
+ * @param builder Validator builder handle.
+ * @param options Options structure (NULL for defaults).
+ * @return COSE_OK on success, error code otherwise.
+ */
+cose_status_t cose_sign1_validator_builder_with_ats_pack_ex(
+    cose_sign1_validator_builder_t* builder,
+    const cose_ats_trust_options_t* options
+);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* COSE_SIGN1_ATS_H */

native/c/include/cose/sign1/extension_packs/azure_key_vault.h

@@ -1,21 +1,216 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 
-#ifndef COSE_SIGN1_EXTENSION_PACKS_AZURE_KEY_VAULT_H
-#define COSE_SIGN1_EXTENSION_PACKS_AZURE_KEY_VAULT_H
+/**
+ * @file azure_key_vault.h
+ * @brief Azure Key Vault KID validation pack for COSE Sign1
+ */
+
+#ifndef COSE_SIGN1_AKV_H
+#define COSE_SIGN1_AKV_H
 
-#include <cose/cose.h>
 #include <cose/sign1/validation.h>
+#include <cose/sign1/trust.h>
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
-// Stub: Azure Key Vault trust pack is not yet implemented in this layer.
-// The COSE_HAS_AKV_PACK macro gates usage in tests.
+// CoseKeyHandle is available from cose.h (included transitively via validation.h)
+
+/**
+ * @brief Options for Azure Key Vault KID validation
+ */
+typedef struct {
+    /** If true, require the KID to look like an Azure Key Vault identifier */
+    bool require_azure_key_vault_kid;
+    
+    /** NULL-terminated array of allowed KID pattern strings (supports wildcards * and ?).
+     *  NULL means use default patterns (*.vault.azure.net/keys/*, *.managedhsm.azure.net/keys/*). */
+    const char* const* allowed_kid_patterns;
+} cose_akv_trust_options_t;
+
+/**
+ * @brief Add Azure Key Vault KID validation pack with default options
+ * 
+ * Default options (secure-by-default):
+ * - require_azure_key_vault_kid: true
+ * - allowed_kid_patterns: 
+ *   - https://*.vault.azure.net/keys/*
+ *   - https://*.managedhsm.azure.net/keys/*
+ * 
+ * @param builder Validator builder handle
+ * @return COSE_OK on success, error code otherwise
+ */
+cose_status_t cose_sign1_validator_builder_with_akv_pack(
+    cose_sign1_validator_builder_t* builder
+);
+
+/**
+ * @brief Add Azure Key Vault KID validation pack with custom options
+ * 
+ * @param builder Validator builder handle
+ * @param options Options structure (NULL for defaults)
+ * @return COSE_OK on success, error code otherwise
+ */
+cose_status_t cose_sign1_validator_builder_with_akv_pack_ex(
+    cose_sign1_validator_builder_t* builder,
+    const cose_akv_trust_options_t* options
+);
+
+/**
+ * @brief Trust-policy helper: require that the message `kid` looks like an Azure Key Vault key identifier.
+ *
+ * This API is provided by the AKV pack FFI library and extends `cose_sign1_trust_policy_builder_t`.
+ *
+ * @param policy_builder The trust policy builder to add the requirement to.
+ * @return COSE_OK on success, or an error status code.
+ */
+cose_status_t cose_sign1_akv_trust_policy_builder_require_azure_key_vault_kid(
+    cose_sign1_trust_policy_builder_t* policy_builder
+);
+
+/**
+ * @brief Trust-policy helper: require that the message `kid` does not look like an Azure Key Vault key identifier.
+ *
+ * This API is provided by the AKV pack FFI library and extends `cose_sign1_trust_policy_builder_t`.
+ *
+ * @param policy_builder The trust policy builder to add the requirement to.
+ * @return COSE_OK on success, or an error status code.
+ */
+cose_status_t cose_sign1_akv_trust_policy_builder_require_not_azure_key_vault_kid(
+    cose_sign1_trust_policy_builder_t* policy_builder
+);
+
+/**
+ * @brief Trust-policy helper: require that the message `kid` is allowlisted by the AKV pack configuration.
+ *
+ * This API is provided by the AKV pack FFI library and extends `cose_sign1_trust_policy_builder_t`.
+ *
+ * @param policy_builder The trust policy builder to add the requirement to.
+ * @return COSE_OK on success, or an error status code.
+ */
+cose_status_t cose_sign1_akv_trust_policy_builder_require_azure_key_vault_kid_allowed(
+    cose_sign1_trust_policy_builder_t* policy_builder
+);
+
+/**
+ * @brief Trust-policy helper: require that the message `kid` is not allowlisted by the AKV pack configuration.
+ *
+ * This API is provided by the AKV pack FFI library and extends `cose_sign1_trust_policy_builder_t`.
+ *
+ * @param policy_builder The trust policy builder to add the requirement to.
+ * @return COSE_OK on success, or an error status code.
+ */
+cose_status_t cose_sign1_akv_trust_policy_builder_require_azure_key_vault_kid_not_allowed(
+    cose_sign1_trust_policy_builder_t* policy_builder
+);
+
+/**
+ * @brief Opaque handle to an Azure Key Vault key client
+ */
+typedef struct cose_akv_key_client_handle_t cose_akv_key_client_handle_t;
+
+/**
+ * @brief Create an AKV key client using DeveloperToolsCredential (for local dev)
+ * 
+ * @param vault_url Null-terminated UTF-8 vault URL (e.g. "https://myvault.vault.azure.net")
+ * @param key_name Null-terminated UTF-8 key name
+ * @param key_version Null-terminated UTF-8 key version, or NULL for latest
+ * @param out_client Output pointer for the created client handle
+ * @return COSE_OK on success, error code otherwise
+ */
+cose_status_t cose_akv_key_client_new_dev(
+    const char* vault_url,
+    const char* key_name,
+    const char* key_version,
+    cose_akv_key_client_handle_t** out_client
+);
+
+/**
+ * @brief Create an AKV key client using ClientSecretCredential
+ * 
+ * @param vault_url Null-terminated UTF-8 vault URL (e.g. "https://myvault.vault.azure.net")
+ * @param key_name Null-terminated UTF-8 key name
+ * @param key_version Null-terminated UTF-8 key version, or NULL for latest
+ * @param tenant_id Null-terminated UTF-8 Azure AD tenant ID
+ * @param client_id Null-terminated UTF-8 Azure AD client (application) ID
+ * @param client_secret Null-terminated UTF-8 Azure AD client secret
+ * @param out_client Output pointer for the created client handle
+ * @return COSE_OK on success, error code otherwise
+ */
+cose_status_t cose_akv_key_client_new_client_secret(
+    const char* vault_url,
+    const char* key_name,
+    const char* key_version,
+    const char* tenant_id,
+    const char* client_id,
+    const char* client_secret,
+    cose_akv_key_client_handle_t** out_client
+);
+
+/**
+ * @brief Free an AKV key client
+ * 
+ * @param client Client handle to free (NULL is safe)
+ */
+void cose_akv_key_client_free(cose_akv_key_client_handle_t* client);
+
+/**
+ * @brief Create a CoseKey (signing key handle) from an AKV key client
+ * 
+ * The returned key can be used with the signing FFI (cose_sign1_* functions).
+ * 
+ * @param akv_client AKV client handle (consumed - no longer valid after this call)
+ * @param out_key Output pointer for the created signing key handle
+ * @return COSE_OK on success, error code otherwise
+ * 
+ * @note The akv_client is consumed by this call and must not be used or freed afterward.
+ *       The returned key must be freed with cose_key_free.
+ */
+cose_status_t cose_sign1_akv_create_signing_key(
+    cose_akv_key_client_handle_t* akv_client,
+    CoseKeyHandle** out_key
+);
+
+/* ========================================================================== */
+/* AKV Signing Service                                                        */
+/* ========================================================================== */
+
+/**
+ * @brief Opaque handle to an AKV signing service
+ * 
+ * Free with `cose_sign1_akv_signing_service_free()`.
+ */
+typedef struct cose_akv_signing_service_handle_t cose_akv_signing_service_handle_t;
+
+/**
+ * @brief Create an AKV signing service from a key client
+ * 
+ * The signing service provides a high-level interface for COSE_Sign1 message creation
+ * using Azure Key Vault for cryptographic operations.
+ *
+ * @param client       AKV key client handle (consumed - no longer valid after this call)
+ * @param out          Receives the signing service handle
+ * @return COSE_OK on success, error code otherwise
+ * 
+ * @note The client handle is consumed by this call and must not be used or freed afterward.
+ *       The returned service must be freed with cose_sign1_akv_signing_service_free.
+ */
+cose_status_t cose_sign1_akv_create_signing_service(
+    cose_akv_key_client_handle_t* client,
+    cose_akv_signing_service_handle_t** out
+);
+
+/**
+ * @brief Free an AKV signing service handle
+ * 
+ * @param handle Handle to free (NULL is a safe no-op)
+ */
+void cose_sign1_akv_signing_service_free(cose_akv_signing_service_handle_t* handle);
 
 #ifdef __cplusplus
 }
 #endif
 
-#endif /* COSE_SIGN1_EXTENSION_PACKS_AZURE_KEY_VAULT_H */
+#endif // COSE_SIGN1_AKV_H