Add comprehensive module-level docs and README.md files for all FFI crates

Upgrade all 13 FFI crate lib.rs files with standardized module-level
documentation including sections for ABI Stability, Panic Safety, Error
Handling, Memory Ownership, and Thread Safety. Each crate's description
is tailored to its specific functionality.

Create 9 missing README.md files for FFI crates (crypto/openssl, headers,
validation/core, validation/primitives, certificates, certificates/local,
mst, azure_key_vault, did/x509) following the existing README pattern with
exported function tables, handle types, build instructions, and links to
parent library crates.

Also add missing copyright headers to FFI crate lib.rs files that lacked
them (validation/core, validation/primitives, certificates, mst,
azure_key_vault).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: Jstatia

native/rust/did/x509/ffi/README.md

@@ -0,0 +1,68 @@
+<!-- Copyright (c) Microsoft Corporation. Licensed under the MIT License. -->
+
+# did_x509_ffi
+
+C/C++ FFI projection for DID:x509 identifier operations.
+
+## Overview
+
+This crate provides C-compatible FFI exports for parsing, building, validating, and resolving
+DID:x509 identifiers against X.509 certificate chains. It wraps the `did_x509` crate for
+core functionality.
+
+## Exported Functions
+
+### ABI & Error Handling
+
+| Function | Description |
+|----------|-------------|
+| `did_x509_abi_version` | ABI version check |
+| `did_x509_error_message` | Get error description string |
+| `did_x509_error_code` | Get error code |
+| `did_x509_error_free` | Free an error handle |
+| `did_x509_string_free` | Free a string returned by this library |
+
+### Parsing
+
+| Function | Description |
+|----------|-------------|
+| `did_x509_parse` | Parse a DID:x509 identifier string |
+| `did_x509_parsed_get_fingerprint` | Get the certificate fingerprint |
+| `did_x509_parsed_get_hash_algorithm` | Get the hash algorithm used |
+| `did_x509_parsed_get_policy_count` | Get the number of policies |
+| `did_x509_parsed_free` | Free a parsed DID handle |
+
+### Building
+
+| Function | Description |
+|----------|-------------|
+| `did_x509_build_with_eku` | Build a DID:x509 with EKU policy |
+| `did_x509_build_from_chain` | Build a DID:x509 from a certificate chain |
+
+### Validation & Resolution
+
+| Function | Description |
+|----------|-------------|
+| `did_x509_validate` | Validate a DID:x509 against a certificate chain |
+| `did_x509_resolve` | Resolve a DID:x509 to a public key |
+
+## Handle Types
+
+| Type | Description |
+|------|-------------|
+| `DidX509ParsedHandle` | Opaque parsed DID:x509 identifier |
+| `DidX509ErrorHandle` | Opaque error handle |
+
+## C Header
+
+`<cose/did/x509.h>`
+
+## Parent Library
+
+[`did_x509`](../../x509/) — DID:x509 implementation.
+
+## Build
+
+```bash
+cargo build --release -p did_x509_ffi
+```

native/rust/did/x509/ffi/src/lib.rs

@@ -5,29 +5,45 @@
 #![deny(unsafe_op_in_unsafe_fn)]
 #![allow(clippy::not_unsafe_ptr_arg_deref)]
 
-//! C/C++ FFI for DID:x509 parsing, building, validation and resolution.
+//! C-ABI projection for `did_x509`.
 //!
-//! This crate (`did_x509_ffi`) provides FFI-safe wrappers for working with DID:x509
-//! identifiers from C and C++ code. It uses the `did_x509` crate for core functionality.
+//! This crate provides C-compatible FFI exports for DID:x509 identifier
+//! operations. It wraps the `did_x509` crate, enabling C and C++ code to
+//! parse, build, validate, and resolve DID:x509 identifiers against X.509
+//! certificate chains.
 //!
-//! ## Error Handling
+//! # ABI Stability
+//!
+//! All exported functions use `extern "C"` calling convention.
+//! Opaque handle types are passed as `*mut` (owned) or `*const` (borrowed).
+//! The ABI version is available via `did_x509_abi_version()`.
+//!
+//! # Panic Safety
+//!
+//! All exported functions are wrapped in `catch_unwind` to prevent
+//! Rust panics from crossing the FFI boundary.
+//!
+//! # Error Handling
 //!
 //! All functions follow a consistent error handling pattern:
 //! - Return value: 0 = success, negative = error code
 //! - `out_error` parameter: Set to error handle on failure (caller must free)
 //! - Output parameters: Only valid if return is 0
 //!
-//! ## Memory Management
+//! # Memory Ownership
 //!
-//! Handles and strings returned by this library must be freed using the corresponding `*_free` function:
-//! - `did_x509_parsed_free` for parsed identifier handles
-//! - `did_x509_error_free` for error handles
-//! - `did_x509_string_free` for string pointers
+//! - `*mut T` parameters transfer ownership TO this function (consumed)
+//! - `*const T` parameters are borrowed (caller retains ownership)
+//! - `*mut *mut T` out-parameters transfer ownership FROM this function (caller must free)
+//! - Every handle type has a corresponding `*_free()` function:
+//!   - `did_x509_parsed_free` for parsed identifier handles
+//!   - `did_x509_error_free` for error handles
+//!   - `did_x509_string_free` for string pointers
 //!
-//! ## Thread Safety
+//! # Thread Safety
 //!
-//! All handles are thread-safe and can be used from multiple threads. However, handles
-//! are not internally synchronized, so concurrent mutation requires external synchronization.
+//! All functions are thread-safe. Handles are not internally synchronized,
+//! so concurrent mutation requires external synchronization.
 
 pub mod error;
 pub mod types;

native/rust/extension_packs/azure_artifact_signing/ffi/src/lib.rs

@@ -3,7 +3,40 @@
 
 #![cfg_attr(coverage_nightly, feature(coverage_attribute))]
 
-//! Azure Artifact Signing pack FFI bindings.
+//! C-ABI projection for `cose_sign1_azure_artifact_signing`.
+//!
+//! This crate provides C-compatible FFI exports for the Azure Artifact Signing
+//! (AAS) extension pack. It enables C/C++ consumers to register the AAS trust
+//! pack with a validator builder, with support for both default and custom
+//! trust options (endpoint URL, account name, certificate profile name).
+//!
+//! # ABI Stability
+//!
+//! All exported functions use `extern "C"` calling convention.
+//! Opaque handle types are passed as `*mut` (owned) or `*const` (borrowed).
+//! The ABI version is available via `cose_sign1_ats_abi_version()`.
+//!
+//! # Panic Safety
+//!
+//! All exported functions are wrapped in `catch_unwind` to prevent
+//! Rust panics from crossing the FFI boundary.
+//!
+//! # Error Handling
+//!
+//! Functions return `cose_status_t` (0 = OK, non-zero = error).
+//! On error, call `cose_last_error_message_utf8()` for details.
+//! Error state is thread-local and safe for concurrent use.
+//!
+//! # Memory Ownership
+//!
+//! - `*mut T` parameters transfer ownership TO this function (consumed)
+//! - `*const T` parameters are borrowed (caller retains ownership)
+//! - `*mut *mut T` out-parameters transfer ownership FROM this function (caller must free)
+//! - Every handle type has a corresponding `*_free()` function
+//!
+//! # Thread Safety
+//!
+//! All functions are thread-safe. Error state is thread-local.
 
 #![deny(unsafe_op_in_unsafe_fn)]
 #![allow(clippy::not_unsafe_ptr_arg_deref)]

native/rust/extension_packs/azure_key_vault/ffi/README.md

@@ -0,0 +1,68 @@
+<!-- Copyright (c) Microsoft Corporation. Licensed under the MIT License. -->
+
+# cose_sign1_azure_key_vault_ffi
+
+C/C++ FFI projection for the Azure Key Vault extension pack.
+
+## Overview
+
+This crate provides C-compatible FFI exports for the Azure Key Vault trust pack.
+It enables C/C++ consumers to register the AKV trust pack with a validator builder,
+author trust policies that constrain Key Vault KID properties, and create signing
+keys and signing services backed by Azure Key Vault.
+
+## Exported Functions
+
+### Pack Registration
+
+| Function | Description |
+|----------|-------------|
+| `cose_sign1_validator_builder_with_akv_pack` | Add AKV pack (default options) |
+| `cose_sign1_validator_builder_with_akv_pack_ex` | Add AKV pack (custom options) |
+
+### KID Trust Policies
+
+| Function | Description |
+|----------|-------------|
+| `..._require_azure_key_vault_kid` | Require AKV KID detected |
+| `..._require_not_azure_key_vault_kid` | Require AKV KID not detected |
+| `..._require_azure_key_vault_kid_allowed` | Require KID is in allowed list |
+| `..._require_azure_key_vault_kid_not_allowed` | Require KID is not in allowed list |
+
+### Key Client Lifecycle
+
+| Function | Description |
+|----------|-------------|
+| `cose_akv_key_client_new_dev` | Create key client (dev credentials) |
+| `cose_akv_key_client_new_client_secret` | Create key client (client secret) |
+| `cose_akv_key_client_free` | Free a key client handle |
+
+### Signing Operations
+
+| Function | Description |
+|----------|-------------|
+| `cose_sign1_akv_create_signing_key` | Create a signing key from AKV |
+| `cose_sign1_akv_create_signing_service` | Create a signing service from AKV |
+| `cose_sign1_akv_signing_service_free` | Free a signing service handle |
+
+## Handle Types
+
+| Type | Description |
+|------|-------------|
+| `cose_akv_trust_options_t` | C ABI options struct for AKV trust configuration |
+| `AkvKeyClientHandle` | Opaque Azure Key Vault key client |
+| `AkvSigningServiceHandle` | Opaque AKV-backed signing service |
+
+## C Header
+
+`<cose/sign1/extension_packs/azure_key_vault.h>`
+
+## Parent Library
+
+[`cose_sign1_azure_key_vault`](../../azure_key_vault/) — Azure Key Vault trust pack implementation.
+
+## Build
+
+```bash
+cargo build --release -p cose_sign1_azure_key_vault_ffi
+```

native/rust/extension_packs/azure_key_vault/ffi/src/lib.rs

@@ -1,6 +1,42 @@
-//! Azure Key Vault pack FFI bindings.
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//! C-ABI projection for `cose_sign1_azure_key_vault`.
+//!
+//! This crate provides C-compatible FFI exports for the Azure Key Vault
+//! extension pack. It enables C/C++ consumers to register the Azure Key Vault
+//! trust pack with a validator builder, author trust policies that constrain
+//! Key Vault KID properties (detection, allowed/denied lists), and create
+//! signing keys and signing services backed by Azure Key Vault.
+//!
+//! # ABI Stability
+//!
+//! All exported functions use `extern "C"` calling convention.
+//! Opaque handle types are passed as `*mut` (owned) or `*const` (borrowed).
+//!
+//! # Panic Safety
+//!
+//! All exported functions are wrapped in `catch_unwind` to prevent
+//! Rust panics from crossing the FFI boundary.
+//!
+//! # Error Handling
+//!
+//! Functions return `cose_status_t` (0 = OK, non-zero = error).
+//! On error, call `cose_last_error_message_utf8()` for details.
+//! Error state is thread-local and safe for concurrent use.
+//!
+//! # Memory Ownership
+//!
+//! - `*mut T` parameters transfer ownership TO this function (consumed)
+//! - `*const T` parameters are borrowed (caller retains ownership)
+//! - `*mut *mut T` out-parameters transfer ownership FROM this function (caller must free)
+//! - Every handle type has a corresponding `*_free()` function:
+//!   - `cose_akv_key_client_free` for key client handles
+//!   - `cose_sign1_akv_signing_service_free` for signing service handles
+//!
+//! # Thread Safety
 //!
-//! This crate exposes the Azure Key Vault KID validation pack and signing key creation to C/C++ consumers.
+//! All functions are thread-safe. Error state is thread-local.
 
 #![cfg_attr(coverage_nightly, feature(coverage_attribute))]
 #![deny(unsafe_op_in_unsafe_fn)]

native/rust/extension_packs/certificates/ffi/README.md

@@ -0,0 +1,95 @@
+<!-- Copyright (c) Microsoft Corporation. Licensed under the MIT License. -->
+
+# cose_sign1_certificates_ffi
+
+C/C++ FFI projection for the X.509 certificate validation extension pack.
+
+## Overview
+
+This crate provides C-compatible FFI exports for registering the X.509 certificate trust pack
+with a validator builder and authoring trust policies that constrain X.509 chain properties.
+Supported constraints include chain trust status, chain element identity and validity, public key
+algorithms, and signing certificate identity.
+
+## Exported Functions
+
+### Pack Registration
+
+| Function | Description |
+|----------|-------------|
+| `cose_sign1_validator_builder_with_certificates_pack` | Add certificate pack (default options) |
+| `cose_sign1_validator_builder_with_certificates_pack_ex` | Add certificate pack (custom options) |
+
+### Chain Trust Policies
+
+| Function | Description |
+|----------|-------------|
+| `..._require_x509_chain_trusted` | Require chain is trusted |
+| `..._require_x509_chain_not_trusted` | Require chain is not trusted |
+| `..._require_x509_chain_built` | Require chain was successfully built |
+| `..._require_x509_chain_not_built` | Require chain was not built |
+| `..._require_x509_chain_element_count_eq` | Require specific chain length |
+| `..._require_x509_chain_status_flags_eq` | Require specific chain status flags |
+| `..._require_leaf_chain_thumbprint_present` | Require leaf thumbprint present |
+| `..._require_leaf_subject_eq` | Require leaf subject matches |
+| `..._require_issuer_subject_eq` | Require issuer subject matches |
+| `..._require_leaf_issuer_is_next_chain_subject_optional` | Require leaf-to-chain issuer linkage |
+
+### Signing Certificate Policies
+
+| Function | Description |
+|----------|-------------|
+| `..._require_signing_certificate_present` | Require signing cert present |
+| `..._require_signing_certificate_subject_issuer_matches_*` | Require subject-issuer match |
+| `..._require_signing_certificate_thumbprint_eq` | Require specific thumbprint |
+| `..._require_signing_certificate_thumbprint_present` | Require thumbprint present |
+| `..._require_signing_certificate_subject_eq` | Require specific subject |
+| `..._require_signing_certificate_issuer_eq` | Require specific issuer |
+| `..._require_signing_certificate_serial_number_eq` | Require specific serial number |
+| `..._require_signing_certificate_*` (validity) | Time-based validity constraints |
+
+### Chain Element Policies
+
+| Function | Description |
+|----------|-------------|
+| `..._require_chain_element_subject_eq` | Require element subject matches |
+| `..._require_chain_element_issuer_eq` | Require element issuer matches |
+| `..._require_chain_element_thumbprint_eq` | Require element thumbprint matches |
+| `..._require_chain_element_thumbprint_present` | Require element thumbprint present |
+| `..._require_chain_element_*` (validity) | Element time-based validity constraints |
+
+### Public Key Algorithm Policies
+
+| Function | Description |
+|----------|-------------|
+| `..._require_not_pqc_algorithm_or_missing` | Require non-PQC algorithm |
+| `..._require_x509_public_key_algorithm_thumbprint_eq` | Require specific algorithm thumbprint |
+| `..._require_x509_public_key_algorithm_oid_eq` | Require specific algorithm OID |
+| `..._require_x509_public_key_algorithm_is_pqc` | Require PQC algorithm |
+| `..._require_x509_public_key_algorithm_is_not_pqc` | Require non-PQC algorithm |
+
+### Key Utilities
+
+| Function | Description |
+|----------|-------------|
+| `cose_sign1_certificates_key_from_cert_der` | Create key handle from DER certificate |
+
+## Handle Types
+
+| Type | Description |
+|------|-------------|
+| `cose_certificate_trust_options_t` | C ABI options struct for certificate trust configuration |
+
+## C Header
+
+`<cose/sign1/extension_packs/certificates.h>`
+
+## Parent Library
+
+[`cose_sign1_certificates`](../../certificates/) — X.509 certificate trust pack implementation.
+
+## Build
+
+```bash
+cargo build --release -p cose_sign1_certificates_ffi
+```