%% VaultMesh PQC Integration — Hybrid Cryptographic Architecture
%% Proposal: €2.8M HORIZON-CL3-2025-CS-ECCC-06
%% Partners: VaultMesh (IE), Univ Brno (CZ), Cyber Trust (GR), France Public Services (FR)

graph TB
    subgraph External["🌐 External Trust Anchors"]
        TSA[RFC3161 TSA<br/>Timestamp Authority]
        ETH[Ethereum Mainnet<br/>Public Blockchain]
        BTC[Bitcoin<br/>Witness Anchors]
    end

    subgraph Classical["🔐 Classical Cryptography Layer (Current State)"]
        ED25519[Ed25519 Signatures<br/>Identity & Federation]
        ECDSA[ECDSA-P256<br/>TLS/mTLS]
        SHA3[SHA3-256 / BLAKE2b<br/>Content Hashing]
        AES[AES-256-GCM<br/>Symmetric Encryption]
    end

    subgraph Hybrid["🔀 Hybrid Transition Layer (TRL 4→6)"]
        DUAL_SIG[Dual Signature Mode<br/>Classical + PQC]
        KEY_NEGO[Hybrid Key Exchange<br/>X25519 + Kyber]
        CERT_CHAIN[X.509 + PQC Certificates<br/>Composite Signing]
        MERKLE[Merkle Tree Compaction<br/>Quantum-Safe Hashing]
    end

    subgraph PQC["🛡️ Post-Quantum Cryptography Layer (Target State)"]
        KYBER[CRYSTALS-Kyber<br/>KEM — Key Encapsulation]
        DILITHIUM[CRYSTALS-Dilithium<br/>Digital Signatures]
        SPHINCS[SPHINCS+<br/>Stateless Hash Signatures]
        HASH_PQ[SHA3-256<br/>Already Quantum-Safe]
    end

    subgraph VaultMesh["🏛️ VaultMesh Core Organs"]
        RECEIPTS[Receipt Engine<br/>Every Action = Proof]
        LAWCHAIN[LAWCHAIN<br/>Tamper-Evident Audit Spine]
        TREASURY[Treasury<br/>Cryptographic Value Tracking]
        FEDERATION[Federation Router<br/>Peer-to-Peer mTLS]
        PSI[Ψ-Field<br/>Anomaly Detection]
    end

    subgraph WP["📋 Work Packages"]
        WP1[WP1: Governance Framework<br/>M1-6 — VaultMesh Lead]
        WP2[WP2: Proof & Anchoring<br/>M1-12 — Univ Brno Lead]
        WP3[WP3: Ψ-Field & Observability<br/>M4-16 — Cyber Trust Lead]
        WP4[WP4: Federation & Trust<br/>M6-18 — VaultMesh Lead]
        WP5[WP5: Pilots & Assessment<br/>M12-24 — France Public Lead]
    end

    subgraph Pilots["🧪 Validation Pilots (M12-24)"]
        PILOT_FR[French Public Services<br/>Cross-Agency Compliance]
        PILOT_CZ[Czech Research Network<br/>Academic Federation]
        PILOT_GR[Greek Critical Infrastructure<br/>DORA/NIS2 Testing]
    end

    %% Classical → Hybrid Migration Path
    ED25519 -.->|"Upgrade Path"| DUAL_SIG
    ECDSA -.->|"Parallel Mode"| KEY_NEGO
    SHA3 -.->|"Already Quantum-Safe"| MERKLE
    AES -.->|"Post-Quantum KEMs"| KEY_NEGO

    %% Hybrid → PQC Target State
    DUAL_SIG ==>|"TRL 4→6 Validation"| DILITHIUM
    KEY_NEGO ==>|"NIST Standards"| KYBER
    CERT_CHAIN ==>|"Backup Signatures"| SPHINCS
    MERKLE ==>|"Hash-Based Proofs"| HASH_PQ

    %% VaultMesh Organs Integration
    RECEIPTS -->|"Sign with"| DUAL_SIG
    RECEIPTS -->|"Anchor via"| TSA
    LAWCHAIN -->|"Merkle Roots"| MERKLE
    LAWCHAIN -->|"Public Witness"| ETH
    LAWCHAIN -->|"Fallback Anchor"| BTC
    TREASURY -->|"Federation KEMs"| KEY_NEGO
    FEDERATION -->|"mTLS Handshake"| CERT_CHAIN
    PSI -->|"Quantum-Safe Scoring"| HASH_PQ

    %% Work Package Dependencies
    WP1 --> RECEIPTS
    WP1 --> LAWCHAIN
    WP2 --> TSA
    WP2 --> DUAL_SIG
    WP2 --> MERKLE
    WP3 --> PSI
    WP4 --> FEDERATION
    WP4 --> KEY_NEGO
    WP5 --> PILOT_FR
    WP5 --> PILOT_CZ
    WP5 --> PILOT_GR

    %% Pilot Validation Feedback
    PILOT_FR -.->|"Audit Benchmarks"| LAWCHAIN
    PILOT_CZ -.->|"Federation Testing"| FEDERATION
    PILOT_GR -.->|"Anomaly Detection"| PSI

    %% Standards & Policy Alignment
    KYBER -->|"NIST FIPS 203"| STANDARDS[📜 ETSI/IETF/ISO<br/>Standards Contributions]
    DILITHIUM -->|"NIST FIPS 204"| STANDARDS
    SPHINCS -->|"NIST FIPS 205"| STANDARDS

    classDef classical fill:#e1f5ff,stroke:#01579b,stroke-width:2px
    classDef hybrid fill:#fff9c4,stroke:#f57f17,stroke-width:3px
    classDef pqc fill:#c8e6c9,stroke:#2e7d32,stroke-width:2px
    classDef vaultmesh fill:#f3e5f5,stroke:#6a1b9a,stroke-width:2px
    classDef wp fill:#ffe0b2,stroke:#e65100,stroke-width:2px
    classDef pilot fill:#ffccbc,stroke:#bf360c,stroke-width:2px

    class ED25519,ECDSA,SHA3,AES classical
    class DUAL_SIG,KEY_NEGO,CERT_CHAIN,MERKLE hybrid
    class KYBER,DILITHIUM,SPHINCS,HASH_PQ pqc
    class RECEIPTS,LAWCHAIN,TREASURY,FEDERATION,PSI vaultmesh
    class WP1,WP2,WP3,WP4,WP5 wp
    class PILOT_FR,PILOT_CZ,PILOT_GR pilot