%% PQC Integration — Technical Architecture (EU Reviewer Version)
%% Proposal: €2.8M HORIZON-CL3-2025-CS-ECCC-06
%% Call Topic: Post-Quantum Cryptographic Transition for EU Critical Infrastructure
%% TRL: 4→6 (Lab validation to operational pilot)

graph TB
    subgraph CallAlignment["🇪🇺 HORIZON-CL3-2025 Call Alignment"]
        TOPIC1["Topic ECCC-01:<br/>Quantum-Safe Security<br/>for Critical Infrastructure"]
        TOPIC2["Expected Outcome:<br/>TRL 6 Validation<br/>in Operational Environment"]
        TOPIC3["EU Policy:<br/>NIS2, DORA, Cybersecurity Act<br/>Digital Sovereignty"]
    end

    subgraph CurrentState["📍 Current State (TRL 4)"]
        CLASSICAL["Classical Cryptography<br/>Ed25519 (signatures)<br/>ECDSA-P256 (TLS)<br/>AES-256-GCM (symmetric)"]
        RECEIPTS_NOW["VaultMesh Node (operational)<br/>3,600+ cryptographic receipts<br/>Merkle compaction (36 manifests)"]
    end

    subgraph Transition["🔀 Hybrid Transition Layer (WP2, TRL 5)"]
        DUAL_SIG["Dual Signature Mode<br/>Classical + PQC parallel<br/>Gradual migration path"]
        HYBRID_KEM["Hybrid Key Exchange<br/>X25519 + CRYSTALS-Kyber<br/>Backward compatibility"]
        CERT_LAYER["Composite Certificates<br/>X.509 extended for PQC<br/>RFC 8410 + draft-ietf-lamps-pq-composite-certs"]
    end

    subgraph PQCTarget["🛡️ Post-Quantum Target State (WP2, TRL 6)"]
        KYBER["CRYSTALS-Kyber<br/>NIST FIPS 203<br/>Key Encapsulation Mechanism"]
        DILITHIUM["CRYSTALS-Dilithium<br/>NIST FIPS 204<br/>Digital Signatures"]
        SPHINCS["SPHINCS+<br/>NIST FIPS 205<br/>Stateless Hash Signatures"]
    end

    subgraph VaultMeshCore["🏛️ VaultMesh Core Components"]
        RECEIPT_ENGINE["Receipt Engine (WP1)<br/>Proof-of-Action for<br/>Every Critical Operation"]
        LAWCHAIN["LAWCHAIN (WP2)<br/>Tamper-Evident Audit Spine<br/>Merkle Tree + External Anchors"]
        PSI_FIELD["Ψ-Field (WP3)<br/>Anomaly Detection<br/>Collective Intelligence"]
        FEDERATION["Federation Router (WP4)<br/>Peer-to-Peer mTLS<br/>Sovereign Data Exchange"]
    end

    subgraph ExternalAnchors["🔗 External Trust Anchors (WP2)"]
        TSA["RFC-3161 TSA<br/>Timestamp Authority<br/>Legal Non-Repudiation"]
        ETHEREUM["Ethereum Mainnet<br/>Public Blockchain<br/>Immutable Witness"]
        BITCOIN["Bitcoin (Fallback)<br/>OP_RETURN Anchoring<br/>Redundancy"]
    end

    subgraph Pilots["🧪 Validation Pilots (WP5, TRL 6)"]
        PILOT_FR["France Pilot<br/>Public Digital Services<br/>Cross-Agency Compliance"]
        PILOT_CZ["Czech Pilot<br/>Research Network<br/>Academic Federation"]
        PILOT_GR["Greece Pilot<br/>Critical Infrastructure<br/>DORA/NIS2 Testing"]
    end

    subgraph Standards["📜 Standards Contributions (WP5)"]
        ETSI["ETSI TC CYBER<br/>PQC Migration Guidelines<br/>Best Practices"]
        IETF["IETF CFRG<br/>Hybrid Cryptography<br/>RFC Drafts"]
        ISO["ISO/IEC JTC 1/SC 27<br/>Security Standards<br/>Interoperability Profiles"]
    end

    %% Current State → Transition
    CLASSICAL -.->|"Migration Path (M1-M12)"| DUAL_SIG
    CLASSICAL -.->|"Backward Compatible"| HYBRID_KEM
    RECEIPTS_NOW -.->|"Integrate PQC (M8-M14)"| CERT_LAYER

    %% Transition → PQC Target
    DUAL_SIG ==>|"NIST FIPS 204"| DILITHIUM
    HYBRID_KEM ==>|"NIST FIPS 203"| KYBER
    CERT_LAYER ==>|"NIST FIPS 205 (Backup)"| SPHINCS

    %% VaultMesh Core Integration
    RECEIPT_ENGINE -->|"Sign with"| DUAL_SIG
    RECEIPT_ENGINE -->|"Anchor via"| TSA
    LAWCHAIN -->|"Merkle Roots"| TSA
    LAWCHAIN -->|"Public Witness"| ETHEREUM
    LAWCHAIN -->|"Fallback"| BITCOIN
    PSI_FIELD -->|"Quantum-Safe Hashing"| SPHINCS
    FEDERATION -->|"mTLS Handshake"| HYBRID_KEM

    %% Work Package Flow
    RECEIPT_ENGINE -.->|"WP1: Requirements"| LAWCHAIN
    LAWCHAIN -.->|"WP2: Implementation"| TSA
    PSI_FIELD -.->|"WP3: Development"| PILOT_FR
    FEDERATION -.->|"WP4: Testbed"| PILOT_CZ
    PILOT_FR -.->|"WP5: Validation"| PILOT_GR

    %% Standards Output
    DUAL_SIG -.->|"Migration Strategy"| ETSI
    HYBRID_KEM -.->|"Hybrid KEM RFC"| IETF
    CERT_LAYER -.->|"Interop Profile"| ISO

    %% Call Alignment
    TOPIC1 ==>|"Addresses"| PQCTarget
    TOPIC2 ==>|"Validates via"| Pilots
    TOPIC3 ==>|"Complies with"| LAWCHAIN

    classDef current fill:#e1f5ff,stroke:#01579b,stroke-width:2px
    classDef transition fill:#fff9c4,stroke:#f57f17,stroke-width:3px
    classDef pqc fill:#c8e6c9,stroke:#2e7d32,stroke-width:2px
    classDef core fill:#f3e5f5,stroke:#6a1b9a,stroke-width:2px
    classDef pilot fill:#ffccbc,stroke:#bf360c,stroke-width:2px
    classDef anchor fill:#e8eaf6,stroke:#3f51b5,stroke-width:2px
    classDef standard fill:#fff3e0,stroke:#e65100,stroke-width:2px
    classDef call fill:#e8f5e9,stroke:#2e7d32,stroke-width:3px

    class CLASSICAL,RECEIPTS_NOW current
    class DUAL_SIG,HYBRID_KEM,CERT_LAYER transition
    class KYBER,DILITHIUM,SPHINCS pqc
    class RECEIPT_ENGINE,LAWCHAIN,PSI_FIELD,FEDERATION core
    class PILOT_FR,PILOT_CZ,PILOT_GR pilot
    class TSA,ETHEREUM,BITCOIN anchor
    class ETSI,IETF,ISO standard
    class TOPIC1,TOPIC2,TOPIC3 call