Native Rust Implementation: CLI fixes, MST/SCITT verification, PSS compatibility

.github/copilot-instructions.md

@@ -210,6 +210,24 @@ public class ExampleCommand : PluginCommandBase
 }
 ```
 
+## Command Execution Efficiency (MANDATORY)
+
+**Never re-run an expensive command (build, test, lint, coverage) just to apply a different text filter.**
+
+All long-running commands MUST capture full output to a file on the first run, then search that file for subsequent analysis. See `.github/instructions/command-output-capture.instructions.md` for the full policy.
+
+Quick reference:
+```powershell
+# CORRECT: Capture once, search many times
+cargo test --workspace 2>&1 | Out-File -FilePath "$env:TEMP\test-output.txt" -Encoding utf8
+Select-String -Path "$env:TEMP\test-output.txt" -Pattern "FAILED"
+Select-String -Path "$env:TEMP\test-output.txt" -Pattern "error"
+
+# WRONG: Re-running the same command with different filters
+cargo test --workspace 2>&1 | Select-String "FAILED"    # run 1: 10 minutes
+cargo test --workspace 2>&1 | Select-String "error"      # run 2: 10 minutes WASTED
+```
+
 ## Summary
 When generating code for this repository, always:
 1. Include the Microsoft copyright header
@@ -222,3 +240,4 @@ When generating code for this repository, always:
 8. Follow the formatting and spacing rules exactly as specified
 9. Include comprehensive XML documentation for public APIs
 10. Ensure all generated code follows the .editorconfig rules
+11. Capture long-running command output to files — never re-run just to filter differently

.github/evidence/build-verification-cb4acf58.md

@@ -0,0 +1,134 @@
+# Build Verification Evidence - Task cb4acf58
+
+**Date**: 2026-02-20T02:39:49.512Z  
+**Task**: Final verification of Rust FFI, C, and C++ builds
+
+## Summary
+
+✅ **Rust FFI Build**: SUCCESSFUL  
+❌ **C Project Build**: NOT COMPLETED (CMake not accessible)  
+❌ **C++ Project Build**: NOT COMPLETED (CMake not accessible)
+
+## Details
+
+### 1. Rust FFI Crates Build
+
+**Command**: `cd native/rust; cargo build --release --workspace`  
+**Result**: ✅ SUCCESS  
+**Exit Code**: 0
+
+**Toolchain Information**:
+- Cargo version: 1.90.0 (840b83a10 2025-07-30)
+- Rustc version: 1.90.0 (1159e78c4 2025-09-14)
+
+**Built Libraries** (native/rust/target/release/):
+
+#### Static Libraries (.lib)
+- `cose_sign1_azure_key_vault_ffi.lib` - 32.99 MB
+- `cose_sign1_certificates_ffi.lib` - 30.79 MB  
+- `cose_sign1_headers_ffi.lib` - 14.65 MB
+- `cose_sign1_primitives_ffi.lib` - 14.63 MB
+- `cose_sign1_signing_ffi.lib` - 14.95 MB
+- `cose_sign1_transparent_mst_ffi.lib` - 36.01 MB
+- `cose_sign1_validation_ffi.lib` - 23.91 MB
+- `cose_sign1_validation_primitives_ffi.lib` - 24.78 MB
+
+#### Dynamic Libraries (.dll)
+- `cose_sign1_azure_key_vault_ffi.dll` - 2.88 MB
+- `cose_sign1_certificates_ffi.dll` - 3.09 MB
+- `cose_sign1_headers_ffi.dll` - 186 KB
+- `cose_sign1_primitives_ffi.dll` - 220 KB
+- `cose_sign1_signing_ffi.dll` - 287 KB
+- `cose_sign1_transparent_mst_ffi.dll` - 4.50 MB
+- `cose_sign1_validation_ffi.dll` - 2.14 MB
+- `cose_sign1_validation_primitives_ffi.dll` - 2.41 MB
+- `did_x509_ffi.dll` - 589 KB
+
+#### Import Libraries (.dll.lib)
+- All corresponding import libraries generated successfully
+
+**All FFI crates compiled successfully** with no errors. Libraries are ready for linking with C/C++ consumers.
+
+### 2. C Project Build
+
+**Command**: `cd native/c; cmake -B build -DCMAKE_PREFIX_PATH=../rust/target/release`  
+**Result**: ❌ NOT COMPLETED  
+**Reason**: CMake not accessible in current environment
+
+**Details**:
+- CMake is required (version 3.20 or later per native/c/README.md)
+- `where.exe cmake` returned: "Could not find files for the given pattern(s)"
+- Visual Studio 18 Enterprise is installed at `C:\Program Files\Microsoft Visual Studio\18\Enterprise`
+- CMake may be present in Visual Studio installation but not in system PATH
+- File permission restrictions prevented locating CMake in Program Files
+
+**Required Prerequisites** (from native/c/README.md):
+- CMake 3.20 or later ❌ (not in PATH)
+- C11-capable compiler (MSVC, GCC, Clang) ✅ (VS 18 available)
+- Rust toolchain ✅ (completed)
+
+### 3. C++ Project Build
+
+**Command**: `cd native/c_pp; cmake -B build -DCMAKE_PREFIX_PATH=../rust/target/release`  
+**Result**: ❌ NOT COMPLETED  
+**Reason**: Same as C project - CMake not accessible
+
+## Analysis
+
+### What Succeeded
+1. ✅ All Rust FFI crates built successfully in release mode
+2. ✅ Static libraries generated for all packs
+3. ✅ Dynamic libraries (DLLs) generated for all packs
+4. ✅ Import libraries (.dll.lib) generated for Windows linking
+5. ✅ No build errors or warnings in Rust compilation
+
+### What Remains
+The C and C++ projects require CMake to configure and build. The build system cannot proceed without:
+- CMake being added to system PATH, OR
+- Explicitly calling CMake from its Visual Studio installation location
+
+### Verification of FFI Completeness
+All expected FFI crates were built:
+- **Base**: cose_sign1_primitives_ffi, cose_sign1_headers_ffi, cose_sign1_signing_ffi
+- **Validation**: cose_sign1_validation_ffi, cose_sign1_validation_primitives_ffi
+- **Certificates Pack**: cose_sign1_certificates_ffi
+- **MST Pack**: cose_sign1_transparent_mst_ffi  
+- **AKV Pack**: cose_sign1_azure_key_vault_ffi
+- **DID**: did_x509_ffi
+
+## Recommendations
+
+To complete the verification:
+
+1. **Option A**: Install CMake and add to PATH
+   ```powershell
+   # Download from https://cmake.org/download/ or use winget
+   winget install Kitware.CMake
+   ```
+
+2. **Option B**: Use CMake from Visual Studio
+   ```powershell
+   $env:PATH += ";C:\Program Files\Microsoft Visual Studio\18\Enterprise\Common7\IDE\CommonExtensions\Microsoft\CMake\CMake\bin"
+   cmake --version
+   ```
+
+3. **Option C**: Use Visual Studio Developer PowerShell
+   - Launch "Developer PowerShell for VS 2022"
+   - Run the build commands in that environment
+
+Once CMake is accessible, the build can proceed with:
+```bash
+# C project
+cd native/c
+cmake -B build -DCMAKE_PREFIX_PATH=../rust/target/release
+cmake --build build --config Release
+
+# C++ project  
+cd native/c_pp
+cmake -B build -DCMAKE_PREFIX_PATH=../rust/target/release
+cmake --build build --config Release
+```
+
+## Conclusion
+
+**Partial Success**: The Rust FFI layer (Layer 1) is fully built and ready. The C (Layer 2) and C++ (Layer 3) projections cannot be built without CMake being accessible in the current environment. All Rust artifacts are present and correct for consumption by the C/C++ layers once the build environment is properly configured.

.github/instructions/command-output-capture.instructions.md

@@ -0,0 +1,138 @@
+# Command Output Capture Policy — All Agents
+
+> **Applies to:** `**` (all files, all agents, all tasks in this repository)
+
+## Mandatory Rule: Capture Once, Search the File
+
+**Tests, builds, and coverage commands in this repository are expensive — often taking minutes or tens of minutes to complete.** Agents MUST capture full command output to a file on the first execution, then search/filter/reason over that file for all subsequent analysis. **Re-running the same command with a different filter is strictly prohibited.**
+
+## The Problem This Solves
+
+❌ **PROHIBITED pattern** — re-running a command to filter differently:
+```powershell
+# First run: agent pipes to Select-String looking for errors
+cargo test --workspace 2>&1 | Select-String "FAILED"
+
+# Second run: same command, different filter (WASTING MINUTES)
+cargo test --workspace 2>&1 | Select-String "error\[E"
+
+# Third run: same command, yet another filter (COMPLETELY UNACCEPTABLE)
+cargo test --workspace 2>&1 | Select-String "test result"
+```
+
+Each of those runs takes the **full execution time** of the command. Three filter passes on a 10-minute test suite wastes 20 minutes.
+
+## Required Pattern: Capture Full Output to a File
+
+✅ **REQUIRED pattern** — run once, capture everything, search the file:
+```powershell
+# Step 1: Run the command ONCE, capture ALL output (stdout + stderr) to a file
+cargo test --workspace 2>&1 | Out-File -FilePath "$env:TEMP\test-output.txt" -Encoding utf8
+
+# Step 2: Search the captured file as many times as needed (instant)
+Select-String -Path "$env:TEMP\test-output.txt" -Pattern "FAILED"
+Select-String -Path "$env:TEMP\test-output.txt" -Pattern "error\[E"
+Select-String -Path "$env:TEMP\test-output.txt" -Pattern "test result"
+Get-Content "$env:TEMP\test-output.txt" | Select-String "warning"
+```
+
+## Specific Rules
+
+### 1. All Long-Running Commands MUST Capture to File
+
+Any command that takes more than ~10 seconds MUST have its full output captured to a temporary file. This includes but is not limited to:
+
+| Command Type | Examples |
+|---|---|
+| Test suites | `cargo test`, `dotnet test`, `npm test`, `pytest` |
+| Builds | `cargo build`, `dotnet build`, `msbuild`, `npm run build` |
+| Coverage | `cargo llvm-cov`, `dotnet test --collect`, coverage scripts |
+| Linting | `cargo clippy`, `dotnet format`, `eslint` |
+| Package restore | `cargo fetch`, `dotnet restore`, `npm install` |
+| Any CI script | `collect-coverage.ps1`, or any orchestrating script |
+
+### 2. Capture Syntax
+
+Use one of these patterns to capture output:
+
+**PowerShell (preferred in this repo):**
+```powershell
+# Capture stdout + stderr to file
+<command> 2>&1 | Out-File -FilePath "$env:TEMP\<descriptive-name>.txt" -Encoding utf8
+
+# Or use Tee-Object if you also want to see live output
+<command> 2>&1 | Tee-Object -FilePath "$env:TEMP\<descriptive-name>.txt"
+```
+
+**Bash/Shell:**
+```bash
+<command> > /tmp/<descriptive-name>.txt 2>&1
+```
+
+**Rust/Cargo specific:**
+```powershell
+cargo test --workspace --no-fail-fast 2>&1 | Out-File -FilePath "$env:TEMP\cargo-test-output.txt" -Encoding utf8
+cargo clippy --workspace 2>&1 | Out-File -FilePath "$env:TEMP\cargo-clippy-output.txt" -Encoding utf8
+```
+
+### 3. Search the File, NOT Re-Run the Command
+
+After capturing, use these tools to analyze the output file:
+
+```powershell
+# Find specific patterns
+Select-String -Path "$env:TEMP\cargo-test-output.txt" -Pattern "FAILED|error"
+
+# Count occurrences
+(Select-String -Path "$env:TEMP\cargo-test-output.txt" -Pattern "test result").Count
+
+# Get context around matches
+Select-String -Path "$env:TEMP\cargo-test-output.txt" -Pattern "FAILED" -Context 5,5
+
+# Read specific line ranges
+Get-Content "$env:TEMP\cargo-test-output.txt" | Select-Object -Skip 100 -First 50
+
+# Get summary (tail)
+Get-Content "$env:TEMP\cargo-test-output.txt" -Tail 50
+```
+
+### 4. When Re-Running IS Allowed
+
+A command may only be re-executed if:
+- The **source code has been modified** since the last run (i.e., you are testing a fix)
+- The command **genuinely needs different arguments** (e.g., different `--package`, different test filter)
+- The previous output file was **lost or corrupted**
+- You need output from a **different command entirely**
+
+A command MUST NOT be re-executed merely to:
+- Apply a different `Select-String`, `grep`, `findstr`, or `Where-Object` filter
+- See a different portion of the same output
+- Count or summarize results differently
+- Reformat or restructure the same data
+
+### 5. File Naming Convention
+
+Use descriptive names in `$env:TEMP` (or `/tmp` on Unix):
+```
+$env:TEMP\cargo-test-output.txt
+$env:TEMP\cargo-clippy-output.txt
+$env:TEMP\dotnet-build-output.txt
+$env:TEMP\coverage-output.txt
+```
+
+### 6. Cleanup
+
+Delete temporary output files when the task is complete:
+```powershell
+Remove-Item "$env:TEMP\cargo-test-output.txt" -ErrorAction SilentlyContinue
+Remove-Item "$env:TEMP\cargo-clippy-output.txt" -ErrorAction SilentlyContinue
+```
+
+## Summary
+
+| Step | Action |
+|------|--------|
+| **Run** | Execute the command **once**, redirect all output to a file |
+| **Search** | Use `Select-String`, `Get-Content`, `grep` on the **file** |
+| **Iterate** | Modify code → re-run command → capture to file again |
+| **Never** | Re-run the same command just to apply a different text filter |