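"""Simple HMAC-based signer for PlanDelta and AuditLog proofs.

Signatures are hex-encoded HMAC-SHA256 tags over the UTF-8 bytes of the
message. HMAC is symmetric: any party holding the key can both verify and
produce signatures, so the key must stay confined to trusted components.
"""

import os
import hmac
import hashlib
import warnings
from typing import Optional

# Environment variable that carries the signing key.
_KEY_ENV_VAR = "MARKETCOMPILER_SIGNING_KEY"

# Publicly known fallback, kept so tests stay reproducible. Signatures made
# with it prove nothing about who produced the message.
_FALLBACK_KEY = "default-secret-key"


def _key() -> bytes:
    """Return the HMAC key as UTF-8 bytes.

    The key is read from the ``MARKETCOMPILER_SIGNING_KEY`` environment
    variable on every call. When the variable is unset, the hard-coded
    fallback key is used; an empty value is used as-is. Both cases emit a
    ``RuntimeWarning`` because the resulting signatures can be forged by
    anyone who has read this file.
    """
    configured = os.environ.get(_KEY_ENV_VAR)
    if not configured:
        # Fail loudly rather than silently: a deployment that forgot to set
        # the key would otherwise look healthy while offering no integrity.
        warnings.warn(
            f"{_KEY_ENV_VAR} is unset or empty; signatures are forgeable "
            "and must not be trusted outside tests",
            RuntimeWarning,
            stacklevel=2,
        )
    if configured is None:
        configured = _FALLBACK_KEY
    return configured.encode("utf-8")


class Signer:
    """Stateless helper that signs and verifies messages with HMAC-SHA256."""

    @staticmethod
    def sign(message: str) -> str:
        """Return the lowercase hex HMAC-SHA256 tag of *message*."""
        tag = hmac.new(_key(), message.encode("utf-8"), hashlib.sha256)
        return tag.hexdigest()

    @staticmethod
    def verify(message: str, signature: str) -> bool:
        """Return True only if *signature* is the valid tag for *message*.

        The signature normally comes from an untrusted party, so malformed
        values (non-string, non-ASCII) are rejected with ``False`` instead
        of raising. The comparison itself is constant-time.
        """
        expected = Signer.sign(message)
        if not isinstance(signature, str):
            return False
        # hmac.compare_digest raises TypeError on non-ASCII str input, so
        # compare bytes. "surrogatepass" keeps the encoding from raising on
        # lone surrogates; such input can never equal a hex digest.
        return hmac.compare_digest(
            expected.encode("ascii"),
            signature.encode("utf-8", "surrogatepass"),
        )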