import { childLogger } from '@server/logger';
const log = childLogger('auth.encryption');

const isProduction = process.env.NODE_ENV === 'production';

const rawKey = process.env.ENCRYPTION_KEY;

if (isProduction && !rawKey) {
  throw new Error(
    '[Encryption] ENCRYPTION_KEY environment variable is required in production. ' +
    'Generate one with: node -e "console.log(require(\'crypto\').randomBytes(32).toString(\'base64\'))"'
  );
}

if (!isProduction && !rawKey) {
  log.warn('ENCRYPTION_KEY not set — using derived dev key. Set ENCRYPTION_KEY for production!');
}

export const ENCRYPTION_KEY_RAW: string | undefined = rawKey;