import { childLogger } from '@server/logger';
const log = childLogger('auth.jwt');

const isProduction = process.env.NODE_ENV === 'production';
const DEV_DEFAULT_SECRET = 'restroagent-dev-secret-key-not-for-production';

const rawSecret = process.env.JWT_SECRET;

if (isProduction && !rawSecret) {
  throw new Error(
    '[Auth] JWT_SECRET environment variable is required in production. Set it before deploying.'
  );
}

if (!isProduction && !rawSecret) {
  log.warn('JWT_SECRET not set — using default dev key. Set JWT_SECRET for production!');
}

export const JWT_SECRET_RAW: string = rawSecret || DEV_DEFAULT_SECRET;
export const JWT_SECRET: Uint8Array = new TextEncoder().encode(JWT_SECRET_RAW);
export const IS_USING_DEFAULT_JWT_SECRET = !rawSecret;
export const IS_PRODUCTION = isProduction;