package transport

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"time"
)

// KnockLen is the length in bytes of the truncated HMAC-SHA256 port-knock token.
const KnockLen = 16

// KnockForMinute derives the 16-byte port-knock token for a given Unix minute under the shared
// 32-byte key.
//
// Wire formula (mirrors aura-transport/src/udp.rs):
//
//	HMAC-SHA256(key, u64_be(minute))[..16]
//
// The server validates against floor(now/60) and ±1 minute (~3-minute acceptance window).
func KnockForMinute(key [32]byte, minute uint64) [KnockLen]byte {
	var mb [8]byte
	binary.BigEndian.PutUint64(mb[:], minute)
	m := hmac.New(sha256.New, key[:])
	m.Write(mb[:])
	tag := m.Sum(nil)
	var out [KnockLen]byte
	copy(out[:], tag[:KnockLen])
	return out
}

// CurrentUnixMinute returns floor(now/60). Used by the client to compute the knock for "now".
func CurrentUnixMinute() uint64 {
	return uint64(time.Now().Unix() / 60)
}