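use k256::ecdsa::{signature::Signer, Signature, SigningKey};
use sha2::{Digest, Sha256};
use std::sync::OnceLock;

use crate::shield::redact::PiiMatch;

/// Process-wide ECDSA signing key, installed once by [`init_signing_key`] and
/// read by [`generate_proof`].
static SIGNING_KEY: OnceLock<SigningKey> = OnceLock::new();

/// Decodes `hex_key` and installs it as the process-wide signing key.
///
/// Only the first successful call takes effect. Later calls are ignored and
/// the key that is already installed stays in use.
///
/// # Panics
///
/// Panics if `hex_key` is not valid hex or does not decode to a valid private
/// key.
pub fn init_signing_key(hex_key: &str) {
    // Panic with fixed messages rather than `unwrap()`: the hex decoder's error
    // value names the offending character and its index, which would put a
    // fragment of the secret into panic output and logs.
    let Ok(key_bytes) = hex::decode(hex_key) else {
        panic!("signing key is not valid hex");
    };
    // NOTE(review): `key_bytes` is dropped without being wiped; consider
    // zeroizing it if memory disclosure is part of the threat model.
    let Ok(key) = SigningKey::from_slice(&key_bytes) else {
        panic!("signing key is not a valid private key");
    };

    // NOTE(review): a second initialisation is discarded silently, so a caller
    // attempting key rotation keeps signing with the old key and gets no
    // error. Surfacing this would change the function's contract.
    let _ = SIGNING_KEY.set(key);
}

/// Signs a SHA-256 digest of `original` and every entry of `pii_map`, returning
/// the signature as a hex string.
///
/// The digest covers `original`, then each match's `entity_type`, `original`
/// and `placeholder` in slice order.
///
/// # Panics
///
/// Panics if [`init_signing_key`] has not installed a key.
pub fn generate_proof(original: &str, pii_map: &[PiiMatch]) -> String {
    let sk = SIGNING_KEY.get().expect("Signing key not initialised");

    // NOTE(review): the fields are concatenated with no length prefix or
    // separator, so different (text, map) inputs can produce the same byte
    // stream and therefore the same proof. A length-prefixed, domain-separated
    // encoding would bind the proof to one input, but it changes the signed
    // format and must be rolled out together with the verifier.
    let mut hasher = Sha256::new();
    hasher.update(original);
    for m in pii_map {
        hasher.update(m.entity_type.as_bytes());
        hasher.update(m.original.as_bytes());
        hasher.update(m.placeholder.as_bytes());
    }
    let digest = hasher.finalize();

    // NOTE(review): `Signer::sign` on a k256 `SigningKey` hashes its input
    // itself, so the signature presumably covers SHA-256(digest); the verifier
    // has to treat the digest bytes as the message. Confirm against the verifier.
    let sig: Signature = sk.sign(&digest);
    hex::encode(sig.to_bytes())
}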