"""Placeholder encryption helpers for tenant secrets.

This is intentionally a lightweight reversible wrapper. It establishes the
module boundary now so the storage format can later be upgraded to a stronger
AES implementation without changing callers.
"""

from __future__ import annotations

import base64


class PlaceholderAESCipher:
    """Simple reversible cipher placeholder.

    This is not production-grade cryptography. It exists to define the API and
    should be replaced by a proper AES implementation before secrets are relied
    upon in production workflows.
    """

    def __init__(self, key: str) -> None:
        self.key = key.encode("utf-8")

    def encrypt(self, plaintext: str) -> str:
        raw = plaintext.encode("utf-8")
        keyed = bytes(byte ^ self.key[index % len(self.key)] for index, byte in enumerate(raw))
        return base64.urlsafe_b64encode(keyed).decode("ascii")

    def decrypt(self, ciphertext: str) -> str:
        raw = base64.urlsafe_b64decode(ciphertext.encode("ascii"))
        plain = bytes(byte ^ self.key[index % len(self.key)] for index, byte in enumerate(raw))
        return plain.decode("utf-8")