/**
 * JWT auth middleware — delegates to @bytelyst/fastify-auth.
 * RS256 JWKS verification with HS256 fallback, configured from local config.
 *
 * Uses getter functions so config is read on each call (supports test mocks).
 */
import { createAuthMiddleware } from '@bytelyst/fastify-auth';
import { config } from './config.js';

export type { AuthPayload } from '@bytelyst/fastify-auth';

const { extractAuth, requireRole } = createAuthMiddleware({
  jwtSecret: () => config.JWT_SECRET,
  jwksUrl: () => config.PLATFORM_JWKS_URL,
});

export { extractAuth, requireRole };