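import os
import secrets
import warnings
from datetime import datetime, timedelta, timezone

import jwt

# In production, set JWT_SECRET in your Hugging Face Space secrets.
# HS256 is a symmetric HMAC: whoever knows this value can sign a token carrying
# any user_id/role. Use a random value of at least 32 bytes (RFC 7518, section 3.2
# requires a key at least as long as the hash output) and keep it out of the repo.
SECRET_KEY = os.environ.get("JWT_SECRET")
if not SECRET_KEY:
    # A literal fallback string in source is a published signing key. When the
    # variable is missing or empty, use a random per-process key instead:
    # local development still works, but tokens do not survive a restart and
    # are not shared between worker processes.
    SECRET_KEY = secrets.token_urlsafe(64)
    warnings.warn(
        "JWT_SECRET is not set; using an ephemeral random signing key. "
        "Set JWT_SECRET before deploying.",
        RuntimeWarning,
    )

ALGORITHM = "HS256"
ACCESS_TOKEN_EXPIRE_MINUTES = 1440  # 24 hour session


def create_access_token(user_id: int, role: str) -> str:
    """Generate a signed JWT with the payload structure required by the architecture.

    The token is signed, not encrypted: the ``user_id`` and ``role`` claims are
    readable by anyone holding the token. Code that verifies these tokens should
    pass ``algorithms=[ALGORITHM]`` to ``jwt.decode`` so the accepted algorithm
    is fixed by the server rather than by the token header.

    Args:
        user_id: Identifier stored in the ``user_id`` claim.
        role: Role stored in the ``role`` claim.

    Returns:
        The compact serialized JWT, expiring ACCESS_TOKEN_EXPIRE_MINUTES from now.
    """
    # Timezone-aware UTC expiry; PyJWT converts a datetime "exp" to a numeric timestamp.
    expire = datetime.now(timezone.utc) + timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)

    # Payload structure defined in the architectural document.
    # NOTE(review): no revocation mechanism is visible here, so an issued token
    # presumably stays valid for the full 24 hours; confirm against the verifier.
    payload = {
        "user_id": user_id,
        "role": role,
        "exp": expire,
    }

    encoded_jwt = jwt.encode(payload, SECRET_KEY, algorithm=ALGORITHM)
    # PyJWT 1.x returns bytes, 2.x returns str; normalize to the annotated return type.
    if isinstance(encoded_jwt, bytes):
        encoded_jwt = encoded_jwt.decode("ascii")
    return encoded_jwt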