package cybersecurity

import (
	"crypto/rand"
	"fmt"

	"golang.org/x/crypto/nacl/box"
)

// SealKeyBox encrypts secret for a recipient identified by their X25519 public key,
// using an anonymous sealed box (ephemeral sender keypair, no sender authentication).
// Intended for distributing a symmetric room key to a participant.
// recipientKexPub must be exactly 32 bytes.
func SealKeyBox(recipientKexPub, secret []byte) ([]byte, error) {
	if len(recipientKexPub) != 32 {
		return nil, fmt.Errorf("seal_key_box: recipientKexPub must be 32 bytes, got %d", len(recipientKexPub))
	}

	var recipientKey [32]byte
	copy(recipientKey[:], recipientKexPub)

	sealed, err := box.SealAnonymous(nil, secret, &recipientKey, rand.Reader)
	if err != nil {
		return nil, fmt.Errorf("seal_key_box: %w", err)
	}

	return sealed, nil
}