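// sign_token.php

/**
 * Serialise the claims as JSON and authenticate them with HMAC-SHA256.
 *
 * Token layout: base64(json payload) . '.' . base64(raw HMAC). The payload is
 * signed but not encrypted, so anyone holding the token can read the claims.
 *
 * @param array  $claims Claims to embed; includes tenant, exp, origin.
 * @param string $secret Shared HMAC key; must not be empty.
 *
 * @return string The signed token.
 *
 * @throws \InvalidArgumentException If the secret is empty or the claims cannot be JSON-encoded.
 */
function sign_token(array $claims, string $secret): string
{
    // An empty key (e.g. an unset configuration value) would yield a signature
    // that anyone can recompute, so refuse to issue a token with it.
    if ($secret === '') {
        throw new \InvalidArgumentException('sign_token: secret must not be empty');
    }

    $payload = json_encode($claims, JSON_UNESCAPED_SLASHES);
    if ($payload === false) {
        // Fail loudly instead of signing a false/empty payload. The message
        // carries the encoder's error text only, never the claim values.
        throw new \InvalidArgumentException(
            'sign_token: claims are not JSON-encodable: ' . json_last_error_msg()
        );
    }

    $sig = base64_encode(hash_hmac('sha256', $payload, $secret, true));

    return base64_encode($payload) . '.' . $sig;
}

/**
 * Validate a token produced by sign_token() and return its claims.
 *
 * The HMAC is checked over the decoded payload bytes before the JSON is parsed,
 * so unauthenticated input never reaches json_decode(). Only the signature and
 * the exp claim are checked here; tenant and origin are returned as-is and the
 * caller has to compare them with the request being authorised.
 *
 * @param string $token  Token in the "payload.signature" form.
 * @param string $secret Shared HMAC key used when the token was signed.
 *
 * @return array|null The claims, or null when the token is malformed, has a bad
 *                    signature, carries an unusable exp value, or has expired.
 */
function verify_token(string $token, string $secret): ?array
{
    // Fail closed on an empty key: its signatures are forgeable by anyone.
    if ($secret === '') {
        return null;
    }

    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64payload, $b64sig] = $parts;

    // Strict mode rejects characters outside the base64 alphabet.
    $payload = base64_decode($b64payload, true);
    $sig = base64_decode($b64sig, true);
    if ($payload === false || $sig === false || $payload === '' || $sig === '') {
        return null;
    }

    // Constant-time comparison; the locally computed MAC goes first.
    $calc = hash_hmac('sha256', $payload, $secret, true);
    if (!hash_equals($calc, $sig)) {
        return null;
    }

    $claims = json_decode($payload, true);
    if (!is_array($claims)) {
        return null;
    }

    // When exp is present it must be a usable timestamp. The previous
    // !empty() test skipped the check for 0, "0", "", null, false and [],
    // which turned such tokens into non-expiring ones.
    // NOTE(review): a token signed without any exp key is still accepted and
    // never expires; callers that need mandatory expiry must check for it.
    if (array_key_exists('exp', $claims)) {
        $exp = $claims['exp'];
        if (!is_numeric($exp) || time() > (int) $exp) {
            return null;
        }
    }

    return $claims;
}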