signalwire-sdk 2.0.0

data/lib/signalwire/rest/namespaces/short_codes.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module SignalWire
+  module REST
+    module Namespaces
+      # Short code management (read + update only).
+      class ShortCodesResource < BaseResource
+        def initialize(http)
+          super(http, '/api/relay/rest/short_codes')
+        end
+
+        def list(**params)
+          @http.get(@base_path, params.empty? ? nil : params)
+        end
+
+        def get(short_code_id)
+          @http.get(_path(short_code_id))
+        end
+
+        def update(short_code_id, **kwargs)
+          @http.put(_path(short_code_id), kwargs)
+        end
+      end
+    end
+  end
+end

data/lib/signalwire/rest/namespaces/sip_profile.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module SignalWire
+  module REST
+    module Namespaces
+      # Project SIP profile (singleton resource).
+      class SipProfileResource < BaseResource
+        def initialize(http)
+          super(http, '/api/relay/rest/sip_profile')
+        end
+
+        def get
+          @http.get(@base_path)
+        end
+
+        def update(**kwargs)
+          @http.put(@base_path, kwargs)
+        end
+      end
+    end
+  end
+end

data/lib/signalwire/rest/namespaces/verified_callers.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module SignalWire
+  module REST
+    module Namespaces
+      # Verified caller ID management with verification flow.
+      class VerifiedCallersResource < CrudResource
+        self.update_method = 'PUT'
+
+        def initialize(http)
+          super(http, '/api/relay/rest/verified_caller_ids')
+        end
+
+        def redial_verification(caller_id)
+          @http.post(_path(caller_id, 'verification'))
+        end
+
+        def submit_verification(caller_id, **kwargs)
+          @http.put(_path(caller_id, 'verification'), kwargs)
+        end
+      end
+    end
+  end
+end

data/lib/signalwire/rest/namespaces/video.rb

@@ -0,0 +1,129 @@
+# frozen_string_literal: true
+
+module SignalWire
+  module REST
+    module Namespaces
+      # Video room management with streams.
+      class VideoRooms < CrudResource
+        self.update_method = 'PUT'
+
+        def list_streams(room_id, **params)
+          @http.get(_path(room_id, 'streams'), params.empty? ? nil : params)
+        end
+
+        def create_stream(room_id, **kwargs)
+          @http.post(_path(room_id, 'streams'), kwargs)
+        end
+      end
+
+      # Video room token generation.
+      class VideoRoomTokens < BaseResource
+        def create(**kwargs)
+          @http.post(@base_path, kwargs)
+        end
+      end
+
+      # Video room session management.
+      class VideoRoomSessions < BaseResource
+        def list(**params)
+          @http.get(@base_path, params.empty? ? nil : params)
+        end
+
+        def get(session_id)
+          @http.get(_path(session_id))
+        end
+
+        def list_events(session_id, **params)
+          @http.get(_path(session_id, 'events'), params.empty? ? nil : params)
+        end
+
+        def list_members(session_id, **params)
+          @http.get(_path(session_id, 'members'), params.empty? ? nil : params)
+        end
+
+        def list_recordings(session_id, **params)
+          @http.get(_path(session_id, 'recordings'), params.empty? ? nil : params)
+        end
+      end
+
+      # Video room recording management.
+      class VideoRoomRecordings < BaseResource
+        def list(**params)
+          @http.get(@base_path, params.empty? ? nil : params)
+        end
+
+        def get(recording_id)
+          @http.get(_path(recording_id))
+        end
+
+        def delete(recording_id)
+          @http.delete(_path(recording_id))
+        end
+
+        def list_events(recording_id, **params)
+          @http.get(_path(recording_id, 'events'), params.empty? ? nil : params)
+        end
+      end
+
+      # Video conference management with tokens and streams.
+      class VideoConferences < CrudResource
+        self.update_method = 'PUT'
+
+        def list_conference_tokens(conference_id, **params)
+          @http.get(_path(conference_id, 'conference_tokens'), params.empty? ? nil : params)
+        end
+
+        def list_streams(conference_id, **params)
+          @http.get(_path(conference_id, 'streams'), params.empty? ? nil : params)
+        end
+
+        def create_stream(conference_id, **kwargs)
+          @http.post(_path(conference_id, 'streams'), kwargs)
+        end
+      end
+
+      # Video conference token management.
+      class VideoConferenceTokens < BaseResource
+        def get(token_id)
+          @http.get(_path(token_id))
+        end
+
+        def reset(token_id)
+          @http.post(_path(token_id, 'reset'))
+        end
+      end
+
+      # Video stream management.
+      class VideoStreams < BaseResource
+        def get(stream_id)
+          @http.get(_path(stream_id))
+        end
+
+        def update(stream_id, **kwargs)
+          @http.put(_path(stream_id), kwargs)
+        end
+
+        def delete(stream_id)
+          @http.delete(_path(stream_id))
+        end
+      end
+
+      # Video API namespace.
+      class VideoNamespace
+        attr_reader :rooms, :room_tokens, :room_sessions, :room_recordings,
+                    :conferences, :conference_tokens, :streams
+
+        def initialize(http)
+          base = '/api/video'
+          @rooms              = VideoRooms.new(http, "#{base}/rooms")
+          @room_tokens        = VideoRoomTokens.new(http, "#{base}/room_tokens")
+          @room_sessions      = VideoRoomSessions.new(http, "#{base}/room_sessions")
+          @room_recordings    = VideoRoomRecordings.new(http, "#{base}/room_recordings")
+          @conferences        = VideoConferences.new(http, "#{base}/conferences")
+          @conference_tokens  = VideoConferenceTokens.new(http, "#{base}/conference_tokens")
+          @streams            = VideoStreams.new(http, "#{base}/streams")
+        end
+      end
+    end
+  end
+end

data/lib/signalwire/rest/pagination.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+module SignalWire
+  module REST
+    # Iterates items across paginated API responses.
+    #
+    # Mirrors the Python PaginatedIterator (signalwire.rest._pagination):
+    # the constructor records http/path/params/data_key without fetching;
+    # iteration walks pages by following the +links.next+ cursor.
+    #
+    # Usage:
+    #   iter = SignalWire::REST::PaginatedIterator.new(http, '/api/path',
+    #                                                  params: {}, data_key: 'data')
+    #   iter.each { |item| ... }
+    #
+    # The iterator is single-pass (matching Python's __next__ semantics);
+    # use #to_a to collect every item across all pages.
+    class PaginatedIterator
+      include Enumerable
+
+      attr_reader :http, :path, :params, :data_key, :index, :items, :done
+
+      def initialize(http, path, params = nil, data_key = 'data')
+        @http     = http
+        @path     = path
+        # Dup so callers can't mutate iterator state via the original Hash.
+        @params   = params ? params.dup : {}
+        @data_key = data_key
+        @items    = []
+        @index    = 0
+        @done     = false
+      end
+
+      def each
+        return enum_for(:each) unless block_given?
+
+        loop do
+          item = next_item
+          break if item == :__stop__
+
+          yield item
+        end
+      end
+
+      # Equivalent of Python's __next__. Returns the sentinel +:__stop__+
+      # when exhausted (Ruby has no StopIteration error idiom for plain
+      # Enumerable), but the public surface is +#each+.
+      def next_item
+        while @index >= @items.length
+          return :__stop__ if @done
+
+          fetch_next
+        end
+        item = @items[@index]
+        @index += 1
+        item
+      end
+
+      private
+
+      def fetch_next
+        params_for_request = @params.empty? ? nil : @params
+        resp = @http.get(@path, params_for_request)
+        data = resp[@data_key] || []
+        @items.concat(data)
+
+        links = resp['links'] || {}
+        next_url = links['next']
+        if next_url && !data.empty?
+          uri = URI.parse(next_url)
+          query = URI.decode_www_form(uri.query || '')
+          # Flatten single-value lists, preserving multi-value entries.
+          flat = {}
+          query.each do |k, v|
+            if flat.key?(k)
+              existing = flat[k]
+              flat[k] = existing.is_a?(Array) ? existing + [v] : [existing, v]
+            else
+              flat[k] = v
+            end
+          end
+          @params = flat
+        else
+          @done = true
+        end
+      end
+    end
+  end
+end

data/lib/signalwire/rest/phone_call_handler.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module SignalWire
+  module REST
+    # PhoneCallHandler -- enum-like constants of the +call_handler+ values
+    # accepted by +phone_numbers.update+.
+    #
+    # Named +PhoneCallHandler+ (not +CallHandler+) to avoid colliding with
+    # the RELAY client's inbound-call-handler callback (+Relay::Client#on_call+).
+    #
+    # Setting a phone number's +call_handler+ together with the handler-specific
+    # companion field routes inbound calls and auto-materializes the matching
+    # Fabric resource on the server. See the high-level helpers on
+    # +SignalWire::REST::Namespaces::PhoneNumbersResource+.
+    #
+    # === Mapping
+    #
+    #   Constant          | Companion field (required)     | Auto-creates resource
+    #   ------------------+--------------------------------+----------------------
+    #   RELAY_SCRIPT      | call_relay_script_url          | swml_webhook
+    #   LAML_WEBHOOKS     | call_request_url               | cxml_webhook
+    #   LAML_APPLICATION  | call_laml_application_id       | cxml_application
+    #   AI_AGENT          | call_ai_agent_id               | ai_agent
+    #   CALL_FLOW         | call_flow_id                   | call_flow
+    #   RELAY_APPLICATION | call_relay_application         | relay_application
+    #   RELAY_TOPIC       | call_relay_topic               | (routes via RELAY)
+    #   RELAY_CONTEXT     | call_relay_context             | (legacy, prefer topic)
+    #   RELAY_CONNECTOR   | (connector config)             | (internal)
+    #   VIDEO_ROOM        | call_video_room_id             | (routes to Video API)
+    #   DIALOGFLOW        | call_dialogflow_agent_id       | (none)
+    #
+    # Note: +LAML_WEBHOOKS+ (wire value +laml_webhooks+) produces a *cXML*
+    # handler despite the plural name, not a generic webhook. For SWML, use
+    # +RELAY_SCRIPT+.
+    module PhoneCallHandler
+      RELAY_SCRIPT      = 'relay_script'
+      LAML_WEBHOOKS     = 'laml_webhooks'
+      LAML_APPLICATION  = 'laml_application'
+      AI_AGENT          = 'ai_agent'
+      CALL_FLOW         = 'call_flow'
+      RELAY_APPLICATION = 'relay_application'
+      RELAY_TOPIC       = 'relay_topic'
+      RELAY_CONTEXT     = 'relay_context'
+      RELAY_CONNECTOR   = 'relay_connector'
+      VIDEO_ROOM        = 'video_room'
+      DIALOGFLOW        = 'dialogflow'
+
+      # All supported wire values, in the same order as the constants.
+      ALL = [
+        RELAY_SCRIPT, LAML_WEBHOOKS, LAML_APPLICATION, AI_AGENT, CALL_FLOW,
+        RELAY_APPLICATION, RELAY_TOPIC, RELAY_CONTEXT, RELAY_CONNECTOR,
+        VIDEO_ROOM, DIALOGFLOW
+      ].freeze
+    end
+  end
+end

data/lib/signalwire/rest/rest_client.rb

@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+require_relative 'http_client'
+require_relative 'pagination'
+require_relative 'phone_call_handler'
+require_relative 'namespaces/fabric'
+require_relative 'namespaces/calling'
+require_relative 'namespaces/phone_numbers'
+require_relative 'namespaces/addresses'
+require_relative 'namespaces/queues'
+require_relative 'namespaces/recordings'
+require_relative 'namespaces/number_groups'
+require_relative 'namespaces/verified_callers'
+require_relative 'namespaces/sip_profile'
+require_relative 'namespaces/lookup'
+require_relative 'namespaces/short_codes'
+require_relative 'namespaces/imported_numbers'
+require_relative 'namespaces/mfa'
+require_relative 'namespaces/registry'
+require_relative 'namespaces/datasphere'
+require_relative 'namespaces/video'
+require_relative 'namespaces/logs'
+require_relative 'namespaces/project'
+require_relative 'namespaces/pubsub'
+require_relative 'namespaces/chat'
+require_relative 'namespaces/compat'
+
+module SignalWire
+  module REST
+    # REST client for the SignalWire platform APIs.
+    #
+    # Usage:
+    #   client = SignalWire::REST::RestClient.new(
+    #     project: 'your-project-id',
+    #     token:   'your-api-token',
+    #     host:    'your-space.signalwire.com'
+    #   )
+    #
+    #   # Or use environment variables:
+    #   #   SIGNALWIRE_PROJECT_ID, SIGNALWIRE_API_TOKEN, SIGNALWIRE_SPACE
+    #   client = SignalWire::REST::RestClient.new
+    #
+    #   # Use namespaced resources
+    #   client.fabric.ai_agents.list
+    #   client.calling.play(call_id, play: [...])
+    #   client.phone_numbers.search(area_code: '512')
+    #   client.video.rooms.create(name: 'standup')
+    #   client.compat.calls.list
+    class RestClient
+      attr_reader :fabric, :calling, :phone_numbers, :datasphere, :video,
+                  :compat, :addresses, :queues, :recordings, :number_groups,
+                  :verified_callers, :sip_profile, :lookup, :short_codes,
+                  :imported_numbers, :mfa, :registry, :logs, :project,
+                  :pubsub, :chat, :project_id, :http
+
+      # +base_url+ overrides the derived +https://{space}+ default. The
+      # audit harness uses this to point at the local fixture server.
+      def initialize(project: nil, token: nil, host: nil, base_url: nil)
+        project_id = project || ENV['SIGNALWIRE_PROJECT_ID'] || ''
+        api_token  = token || ENV['SIGNALWIRE_API_TOKEN'] || ''
+        space      = host || ENV['SIGNALWIRE_SPACE'] || ''
+
+        if project_id.empty? || api_token.empty? || (space.empty? && (base_url.nil? || base_url.empty?))
+          raise ArgumentError,
+                'project, token, and host are required. ' \
+                'Provide them as arguments or set SIGNALWIRE_PROJECT_ID, ' \
+                'SIGNALWIRE_API_TOKEN, and SIGNALWIRE_SPACE environment variables.'
+        end
+
+        @project_id = project_id
+        @http = HttpClient.new(project_id, api_token, space, base_url: base_url)
+
+        # Fabric API
+        @fabric = Namespaces::FabricNamespace.new(@http)
+
+        # Calling API
+        @calling = Namespaces::CallingNamespace.new(@http)
+
+        # Relay REST resources
+        @phone_numbers    = Namespaces::PhoneNumbersResource.new(@http)
+        @addresses        = Namespaces::AddressesResource.new(@http)
+        @queues           = Namespaces::QueuesResource.new(@http)
+        @recordings       = Namespaces::RecordingsResource.new(@http)
+        @number_groups    = Namespaces::NumberGroupsResource.new(@http)
+        @verified_callers = Namespaces::VerifiedCallersResource.new(@http)
+        @sip_profile      = Namespaces::SipProfileResource.new(@http)
+        @lookup           = Namespaces::LookupResource.new(@http)
+        @short_codes      = Namespaces::ShortCodesResource.new(@http)
+        @imported_numbers = Namespaces::ImportedNumbersResource.new(@http)
+        @mfa              = Namespaces::MfaResource.new(@http)
+        @registry         = Namespaces::RegistryNamespace.new(@http)
+
+        # Datasphere API
+        @datasphere = Namespaces::DatasphereNamespace.new(@http)
+
+        # Video API
+        @video = Namespaces::VideoNamespace.new(@http)
+
+        # Logs
+        @logs = Namespaces::LogsNamespace.new(@http)
+
+        # Project management
+        @project = Namespaces::ProjectNamespace.new(@http)
+
+        # PubSub & Chat
+        @pubsub = Namespaces::PubSubResource.new(@http)
+        @chat   = Namespaces::ChatResource.new(@http)
+
+        # Compatibility (Twilio-compatible) API
+        @compat = Namespaces::CompatNamespace.new(@http, project_id)
+      end
+    end
+  end
+end

data/lib/signalwire/runtime.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+# Copyright (c) 2025 SignalWire
+#
+# Licensed under the MIT License.
+# See LICENSE file in the project root for full license information.
+
+module SignalWire
+  # Runtime environment detection.
+  #
+  # Detects the execution environment (plain server, AWS Lambda, CGI,
+  # Google Cloud Functions, Azure Functions) by inspecting well-known
+  # environment variables set by each platform.
+  #
+  # This is the Ruby counterpart to the Python SDK's
+  # +signalwire.core.logging_config.get_execution_mode+.
+  module Runtime
+    MODES = %i[server lambda cgi google_cloud_function azure_function unknown].freeze
+
+    # Determine the current execution mode.
+    #
+    # Returns one of:
+    # - +:cgi+   - running under a CGI gateway (GATEWAY_INTERFACE is set)
+    # - +:lambda+ - running under AWS Lambda
+    # - +:google_cloud_function+ - Google Cloud Functions / Cloud Run
+    # - +:azure_function+ - Azure Functions
+    # - +:server+ - long-running HTTP server (the default)
+    #
+    # Detection order matters: CGI is checked before Lambda because a
+    # Lambda function invoked through an emulator that also sets
+    # GATEWAY_INTERFACE should still be treated as CGI.
+    #
+    # @return [Symbol] one of the values in {MODES}
+    def self.execution_mode
+      # CGI environment (e.g. Apache mod_cgi)
+      return :cgi if ENV['GATEWAY_INTERFACE'] && !ENV['GATEWAY_INTERFACE'].empty?
+
+      # AWS Lambda
+      if (ENV['AWS_LAMBDA_FUNCTION_NAME'] && !ENV['AWS_LAMBDA_FUNCTION_NAME'].empty?) ||
+         (ENV['LAMBDA_TASK_ROOT'] && !ENV['LAMBDA_TASK_ROOT'].empty?)
+        return :lambda
+      end
+
+      # Google Cloud Functions / Cloud Run
+      if (ENV['FUNCTION_TARGET'] && !ENV['FUNCTION_TARGET'].empty?) ||
+         (ENV['K_SERVICE'] && !ENV['K_SERVICE'].empty?) ||
+         (ENV['GOOGLE_CLOUD_PROJECT'] && !ENV['GOOGLE_CLOUD_PROJECT'].empty?)
+        return :google_cloud_function
+      end
+
+      # Azure Functions
+      if (ENV['AZURE_FUNCTIONS_ENVIRONMENT'] && !ENV['AZURE_FUNCTIONS_ENVIRONMENT'].empty?) ||
+         (ENV['FUNCTIONS_WORKER_RUNTIME'] && !ENV['FUNCTIONS_WORKER_RUNTIME'].empty?) ||
+         (ENV['AzureWebJobsStorage'] && !ENV['AzureWebJobsStorage'].empty?)
+        return :azure_function
+      end
+
+      :server
+    end
+
+    # True when the SDK is running inside AWS Lambda.
+    # @return [Boolean]
+    def self.lambda?
+      execution_mode == :lambda
+    end
+
+    # True when the SDK is running inside any serverless platform.
+    # @return [Boolean]
+    def self.serverless?
+      mode = execution_mode
+      mode == :lambda || mode == :cgi ||
+        mode == :google_cloud_function || mode == :azure_function
+    end
+
+    # Construct the base URL for the current Lambda function.
+    #
+    # Prefers +AWS_LAMBDA_FUNCTION_URL+ when set; otherwise falls back to
+    # the standard Function URL shape built from +AWS_LAMBDA_FUNCTION_NAME+
+    # and +AWS_REGION+. Returns +nil+ when neither signal is present.
+    #
+    # The returned URL never has a trailing slash and never contains a
+    # path component, so callers must append the agent's route themselves.
+    #
+    # @return [String, nil]
+    def self.lambda_base_url
+      explicit = ENV['AWS_LAMBDA_FUNCTION_URL']
+      return explicit.chomp('/') if explicit && !explicit.empty?
+
+      function_name = ENV['AWS_LAMBDA_FUNCTION_NAME']
+      return nil if function_name.nil? || function_name.empty?
+
+      region = ENV['AWS_REGION']
+      region = 'us-east-1' if region.nil? || region.empty?
+
+      "https://#{function_name}.lambda-url.#{region}.on.aws"
+    end
+  end
+end

data/lib/signalwire/security/session_manager.rb

@@ -0,0 +1,124 @@
+# frozen_string_literal: true
+
+# Copyright (c) 2025 SignalWire
+#
+# Licensed under the MIT License.
+# See LICENSE file in the project root for full license information.
+
+require 'openssl'
+require 'securerandom'
+require 'base64'
+
+module SignalWire
+  module Security
+    # Stateless HMAC-SHA256 session manager for secure SWAIG tool tokens.
+    #
+    # Tokens are self-contained: all information needed for validation is
+    # encoded inside the token itself. No server-side session state is stored.
+    #
+    #   mgr = SessionManager.new(token_expiry_secs: 900)
+    #   token = mgr.create_token("lookup_order", "call-abc-123")
+    #   mgr.validate_token("lookup_order", token, "call-abc-123") # => true
+    #
+    class SessionManager
+      # @param token_expiry_secs [Integer] seconds until tokens expire (minimum 1)
+      # @param secret_key [String, nil] hex-encoded secret; generated if omitted
+      def initialize(token_expiry_secs: 3600, secret_key: nil)
+        @token_expiry_secs = [token_expiry_secs, 1].max
+        @secret_key = secret_key || SecureRandom.hex(32)
+      end
+
+      # Create a secure, self-contained token for a function call.
+      #
+      # Token format (before Base64):
+      #   call_id.function_name.expiry_timestamp.nonce.hmac_hex
+      #
+      # @param function_name [String]
+      # @param call_id [String]
+      # @return [String] URL-safe Base64-encoded token
+      def create_token(function_name, call_id)
+        expiry = (Time.now.to_i + @token_expiry_secs).to_s
+        nonce  = SecureRandom.hex(8)
+
+        message   = "#{call_id}:#{function_name}:#{expiry}:#{nonce}"
+        signature = compute_hmac(message)
+
+        token_raw = "#{call_id}.#{function_name}.#{expiry}.#{nonce}.#{signature}"
+        Base64.urlsafe_encode64(token_raw, padding: false)
+      end
+
+      # Validate a function-call token.
+      #
+      # Checks:
+      # 1. Correct Base64 / structure (5 dot-separated parts)
+      # 2. HMAC signature (timing-safe comparison)
+      # 3. Function name matches
+      # 4. Call ID matches
+      # 5. Token not expired
+      #
+      # @param function_name [String]
+      # @param token [String] the token to validate
+      # @param call_id [String]
+      # @return [Boolean]
+      def validate_token(function_name, token, call_id)
+        return false if token.nil? || token.empty?
+        return false if call_id.nil? || call_id.empty?
+
+        decoded = Base64.urlsafe_decode64(token)
+        parts   = decoded.split(".")
+        return false unless parts.length == 5
+
+        token_call_id, token_function, token_expiry, token_nonce, token_signature = parts
+
+        # Verify function name
+        return false unless token_function == function_name
+
+        # Verify call ID
+        return false unless token_call_id == call_id
+
+        # Check expiry
+        expiry = Integer(token_expiry)
+        return false if expiry < Time.now.to_i
+
+        # Recompute HMAC and compare with timing-safe comparison
+        message           = "#{token_call_id}:#{token_function}:#{token_expiry}:#{token_nonce}"
+        expected_signature = compute_hmac(message)
+
+        secure_compare(token_signature, expected_signature)
+      rescue ArgumentError, TypeError
+        # Bad Base64, bad integer, etc.
+        false
+      end
+
+      private
+
+      # Compute HMAC-SHA256 of +message+ using the instance secret key.
+      # @return [String] hex digest
+      def compute_hmac(message)
+        OpenSSL::HMAC.hexdigest("SHA256", @secret_key, message)
+      end
+
+      # Timing-safe string comparison.
+      #
+      # Uses OpenSSL.fixed_length_secure_compare when the strings are the same
+      # length (which they should be for hex HMAC digests). Falls back to a
+      # double-HMAC comparison for differing lengths.
+      def secure_compare(a, b)
+        return false if a.nil? || b.nil?
+
+        if a.bytesize == b.bytesize
+          OpenSSL.fixed_length_secure_compare(a, b)
+        else
+          # Different length => definitely not equal, but still constant-time
+          false
+        end
+      rescue NoMethodError
+        # Fallback for older Ruby without fixed_length_secure_compare:
+        # compare HMAC of both values so timing doesn't leak content.
+        ha = OpenSSL::HMAC.digest("SHA256", @secret_key, a.to_s)
+        hb = OpenSSL::HMAC.digest("SHA256", @secret_key, b.to_s)
+        ha == hb
+      end
+    end
+  end
+end