import hashlib
import hmac


def salt_for_username(username: str) -> bytes:
    """Derive a per-username salt using SHA-256(username).

    The salt is deterministic for a given username and does not require storage.
    """
    return hashlib.sha256(username.encode('utf-8')).digest()


def derive_password(password_plain: str, salt: bytes, iterations: int = 100_000, dklen: int = 32) -> bytes:
    """PBKDF2-SHA256 derive a fixed-length secret from a plaintext password and salt."""
    return hashlib.pbkdf2_hmac('sha256', password_plain.encode('utf-8'), salt, iterations, dklen=dklen)


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    """Compute HMAC-SHA256 signature for the given message using key bytes."""
    return hmac.new(key, message, hashlib.sha256).digest()