@spec credential(map(), atom() | binary(), term()) :: term()

Reads a credential from either an adapter or credential map.

@spec drop_nil_values(map()) :: map()

Removes keys whose values are nil.

@spec hmac_sha256_verify(binary(), iodata(), binary()) :: boolean()

Verifies an HMAC-SHA256 hex signature against a key + payload pair.

@spec provider_result(
  {:ok, %{status: integer(), body: term()}} | {:error, term()},
  atom(),
  (term() -> binary() | nil)
) :: {:ok, map()} | {:error, map()}

Normalizes an HTTP provider response into the channel delivery contract.

@spec recipient(term(), map(), binary() | atom()) :: binary() | nil

Resolves the recipient for a channel from payload overrides or enrollment data.

@spec request_options(map()) :: keyword()

Returns configured Req options for channel provider HTTP calls.

Tests and host applications can provide options globally through config :dripdrop, :channel_req_options or per adapter through adapter.config["req_options"].

@spec secure_compare(binary(), binary()) :: boolean()

Constant-time comparison of two binaries that also guards size mismatch.

Plug.Crypto.secure_compare/2 requires equal byte sizes; this wrapper folds the size check into the comparison so callers can compare a candidate signature directly without leaking length information.

@spec within_skew?(term(), pos_integer(), DateTime.t() | nil) :: boolean()

Returns true when timestamp is within max_seconds of reference (default now).

Accepts unix timestamps as integer or string and ISO 8601 strings. Used to reject replayed webhook deliveries.