fix: reject empty HMAC keys in audit sign/verify

[muhamedfazalps]

Problem

AuditReport.sign/verify accepts empty strings and b'' as valid HMAC keys, producing worthless signatures with no warning. This is a silent security weakness for a signed-audit feature.

Fix

Added validation in _key_bytes to raise ValueError when the key is empty. This ensures a non-empty key is always required for signing and verification.

Fixes #529

---

If this helps, consider buying me a coffee! https://buymeacoffee.com/muhamedfazalps

[maziyarpanahi]

Thank you @muhamedfazalps. I reviewed this against #529 / OM-339 and added one maintainer follow-up commit: test: cover missing audit HMAC keys.

What I changed:

• made None, empty string, and empty bytes all raise the same clear ValueError for audit signing and verification;
• validated the verification key before comparing signatures so missing/empty verification keys are rejected distinctly from a wrong key;
• documented the non-empty HMAC key requirement in AuditReport.sign() and AuditReport.verify();
• added regression coverage for signing with missing/empty keys, verifying with missing/empty keys, and unsigned-report verification with a valid key.

Verification on the current PR checkout:

• PYTHONPATH=/private/tmp/openmed-pr-554 /Users/maziyar/Developer/openmed/.venv/bin/python -m pytest tests/unit/core/test_audit_report.py -q -> 10 passed
• /Users/maziyar/Developer/openmed/.venv/bin/ruff check openmed/core/audit.py tests/unit/core/test_audit_report.py -> passed
• /Users/maziyar/Developer/openmed/.venv/bin/ruff format --check openmed/core/audit.py tests/unit/core/test_audit_report.py -> passed

I also copied the labels from #529 onto the PR. The branch is mergeable with no conflicts; GitHub has not attached hosted checks to the new head commit yet, so I verified the touched behavior locally.

[muhamedfazalps]

Thanks for merging! 🎉

If this fix helped, consider supporting: https://buymeacoffee.com/muhamedfazalps