meezi/web/dashboard/src/lib/auth-permissions.ts

import { BRANCH_ONLY_NAV_GROUP, type NavGroupId, type NavItemKey } from "@/lib/sidebar-nav";
import { NAV_REQUIRED_PERMISSION } from "@/lib/permissions";
/**
 * Cafe owner (HQ) — billing, taxes, branches.
 *
 * The comparison is an exact, case-sensitive match against the literal
 * "Owner"; a missing role or any other string yields `false`.
 *
 * @param role Role string of the current session, if any.
 * @returns `true` only when `role` is exactly "Owner".
 */
export function isCafeOwner(role: string | undefined): boolean {
  const ownerRole = "Owner";
  return role === ownerRole;
}
/**
 * Logged in as a branch-scoped employee (JWT branchId).
 *
 * This is a presence check only: any non-empty string counts as a branch
 * account, while `null`, `undefined` and the empty string do not. The id
 * itself is not validated here.
 *
 * @param branchId Branch id of the current session, if any.
 * @returns `true` when `branchId` is a non-empty string.
 */
export function isBranchAccount(branchId: string | null | undefined): boolean {
  return Boolean(branchId);
}
/**
 * Nav item keys that `canSeeNavItem` hides from every role other than the
 * cafe owner. Adding a key here only affects what the sidebar shows.
 */
export const OWNER_ONLY_NAV_KEYS = [
  "subscription",
  "taxes",
  "branches",
] as const;
/**
 * Decides whether a sidebar nav group is shown for the current session.
 *
 * Branch accounts see only the group identified by `BRANCH_ONLY_NAV_GROUP`;
 * every other session sees all groups. `role` is accepted but not consulted
 * by this function.
 *
 * NOTE(review): this controls visibility only. Hiding a group does not stop
 * a request for the pages behind it, so the same restriction presumably has
 * to be enforced by the API — confirm.
 *
 * @param groupId Group being rendered.
 * @param role Role string of the current session (currently unused).
 * @param branchId Branch id of the current session, if any.
 * @returns `false` when a branch account asks for any group other than the
 *   branch-only one, otherwise `true`.
 */
export function canSeeNavGroup(
  groupId: NavGroupId,
  role: string | undefined,
  branchId: string | null | undefined
): boolean {
  const limitedToBranchGroup = isBranchAccount(branchId);
  return !limitedToBranchGroup || groupId === BRANCH_ONLY_NAV_GROUP;
}
/**
 * Decides whether a single sidebar nav item is shown for the current session.
 *
 * Rules, in order:
 *  1. Keys in `OWNER_ONLY_NAV_KEYS` are hidden unless the role is the owner.
 *  2. "branches" is hidden for branch accounts.
 *  3. When a permission set is supplied, the key's entry in
 *     `NAV_REQUIRED_PERMISSION` (if any) must be present in it.
 *
 * Two paths are deliberately permissive: a session without a permission list
 * (`null` or omitted) skips rule 3, and a key with no entry in
 * `NAV_REQUIRED_PERMISSION` is not permission-gated.
 *
 * NOTE(review): this controls visibility only; the permissive paths above
 * mean the API presumably has to enforce the same permissions itself — confirm.
 *
 * @param key Nav item key being rendered.
 * @param role Role string of the current session, if any.
 * @param branchId Branch id of the current session, if any.
 * @param permissions Permission names granted to the session, or
 *   `null`/omitted for a legacy session.
 * @returns `true` when the item should be shown.
 */
export function canSeeNavItem(
  key: string,
  role: string | undefined,
  branchId: string | null | undefined,
  permissions?: Set<string> | null
): boolean {
  const ownerOnlyKeys: readonly string[] = OWNER_ONLY_NAV_KEYS;
  const hiddenByRole = ownerOnlyKeys.includes(key) && !isCafeOwner(role);
  const hiddenByBranch = key === "branches" && isBranchAccount(branchId);
  if (hiddenByRole || hiddenByBranch) {
    return false;
  }

  // Permission-based page visibility. A legacy session carries no permission
  // list, so the role/branch rules above are the only checks applied and those
  // users keep their current access until the next token refresh.
  if (!permissions) {
    return true;
  }

  // No mapped permission for this key means nothing further to check.
  const required = NAV_REQUIRED_PERMISSION[key as NavItemKey];
  return !required || permissions.has(required);
}