/**
 * UI-side RBAC decision helpers for branch-based routes (RHL-021).
 *
 * This module is pure (no React / no Next runtime).
 * The UI can use it to decide whether a user may access a given `:branch` segment.
 *
 * NOTE(review): the decision is computed on the UI side from whatever user
 * object the caller passes in, so it only controls what the UI renders or
 * navigates to. Confirm that the API enforces the same branch rules
 * server-side; this module cannot protect data on its own.
 */

/**
 * Shape of the authenticated user this module reads.
 *
 * @typedef {Object} AuthUser
 * @property {string} userId
 * @property {string} role
 * @property {string|null} branchId
 */

/** Frozen set of the two possible access decisions. */
export const BRANCH_ACCESS = Object.freeze({
  ALLOWED: "allowed",
  FORBIDDEN: "forbidden",
});

/**
 * Decide whether the given user can access a route branch.
 *
 * The function is deny-by-default: every path that is not explicitly
 * allowed returns "forbidden".
 *
 * Rules:
 * - role "branch": allowed only when `user.branchId` strictly equals `routeBranch`
 * - role "admin" / "dev": allowed for any non-empty route branch
 * - unknown roles, a missing user, or a missing / non-string / empty
 *   `routeBranch`: forbidden
 *
 * Role and branch comparisons are exact, case-sensitive string matches.
 * The function does not check that `routeBranch` names an existing branch.
 *
 * @param {AuthUser|null} user
 * @param {string} routeBranch
 * @returns {"allowed"|"forbidden"}
 */
export function getBranchAccess(user, routeBranch) {
  const { ALLOWED, FORBIDDEN } = BRANCH_ACCESS;

  // Reject before touching any user field: no user, or no usable branch segment.
  const hasRouteBranch = typeof routeBranch === "string" && routeBranch !== "";
  if (!user || !hasRouteBranch) {
    return FORBIDDEN;
  }

  switch (user.role) {
    case "branch":
      // Branch users are pinned to their own branch; a null branchId never matches.
      if (user.branchId === routeBranch) {
        return ALLOWED;
      }
      return FORBIDDEN;

    case "admin":
    case "dev":
      return ALLOWED;

    default:
      // Any role not listed above is denied.
      return FORBIDDEN;
  }
}