/**
 * Role-Based Access Control (RBAC) helpers.
 *
 * @typedef {Object} Session
 * @property {"branch"|"admin"|"dev"|string} role
 * @property {string=} branchId
 */

/**
 * Returns true if the given session is allowed to access the requested branch.
 *
 * Rules:
 * - No session => not allowed (caller should return 401)
 * - role "branch" => allowed only for session.branchId === branchId
 * - role "admin" / "dev" => allowed for any branch
 *
 * @param {Session|null} session
 * @param {string} branchId
 * @returns {boolean}
 */
export function canAccessBranch(session, branchId) {
	if (!session) return false;
	if (!branchId) return false;

	if (session.role === "branch") {
		return session.branchId === branchId;
	}

	if (session.role === "admin" || session.role === "dev") {
		return true;
	}

	return false;
}

/**
 * Filters a list of branch IDs for a session.
 *
 * - No session => []
 * - role "branch" => [session.branchId] if present in branchIds, else []
 * - role "admin" / "dev" => all branchIds
 *
 * @param {Session|null} session
 * @param {string[]} branchIds
 * @returns {string[]}
 */
export function filterBranchesForSession(session, branchIds) {
	if (!session) return [];
	if (!Array.isArray(branchIds)) return [];

	if (session.role === "branch") {
		const own = session.branchId;
		if (!own) return [];
		return branchIds.includes(own) ? [own] : [];
	}

	if (session.role === "admin" || session.role === "dev") {
		return branchIds;
	}

	return [];
}