import { type AuthPayload, type Role } from "../model/interfaces.ts"; // Named capabilities checked at enforcement points. Extend this union as new // gated capabilities are added (e.g. "invite:manage"). export type Permission = "dump:moderate" | "comment:moderate" | "user:manage"; const ALL_PERMISSIONS: readonly Permission[] = [ "dump:moderate", "comment:moderate", "user:manage", ]; // Roles are fixed in code. `admin` is a superset of every permission (current // and future); `moderator` gets the content-moderation permissions only. export const ROLE_PERMISSIONS: Record = { admin: ALL_PERMISSIONS, moderator: ["dump:moderate", "comment:moderate"], user: [], }; export function hasPermission(role: Role, permission: Permission): boolean { return ROLE_PERMISSIONS[role].includes(permission); } export function can(payload: AuthPayload, permission: Permission): boolean { return hasPermission(payload.role, permission); }