<?php

declare(strict_types=1);

namespace App\Support\Rbac;

use App\Models\Tenant;
use App\Models\User;

/**
 * DTO representing the access context for a tenant-scoped UI action.
 *
 * Captures the current user, tenant, membership status, and capability check result
 * for use by the UiEnforcement helper.
 */
final readonly class TenantAccessContext
{
    public function __construct(
        public ?User $user,
        public ?Tenant $tenant,
        public bool $isMember,
        public bool $hasCapability,
    ) {}

    /**
     * Non-members should receive 404 (deny-as-not-found).
     */
    public function shouldDenyAsNotFound(): bool
    {
        return ! $this->isMember;
    }

    /**
     * Members without capability should receive 403 (forbidden).
     */
    public function shouldDenyAsForbidden(): bool
    {
        return $this->isMember && ! $this->hasCapability;
    }

    /**
     * User is authorized to perform the action.
     */
    public function isAuthorized(): bool
    {
        return $this->isMember && $this->hasCapability;
    }
}