<?php

namespace App\Support\Operations;

use App\Support\Auth\Capabilities;

final class OperationRunCapabilityResolver
{
    public function requiredCapabilityForType(string $operationType): ?string
    {
        $operationType = trim($operationType);

        if ($operationType === '') {
            return null;
        }

        return match ($operationType) {
            'inventory_sync' => Capabilities::TENANT_INVENTORY_SYNC_RUN,
            'entra_group_sync' => Capabilities::TENANT_SYNC,
            'backup_schedule_run', 'backup_schedule_retention', 'backup_schedule_purge' => Capabilities::TENANT_BACKUP_SCHEDULES_RUN,
            'restore.execute' => Capabilities::TENANT_MANAGE,
            'directory_role_definitions.sync' => Capabilities::TENANT_MANAGE,
            'alerts.evaluate', 'alerts.deliver' => Capabilities::ALERTS_VIEW,

            // Viewing verification reports should be possible for readonly members.
            // Starting verification is separately guarded by the verification service.
            'provider.connection.check' => Capabilities::PROVIDER_VIEW,

            // Keep legacy / unknown types viewable by membership+entitlement only.
            default => null,
        };
    }

    public function requiredExecutionCapabilityForType(string $operationType): ?string
    {
        $operationType = trim($operationType);

        if ($operationType === '') {
            return null;
        }

        return match ($operationType) {
            'provider.connection.check', 'provider.inventory.sync', 'provider.compliance.snapshot' => Capabilities::PROVIDER_RUN,
            'policy.sync', 'policy.sync_one', 'tenant.sync' => Capabilities::TENANT_SYNC,
            'policy.delete' => Capabilities::TENANT_MANAGE,
            'assignments.restore', 'restore.execute' => Capabilities::TENANT_MANAGE,
            default => $this->requiredCapabilityForType($operationType),
        };
    }
}