<?php

namespace App\Services\Auth;

use App\Support\Auth\Capabilities;
use App\Support\Auth\WorkspaceRole;

/**
 * Workspace Role to Capability Mapping (Single Source of Truth)
 *
 * This class defines which capabilities each workspace role has.
 * All capability strings MUST be references from the Capabilities registry.
 */
class WorkspaceRoleCapabilityMap
{
    /**
     * @var array<string, array<int, string>>
     */
    private static array $roleCapabilities = [
        WorkspaceRole::Owner->value => [
            Capabilities::WORKSPACE_VIEW,
            Capabilities::WORKSPACE_MANAGE,
            Capabilities::WORKSPACE_ARCHIVE,
            Capabilities::WORKSPACE_MEMBERSHIP_VIEW,
            Capabilities::WORKSPACE_MEMBERSHIP_MANAGE,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_IDENTIFY,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CANCEL,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_VIEW,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_MANAGE,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_MANAGE_DEDICATED,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_VERIFICATION_START,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_POLICY_SYNC,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_BACKUP_BOOTSTRAP,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_ACTIVATE,
            Capabilities::WORKSPACE_SETTINGS_VIEW,
            Capabilities::WORKSPACE_SETTINGS_MANAGE,
            Capabilities::ALERTS_VIEW,
            Capabilities::ALERTS_MANAGE,
            Capabilities::WORKSPACE_BASELINES_VIEW,
            Capabilities::WORKSPACE_BASELINES_MANAGE,
            Capabilities::AUDIT_VIEW,
            Capabilities::FINDING_EXCEPTION_APPROVE,
        ],

        WorkspaceRole::Manager->value => [
            Capabilities::WORKSPACE_VIEW,
            Capabilities::WORKSPACE_MEMBERSHIP_VIEW,
            Capabilities::WORKSPACE_MEMBERSHIP_MANAGE,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_IDENTIFY,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CANCEL,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_VIEW,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_MANAGE,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_VERIFICATION_START,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_POLICY_SYNC,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_BACKUP_BOOTSTRAP,
            Capabilities::WORKSPACE_SETTINGS_VIEW,
            Capabilities::WORKSPACE_SETTINGS_MANAGE,
            Capabilities::ALERTS_VIEW,
            Capabilities::ALERTS_MANAGE,
            Capabilities::WORKSPACE_BASELINES_VIEW,
            Capabilities::WORKSPACE_BASELINES_MANAGE,
            Capabilities::AUDIT_VIEW,
            Capabilities::FINDING_EXCEPTION_APPROVE,
        ],

        WorkspaceRole::Operator->value => [
            Capabilities::WORKSPACE_VIEW,
            Capabilities::WORKSPACE_MEMBERSHIP_VIEW,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_CONNECTION_VIEW,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_VERIFICATION_START,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_INVENTORY_SYNC,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_POLICY_SYNC,
            Capabilities::WORKSPACE_MANAGED_TENANT_ONBOARD_BOOTSTRAP_BACKUP_BOOTSTRAP,
            Capabilities::WORKSPACE_SETTINGS_VIEW,
            Capabilities::ALERTS_VIEW,
            Capabilities::WORKSPACE_BASELINES_VIEW,
            Capabilities::AUDIT_VIEW,
        ],

        WorkspaceRole::Readonly->value => [
            Capabilities::WORKSPACE_VIEW,
            Capabilities::WORKSPACE_SETTINGS_VIEW,
            Capabilities::ALERTS_VIEW,
            Capabilities::WORKSPACE_BASELINES_VIEW,
            Capabilities::AUDIT_VIEW,
        ],
    ];

    /**
     * @return array<string>
     */
    public static function getCapabilities(WorkspaceRole|string $role): array
    {
        $roleValue = $role instanceof WorkspaceRole ? $role->value : $role;

        $capabilities = array_merge(
            self::$roleCapabilities[$roleValue] ?? [],
            RoleCapabilityMap::getCapabilities($roleValue),
        );

        if ($roleValue === WorkspaceRole::Manager->value) {
            $capabilities[] = Capabilities::TENANT_MEMBERSHIP_MANAGE;
        }

        return array_values(array_unique($capabilities));
    }

    /**
     * @return array<string>
     */
    public static function rolesWithCapability(string $capability): array
    {
        $roles = [];

        foreach (array_keys(self::$roleCapabilities) as $role) {
            if (in_array($capability, self::getCapabilities($role), true)) {
                $roles[] = $role;
            }
        }

        return $roles;
    }

    public static function hasCapability(WorkspaceRole|string $role, string $capability): bool
    {
        return in_array($capability, self::getCapabilities($role), true);
    }
}