"""RBAC helpers for Ligbox Ops Desk.

Each helper is a pure predicate: it takes a role name (and, for a few
checks, the ticket, assignee, username or event source involved) and
returns a bool. Nothing here performs I/O or mutates its arguments.

A role string that matches none of the names below gets ``False`` from
every ``can_*`` helper. ``should_mask_sensitive`` also returns ``False``
for such a role, and there ``False`` means "do not mask".
"""
from __future__ import annotations

ROLES = frozenset({"super_admin", "ops_lead", "technician", "noc"})

# Label string for each role in ROLES.
ROLE_LABELS = {
    "super_admin": "Super Admin",
    "ops_lead": "Chefe Ops",
    "technician": "Suporte",
    "noc": "NOC",
}

# Role groups shared by the checks below. They are tuples, so membership is
# a plain equality scan over an explicit allow-list.
_LEADS = ("super_admin", "ops_lead")
_HANDS_ON = ("super_admin", "ops_lead", "technician")
_AUDIT_VIEWERS = ("super_admin", "ops_lead", "noc")
# Spelled out rather than aliased to ROLES: a role added to ROLES later is
# not picked up here, whereas the `role in ROLES` checks would grant it.
_NAMED_ROLES = ("super_admin", "ops_lead", "technician", "noc")
# Event sources a "noc" user may pass when listing webhook events.
_NOC_EVENT_SOURCES = (None, "wazuh", "vm112-security")


def can_read_tickets(role: str) -> bool:
    """Return True for any role in ROLES."""
    return role in ROLES


def can_patch_ticket(role: str, ticket: dict, username: str) -> bool:
    """Return True if ``role`` may modify ``ticket``.

    super_admin and ops_lead may patch any ticket. A technician may patch a
    ticket whose ``assigned_to`` is missing/None or equal to ``username``.
    Every other role is refused.
    """
    if role == "technician":
        # Only a missing key or an explicit None counts as unassigned; any
        # other value (including "") is compared against username.
        owner = ticket.get("assigned_to")
        return owner is None or owner == username
    return role in _LEADS


def can_assign_ticket(role: str, assignee: str | None, username: str) -> bool:
    """Return True if ``role`` may set a ticket's assignee to ``assignee``.

    super_admin and ops_lead may assign to anyone. A technician may only
    clear the assignment (None) or assign the ticket to themselves.
    """
    if role == "technician":
        return assignee in (None, username)
    return role in _LEADS


def can_run_audit(role: str) -> bool:
    """Return True for super_admin and ops_lead."""
    return role in _LEADS


def can_read_audit_overview(role: str) -> bool:
    """Return True for super_admin, ops_lead and noc."""
    return role in _AUDIT_VIEWERS


def can_read_audit_scorecard(role: str) -> bool:
    """Return True for super_admin, ops_lead and noc."""
    return role in _AUDIT_VIEWERS


def can_read_cloudflare_dns(role: str) -> bool:
    """Return True for each of the four explicitly named roles."""
    return role in _NAMED_ROLES


def can_read_funnel(role: str) -> bool:
    """Return True for any role in ROLES."""
    return role in ROLES


def can_read_session_timeline(role: str) -> bool:
    """Return True for super_admin, ops_lead and technician."""
    return role in _HANDS_ON


def can_list_webhook_events(role: str, source: str | None = None) -> bool:
    """Return True if ``role`` may list webhook events for ``source``.

    Roles other than noc are only checked for membership in ROLES; ``source``
    is not consulted for them. noc is limited to the sources "wazuh" and
    "vm112-security", and is also allowed when ``source`` is None.
    """
    if role != "noc":
        return role in ROLES
    # NOTE(review): None passes for noc. If None means "no source filter" in
    # the listing code, confirm that code restricts noc results to the two
    # allowed sources, since this predicate alone does not.
    return source in _NOC_EVENT_SOURCES


def can_read_crm_leads(role: str) -> bool:
    """Return True for super_admin, ops_lead and technician."""
    return role in _HANDS_ON


def can_read_assist(role: str) -> bool:
    """Return True for any role in ROLES."""
    return role in ROLES


def can_assist_takeover(role: str) -> bool:
    """Return True for super_admin, ops_lead and technician."""
    return role in _HANDS_ON


def can_assist_handoff(role: str, username: str) -> bool:
    """Return True for super_admin, ops_lead and technician.

    ``username`` is accepted but not consulted: the decision depends on the
    role alone, so this check does not tie a handoff to a session's owner.
    """
    return role in _HANDS_ON


def can_manage_users(role: str) -> bool:
    """Return True for super_admin only."""
    return role == "super_admin"


def can_manage_vm112_domains(role: str) -> bool:
    """Admin Desk: VM112 orchestrated domains (Spec 017)."""
    return role in _LEADS


def should_mask_sensitive(role: str) -> bool:
    """Return True when sensitive fields should be masked, i.e. for noc.

    NOTE(review): unlike the ``can_*`` helpers, False is the permissive
    answer here, and an unrecognised role also gets False. Callers should
    gate access with the matching ``can_*`` check rather than rely on this
    predicate to hide data from unknown roles.
    """
    return role == "noc"


def can_read_migration(role: str) -> bool:
    """Return True for each of the four explicitly named roles."""
    return role in _NAMED_ROLES


def can_manage_migration(role: str) -> bool:
    """Return True for super_admin, ops_lead and technician."""
    return role in _HANDS_ON


def can_read_billing(role: str) -> bool:
    """Return True for any role in ROLES."""
    return role in ROLES


def can_manage_billing(role: str) -> bool:
    """Return True for super_admin and ops_lead."""
    return role in _LEADS