// Package iam defines the platform-owned identity and authorization facade.
//
// The first implementation is intentionally a facade over the current auth and
// authz packages. Callers should depend on these platform-owned types; the
// underlying auth logic stays behind the platform auth implementation.
package iam

// ProjectScope carries the identifiers that place a user inside an
// organization, department and project. Every field is a plain string; the
// zero value has all four identifiers empty, and nothing here validates them.
type ProjectScope struct {
	// UserID identifies the acting user.
	UserID       string
	// OrgID identifies the organization.
	OrgID        string
	// DepartmentID identifies the department.
	DepartmentID string
	// ProjectID identifies the project.
	ProjectID    string
}

// OrgScope carries the identifiers that place a user inside an organization.
// It is the organization-level counterpart of ProjectScope and shares its
// UserID and OrgID fields; the zero value has both identifiers empty.
type OrgScope struct {
	// UserID identifies the acting user.
	UserID string
	// OrgID identifies the organization.
	OrgID  string
}

// PlatformRole names a platform-wide role. The underlying type is string, so
// the constants below are the canonical spellings; any other string value is
// still a valid PlatformRole at the type level and must be checked by callers.
type PlatformRole string

// Known platform roles.
const (
	// PlatformRoleSuperadmin is the platform superadmin role.
	PlatformRoleSuperadmin PlatformRole = "platform_superadmin"
	// PlatformRoleOps is the platform operations role.
	PlatformRoleOps        PlatformRole = "platform_ops"
	// PlatformRoleUser is the ordinary platform user role.
	PlatformRoleUser       PlatformRole = "platform_user"
)

// Action names a platform-level operation that an authorization check is made
// for. Values use a dotted namespace ("platform.<area>.<verb>"); the constants
// below are the defined actions. Note that ActionPlatformRunbookRead lives
// under the "platform.ops" namespace in its string value even though the
// constant name does not say "Ops".
type Action string

// Known platform actions.
const (
	// ActionPlatformAdmin is the platform administration action.
	ActionPlatformAdmin       Action = "platform.admin"
	// ActionPlatformOpsRead is read access to platform operations.
	ActionPlatformOpsRead     Action = "platform.ops.read"
	// ActionPlatformOpsWrite is write access to platform operations.
	ActionPlatformOpsWrite    Action = "platform.ops.write"
	// ActionPlatformRunbookRead is read access to operations runbooks.
	ActionPlatformRunbookRead Action = "platform.ops.runbook.read"
	// ActionPlatformNodeRead is read access to platform nodes.
	ActionPlatformNodeRead    Action = "platform.node.read"
	// ActionPlatformAuditRead is read access to the platform audit data.
	ActionPlatformAuditRead   Action = "platform.audit.read"
)

// AppliedScope records at which level a decision was evaluated. Only global,
// tenant and project scopes are defined here; there is no department-level
// value even though ProjectScope carries a DepartmentID.
type AppliedScope string

// Known applied scopes.
const (
	// ScopeGlobal is the platform-wide scope.
	ScopeGlobal  AppliedScope = "global"
	// ScopeTenant is the tenant (organization) scope.
	ScopeTenant  AppliedScope = "tenant"
	// ScopeProject is the project scope.
	ScopeProject AppliedScope = "project"
)

// PolicySource records which policy mechanism produced a decision, so callers
// and audit logs can tell a hard-coded rule from a configured or OPA-evaluated
// one.
type PolicySource string

// Known policy sources.
const (
	// PolicySourceInCode marks a decision made by rules compiled into the binary.
	PolicySourceInCode       PolicySource = "in_code"
	// PolicySourcePolicyValues marks a decision made from configured policy values.
	PolicySourcePolicyValues PolicySource = "policy_values"
	// PolicySourceOPA marks a decision made by an OPA policy evaluation.
	PolicySourceOPA          PolicySource = "opa"
)

// ReasonCode explains why a Decision denied (or, when empty, carries no
// explanation). The string values are the stable identifiers; note that
// ReasonPolicyConstraintDeny's value is spelled "policy_constraint_denied",
// unlike its constant name.
//
// NOTE(review): nothing here decides whether these codes are shown to end
// users; distinguishing membership_missing from permission_denied externally
// reveals membership information, so confirm that boundary before surfacing
// them verbatim.
type ReasonCode string

// Known deny reasons.
const (
	// ReasonPermissionDenied: the actor lacks the required permission.
	ReasonPermissionDenied     ReasonCode = "permission_denied"
	// ReasonMembershipMissing: the actor is not a member of the target scope.
	ReasonMembershipMissing    ReasonCode = "membership_missing"
	// ReasonScopeMismatch: the required and applied scopes do not match.
	ReasonScopeMismatch        ReasonCode = "scope_mismatch"
	// ReasonPolicyConstraintDeny: a policy constraint rejected the request.
	ReasonPolicyConstraintDeny ReasonCode = "policy_constraint_denied"
	// ReasonRoleDisabled: the role that would have allowed access is disabled.
	ReasonRoleDisabled         ReasonCode = "role_disabled"
	// ReasonActorDisabled: the actor itself is disabled.
	ReasonActorDisabled        ReasonCode = "actor_disabled"
)

// Decision is the result of an authorization check. The zero value is a deny
// (Allow is false) with no reason, scope or source set, so an uninitialised
// Decision fails closed.
type Decision struct {
	// Allow is true when the request is permitted.
	Allow        bool
	// ReasonCode explains a deny; expected to be empty when Allow is true.
	ReasonCode   ReasonCode
	// AppliedScope is the level at which the decision was evaluated.
	AppliedScope AppliedScope
	// PolicySource is the mechanism that produced the decision.
	PolicySource PolicySource
}

// ActorType classifies the principal making a request. It is a string type,
// so values outside the constants below are representable and should be
// rejected by whoever constructs a ScopeDecisionInput.
type ActorType string

// Known actor types.
const (
	// ActorTypeUser is an interactive human user.
	ActorTypeUser           ActorType = "user"
	// ActorTypeServiceAccount is a non-human service account.
	ActorTypeServiceAccount ActorType = "service_account"
	// ActorTypeOperator is a platform operator.
	ActorTypeOperator       ActorType = "operator"
	// ActorTypeRelease is a release/deployment actor.
	ActorTypeRelease        ActorType = "release"
	// ActorTypeAuditor is an audit actor.
	ActorTypeAuditor        ActorType = "auditor"
	// ActorTypeSecurity is a security actor.
	ActorTypeSecurity       ActorType = "security"
)

// ScopeDecisionInput bundles everything an authorization check needs to know
// about the actor and the requested operation.
//
// NOTE(review): Roles is []string rather than []PlatformRole, and
// RequiredScope is a bare string while AppliedScope is typed — confirm that
// the evaluator validates both against the defined constants rather than
// trusting caller-supplied values.
type ScopeDecisionInput struct {
	// ActorType classifies the principal (see ActorType constants).
	ActorType      ActorType
	// ActorID identifies the principal.
	ActorID        string
	// Roles lists the role names the actor holds.
	Roles          []string
	// RequiredScope names the scope the operation requires.
	RequiredScope  string
	// RequiredAction is the action being requested.
	RequiredAction Action
	// AppliedScope is the level at which the check is being applied.
	AppliedScope   AppliedScope
}
