import {
  allPermissionsEnabled,
  canAccessFeature,
  normalizePermissions,
  persistWorkpulsePermissions,
  readWorkpulsePermissions,
  type WorkpulseFeatureKey,
  type WorkpulsePermissions
} from "~/utils/workpulse-permissions";
import { readWorkpulseSessionRole } from "~/utils/workpulse-session-user";

// Key passed to `useState` in useWorkpulsePermissions(); every caller that uses
// this key reads and writes the same in-memory permissions entry.
const STATE_KEY = "workpulse:permissions-state";

/**
 * Composable exposing the current user's Workpulse permissions and helpers to
 * update, query and reset them.
 *
 * The effective permissions are resolved in this order:
 *   1. the in-memory state held under `STATE_KEY`,
 *   2. whatever `readWorkpulsePermissions()` returns,
 *   3. `normalizePermissions(role, null)` for the session role.
 *
 * NOTE(review): `can()` and `isSuperadmin` are computed from values handed to
 * this composable or read through the storage helpers. Treat them as a UI
 * gate only; this assumes the backend enforces authorization independently
 * for every protected operation (confirm against the API layer).
 *
 * @returns the reactive `permissions` and `isSuperadmin` values, the mutators
 *   `applyPermissions` / `applyFromLoginUser` / `resetForLogout`, the `can`
 *   check, and the re-exported `allPermissionsEnabled` helper.
 */
export function useWorkpulsePermissions() {
  const cached = useState<WorkpulsePermissions | null>(STATE_KEY, () => null);

  // NOTE(review): this getter touches no reactive source visible in this file.
  // Unless readWorkpulseSessionRole() reads reactive state internally, the
  // value is cached after the first access and will not follow a later
  // login/logout within the same instance, so can() and isSuperadmin could
  // keep evaluating against the previous user's role. Confirm.
  const sessionRole = computed(() => readWorkpulseSessionRole());

  // First truthy source wins: in-memory state, then the persisted copy, then
  // the normalized defaults for the session role.
  const permissions = computed(
    () => cached.value || readWorkpulsePermissions() || normalizePermissions(sessionRole.value, null)
  );

  // Case-insensitive match; a missing role is treated as the empty string.
  const isSuperadmin = computed(() => {
    const roleName = sessionRole.value || "";
    return roleName.toLowerCase() === "superadmin";
  });

  /**
   * Normalizes `raw` for the given role (falling back to the session role when
   * `userRole` is null/undefined), stores the result in memory, hands it to
   * `persistWorkpulsePermissions`, and returns it.
   */
  const applyPermissions = (raw: Partial<WorkpulsePermissions> | null | undefined, userRole?: string) => {
    const normalized = normalizePermissions(userRole ?? sessionRole.value, raw);
    cached.value = normalized;
    persistWorkpulsePermissions(normalized);
    return normalized;
  };

  /**
   * Applies the `permissions` and `role` fields of a login user object.
   *
   * NOTE(review): both fields are forwarded as received; any validation
   * happens inside normalizePermissions(), which is not visible here.
   */
  const applyFromLoginUser = (user: { role?: string; permissions?: Partial<WorkpulsePermissions> }) =>
    applyPermissions(user.permissions, user.role);

  /** Delegates to `canAccessFeature` with the session role and effective permissions. */
  const can = (feature: WorkpulseFeatureKey): boolean =>
    canAccessFeature(sessionRole.value, permissions.value, feature);

  /**
   * Clears the in-memory permissions only.
   *
   * NOTE(review): nothing here clears what persistWorkpulsePermissions() wrote.
   * If the logout flow does not clear it elsewhere, `permissions` falls back
   * to readWorkpulsePermissions() and may surface the previous user's
   * persisted permissions. Verify against the logout path.
   */
  const resetForLogout = () => {
    cached.value = null;
  };

  return {
    permissions,
    isSuperadmin,
    applyPermissions,
    applyFromLoginUser,
    can,
    resetForLogout,
    allPermissionsEnabled
  };
}
