/** Effective action flags for one module — mirrors the C# ModuleActions DTO. */
export interface ModuleActions {
    read: boolean;
    write: boolean;
    delete: boolean;
    approve: boolean;
    /** Computed server-side (true if any flag is set). */
    any?: boolean;
}

export type PermissionAction = 'read' | 'write' | 'delete' | 'approve';

/**
 * Canonical module names — must match the C# ROLAC.API.Authorization.Modules constants
 * (PascalCase). Used by the permission directive, guard, nav, and admin page.
 */
export const PermissionModules = {
    Members:           'Members',
    Users:             'Users',
    Givings:           'Givings',
    GivingCategories:  'GivingCategories',
    Expenses:          'Expenses',
    ExpenseCategories: 'ExpenseCategories',
    OfferingSessions:  'OfferingSessions',
    Ministries:        'Ministries',
    FinanceDashboard:  'FinanceDashboard',
    MonthlyStatements: 'MonthlyStatements',
    ChurchProfile:     'ChurchProfile',
    Disbursements:     'Disbursements',
    MealAttendance:    'MealAttendance',
    Permissions:       'Permissions',
} as const;

/** A required permission, used in route data and the *appHasPermission directive. */
export interface PermissionRequirement {
    module: string;
    action: PermissionAction;
}

// ── Admin matrix DTOs (mirror C# DTOs.Permissions) ────────────────────────────

export interface ModulePermissionDto {
    module: string;
    canRead: boolean;
    canWrite: boolean;
    canDelete: boolean;
    canApprove: boolean;
}

export interface RolePermissionRow {
    roleName: string;
    description?: string;
    isSuperAdmin: boolean;
    modules: ModulePermissionDto[];
}

export interface PermissionMatrixDto {
    allModules: string[];
    allActions: string[];
    roles: RolePermissionRow[];
}

export interface UpdateRolePermissionsRequest {
    modules: ModulePermissionDto[];
}