package lib

import (
	"atlas9.dev/c/core/iam"
	"atlas9.dev/c/demo/lib/domains"
)

// AppRoles maps an application role name to the capabilities listed for that
// role. Two roles are defined: "owner" and "member".
//
// How the table is consumed (role resolution, per-tenant scoping) is not
// visible in this file; presumably the iam package reads it when checking a
// principal's capabilities. TODO confirm against callers.
//
// NOTE(review): this is an exported, package-level map. Go maps are mutable,
// so any package that imports lib can add, replace or delete entries at
// runtime. Treat it as read-only after initialisation and confirm that no
// caller writes to it.
var AppRoles = map[string][]iam.Cap{
	// "owner" holds every capability that appears in this table. It includes
	// the role and grant management capabilities, so a change to this list is
	// a change to who can alter authorization data. Review additions here as
	// privilege changes.
	"owner": {
		// Tenant record: update and read.
		iam.CapTenantsUpdate,
		iam.CapTenantsRead,

		// Tenant membership: create, remove, read.
		iam.CapTenantMembersCreate,
		iam.CapTenantMembersRemove,
		iam.CapTenantMembersRead,

		// Role definitions.
		// NOTE(review): both CapRolesList and CapRolesListByTenant are listed;
		// verify in iam that the plain list capability is tenant-scoped.
		iam.CapRolesSave,
		iam.CapRolesGet,
		iam.CapRolesDelete,
		iam.CapRolesList,
		iam.CapRolesListByTenant,

		// Grants: add, remove, list.
		iam.CapGrantsAdd,
		iam.CapGrantsRemove,
		iam.CapGrantsList,

		// Groups and group membership.
		// NOTE(review): same scoping question as for roles applies to
		// CapGroupsList versus CapGroupsListByTenant.
		iam.CapGroupsSave,
		iam.CapGroupsGet,
		iam.CapGroupsDelete,
		iam.CapGroupsList,
		iam.CapGroupsListByTenant,
		iam.CapGroupsAddMember,
		iam.CapGroupsRemoveMember,
		iam.CapGroupsListMembers,

		// Tenant invitations: create, read, delete.
		iam.CapTenantInvitationsCreate,
		iam.CapTenantInvitationsRead,
		iam.CapTenantInvitationsDelete,

		// Profiles: get and save.
		iam.CapProfilesGet,
		iam.CapProfilesSave,

		// Domains (capabilities declared by the demo's domains package).
		domains.Cap_Domain_Write,
		domains.Cap_Domain_Read,
	},

	// "member" is a deliberate minimum: today a tenant member can read the
	// tenant itself but gets no capability for co-members, groups, or other
	// resources. Expand this list only as tenants gain nested resources that
	// are worth sharing with non-owners.
	"member": {
		iam.CapTenantsRead,
	},
}