namespace MxGateway.Server.Security.Authorization;

public static class GatewayScopes
{
    public const string SessionOpen = "session:open";
    public const string SessionClose = "session:close";
    public const string InvokeRead = "invoke:read";
    public const string InvokeWrite = "invoke:write";
    public const string InvokeSecure = "invoke:secure";
    public const string EventsRead = "events:read";
    public const string MetadataRead = "metadata:read";
    public const string Admin = "admin";

    /// <summary>
    ///     The complete catalog of canonical scope strings the gateway authorization
    ///     resolver recognizes. Key-creation paths (CLI and dashboard) validate requested
    ///     scopes against this set so a typo or non-canonical name cannot persist a key
    ///     whose scope strings the resolver never matches.
    /// </summary>
    public static readonly IReadOnlySet<string> All = new HashSet<string>(
        [
            SessionOpen,
            SessionClose,
            InvokeRead,
            InvokeWrite,
            InvokeSecure,
            EventsRead,
            MetadataRead,
            Admin,
        ],
        System.StringComparer.Ordinal);

    /// <summary>Determines whether the supplied scope string is a recognized canonical scope.</summary>
    /// <param name="scope">Scope string to check.</param>
    /// <returns><see langword="true"/> when the scope is canonical; otherwise <see langword="false"/>.</returns>
    public static bool IsKnown(string scope) => All.Contains(scope);
}