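package usecase

import "context"

// CheckRequest is the standard input to the RBAC enforcer; it mirrors the
// Casbin policy header (sub, obj, act). TenantID is split out so the
// loader can pick the right enforcer instance.
//
// Every field takes part in an authorization decision, so callers should
// fill TenantID and UID from the authenticated session rather than from
// request parameters, headers or body fields the client controls.
type CheckRequest struct {
	// TenantID selects the per-tenant enforcer instance.
	TenantID string

	// UID is the Casbin "sub" — typically `{tenant}:{uid}`.
	// NOTE(review): not visible here whether the caller passes the prefixed
	// form or the implementation composes it from TenantID; confirm that
	// the tenant part of the subject can never disagree with TenantID.
	UID string

	// Path is the HTTP path (Casbin "obj"); e.g. /api/v1/members/AMEX-100001.
	// NOTE(review): presumably this should be the same cleaned path the
	// router dispatched on, so that encoded or dot-segment variants are not
	// evaluated differently from the handler that runs — confirm at the
	// call site.
	Path string

	// Method is the HTTP method (Casbin "act"): GET / POST / PATCH / DELETE / *.
	// NOTE(review): "*" reads like a policy-side wildcard; confirm that a
	// request arriving with Method "*" is not treated as matching everything.
	Method string
}

// CheckResult bundles the boolean answer with the matched permission so
// audit logging can attribute the decision.
//
// The zero value has Allow == false, so a result that was never filled in
// reads as a deny.
type CheckResult struct {
	// Allow is the authorization decision.
	Allow bool

	// MatchedRoleKey names the role whose permission produced the decision.
	MatchedRoleKey string

	// MatchedPolicyRow is the policy row that matched, kept for audit
	// attribution.
	MatchedPolicyRow []string
}

// RBACUseCase wraps the per-tenant Casbin enforcer.
//
// LoadPolicy is the heavy operation (read all role_permission rows for a
// tenant, materialise into [][]string and feed casbin); BroadcastReload
// publishes via Redis Pub/Sub so other pods reload too.
//
// Callers of Check should fail closed: a non-nil error or a nil result is
// a deny, never an implicit allow.
type RBACUseCase interface {
	// Check evaluates req against the enforcer of req.TenantID.
	Check(ctx context.Context, req *CheckRequest) (*CheckResult, error)

	// LoadPolicy loads the policy of a single tenant into its enforcer.
	LoadPolicy(ctx context.Context, tenantID string) error

	// LoadAllPolicies presumably runs the load for every tenant; the
	// iteration and its error handling are implementation-defined.
	LoadAllPolicies(ctx context.Context) error

	// BroadcastReload publishes a reload notice for tenantID via Redis
	// Pub/Sub so that other pods reload as well.
	// NOTE(review): a pod that misses the notice keeps serving its previous
	// policy, which matters for revocations; confirm whether the
	// implementation has a periodic reload or other fallback.
	BroadcastReload(ctx context.Context, tenantID string) error

	// StartReloadSubscriber presumably starts the listener that receives
	// reload notices from other pods — confirm against the implementation.
	StartReloadSubscriber(ctx context.Context) error

	// StopReloadSubscriber presumably stops that listener.
	StopReloadSubscriber()
}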