// Copyright: © 2026 TWWIM UG. All rights reserved. (www.twwim.com)
/**
 * Customer Portal zone guard for TanStack Router `beforeLoad`.
 *
 * Reads the current AuthenticatedUser from the store, resolves the membership
 * role, and consults the domain canEnterZone matrix. On denial, redirects to
 * the role's landing zone (OPERATOR → /dashboard/conversations, everyone else
 * → /dashboard).
 */

import { redirect } from '@tanstack/react-router';
import { CPZone, EmployeeRole, canEnterZone, landingZoneForRole } from '@archer/domain';
import { authenticatedUserStore } from '@/infrastructure/storage/AuthenticatedUserStore';
import { toEmployeeRole } from '@/presentation/lib/enumGuards';

const ZONE_TO_PATH: Record<CPZone, string> = {
  [CPZone.HOME]: '/dashboard',
  [CPZone.INTELLIGENCE]: '/dashboard/intelligence',
  [CPZone.TENANTS]: '/dashboard/tenants',
  [CPZone.KNOWLEDGE]: '/dashboard/knowledge',
  [CPZone.WIDGET_CONFIG]: '/dashboard/plugin-settings',
  [CPZone.CONVERSATIONS]: '/dashboard/conversations',
  [CPZone.SUBSCRIPTION]: '/dashboard/subscription',
  [CPZone.PROMOTIONS]: '/dashboard/promotions',
  [CPZone.COMPANY]: '/dashboard/company',
  [CPZone.DOCUMENTS]: '/dashboard/documents',
  [CPZone.MEMBERS]: '/dashboard/members',
  [CPZone.PROFILE]: '/dashboard/profile',
  [CPZone.INFO_CENTER]: '/dashboard/info-center',
};

export function requireZone(zone: CPZone): void {
  const user = authenticatedUserStore.get();
  const role = toEmployeeRole(user?.role) ?? EmployeeRole.ADMIN;

  if (canEnterZone(role, zone)) return;

  const landingZone = landingZoneForRole(role);
  const to = ZONE_TO_PATH[landingZone] ?? '/dashboard';
  throw redirect({ to });
}