Lumi/plugins/lumi_ai/backend/assistant_permissions.js

const ROLE_KEYS = Object.freeze({
  admin: "admins",
  mod: "mods",
  user: "users"
});

function roleOf(user, roleHint = null) {
  if (["admin", "mod", "user"].includes(roleHint)) return roleHint;
  if (user?.isAdmin) return "admin";
  if (user?.isMod) return "mod";
  return user?.id ? "user" : "anonymous";
}

function canUseAssistant({
  user,
  config = {},
  origin = "webui",
  platform = origin,
  requestedSurface = "webui_panel",
  roleHint = null,
  roleSource = null
}) {
  const normalizedRole = roleOf(user, roleHint);
  const isCommand = requestedSurface === "command";
  const visibilitySettings = isCommand
    ? { ...(config.commands?.roles || {}) }
    : { ...(config.assistant_visibility || {}) };
  const roleKey = ROLE_KEYS[normalizedRole] || null;
  const roleAllowed = Boolean(roleKey && visibilitySettings[roleKey]);
  const platformAllowed = !isCommand || Boolean(config.commands?.platforms?.[platform]);
  const featureEnabled = Boolean(config.enabled && config.assistant_enabled !== false);
  const commandEnabled = !isCommand || Boolean(config.commands?.enabled);

  let reason = null;
  if (normalizedRole === "anonymous") reason = "anonymous";
  else if (!featureEnabled) reason = "assistant_disabled";
  else if (!commandEnabled) reason = "command_disabled";
  else if (!platformAllowed) reason = "platform_forbidden";
  else if (!roleAllowed) reason = "role_forbidden";

  const allowedRoles = Object.entries(ROLE_KEYS)
    .filter(([, key]) => Boolean(visibilitySettings[key]))
    .map(([role]) => role);

  return {
    allowed: reason === null,
    reason,
    normalized_role: normalizedRole,
    visibility_settings: visibilitySettings,
    debug_details: {
      resolved_user_id: user?.id || null,
      normalized_role: normalizedRole,
      role_source: roleSource || (roleHint ? "origin_context" : "session_auth"),
      role_allowed: roleAllowed,
      allowed_roles: allowedRoles,
      origin,
      platform,
      requested_surface: requestedSurface
    }
  };
}

module.exports = { ROLE_KEYS, roleOf, canUseAssistant };