namespace Management.Security;

/// <summary>
/// Request-scoped authentication context.
/// Populated by ClientAuthMiddleware.
/// </summary>
public sealed class ClientContext
{
    public string? SessionId { get; set; }
    public string? ClientId { get; set; }
    public string? PlatformClientId { get; set; }
    public string? ClientName { get; set; }
    public string? UserId { get; set; }
    public string? Email { get; set; }
    public string? Role { get; set; }
    public bool IsDevBypass { get; set; }

    public bool IsAuthenticated => !string.IsNullOrWhiteSpace(ClientId);

    /// <summary>Full platform access.</summary>
    /// <summary>Full admin access — SuperAdmin or Admin role.</summary>
    public bool IsAdmin =>
        string.Equals(Role, "SuperAdmin", StringComparison.OrdinalIgnoreCase) ||
        string.Equals(Role, "Admin",      StringComparison.OrdinalIgnoreCase);

    /// <summary>Health monitoring and Tech Client access only.</summary>
    public bool IsTech =>
        string.Equals(Role, "Tech", StringComparison.OrdinalIgnoreCase);

    /// <summary>Any authenticated staff member (SuperAdmin, Admin or Tech).</summary>
    public bool IsStaff => IsAdmin || IsTech;
}