40227-vm/backend/src/shared/constants/product-permissions.ts

/**
* Product-feature permission names (Workstream 3 §3.2). These complement the
* generic `${METHOD}_${ENTITY}` CRUD permissions: `READ_<MODULE>` gates a
* product page, and the action permissions in `MODULE_ACTIONS` gate the special
* workflows (e.g. filling attendance, taking a quiz, leaving a read receipt).
*
* Single source for both the role seeder (which seeds + grants them) and the
* feature routes (which enforce them via `checkPermissions`), so the names never
* drift between where they are granted and where they are checked.
*/
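// The audience named on each group below is the intended grant. This file only
// declares the names; the role-to-permission grant itself is done by the role
// seeder. Every group is frozen at runtime (not just `as const` at the type
// level) so it matches MODULE_PERMISSIONS and FEATURE_PERMISSIONS: a shared
// authorization list should not be mutable after module load.

/** Pages every campus staff role can read. */
export const MODULE_READ_ALL_STAFF = Object.freeze([
  'READ_DASHBOARD',
  'READ_FRAME',
  'READ_EI',
  'READ_ATTENDANCE',
  'READ_INTERNAL_COMM',
  'READ_SAFETY',
  'READ_HANDBOOK',
] as const);

/** Instructional tools (teacher / support_staff, not office_manager). */
export const MODULE_READ_INSTRUCTIONAL = Object.freeze([
  'READ_CLASSROOM',
  'READ_TIMER',
  'READ_QBS',
  'READ_ZONES',
  'READ_SIGNS',
] as const);

/** Parent communication page (teacher + managers). */
export const MODULE_READ_PARENT_COMM = Object.freeze(['READ_PARENT_COMM'] as const);

/** External-user pages (student / guardian + staff). */
export const MODULE_READ_EXTERNAL = Object.freeze([
  'READ_COMMUNITY',
  'READ_VOCATIONAL',
  'READ_ESA',
] as const);

/** Director-only surfaces. */
export const MODULE_READ_DIRECTOR = Object.freeze([
  'READ_WALKTHROUGH',
  'READ_DIRECTOR_DASHBOARD',
] as const);

/**
 * Special action permissions (extendable per-user via `custom_permissions`).
 *
 * NOTE(review): because these can be granted per user outside the role grants,
 * an access review presumably has to cover `custom_permissions` too. Confirm
 * where that field is written and who may write it.
 */
export const MODULE_ACTIONS = Object.freeze([
  'FILL_ATTENDANCE',
  'TAKE_QUIZ',
  'ACK_READ_RECEIPT',
  'ACK_POLICY',
  'ZONE_CHECKIN',
] as const);

/** Audio library (Workstream 13): read = play/select, manage = upload/edit. */
export const AUDIO_PERMISSIONS = Object.freeze([
  'READ_AUDIO_FILES',
  'MANAGE_AUDIO_FILES',
] as const);

/**
 * Every product-feature permission (seeded into the catalog).
 *
 * The list is assembled from the group constants above by name. A new group
 * constant must be added to this spread as well, otherwise its permissions are
 * declared but never reach the seeded catalog.
 */
export const MODULE_PERMISSIONS: readonly string[] = Object.freeze([
  ...MODULE_READ_ALL_STAFF,
  ...MODULE_READ_INSTRUCTIONAL,
  ...MODULE_READ_PARENT_COMM,
  ...MODULE_READ_EXTERNAL,
  ...MODULE_READ_DIRECTOR,
  ...MODULE_ACTIONS,
  ...AUDIO_PERMISSIONS,
]);

/** Union of every permission name declared in the group constants above. */
type ModulePermissionName =
  | (typeof MODULE_READ_ALL_STAFF)[number]
  | (typeof MODULE_READ_INSTRUCTIONAL)[number]
  | (typeof MODULE_READ_PARENT_COMM)[number]
  | (typeof MODULE_READ_EXTERNAL)[number]
  | (typeof MODULE_READ_DIRECTOR)[number]
  | (typeof MODULE_ACTIONS)[number]
  | (typeof AUDIO_PERMISSIONS)[number];

/**
 * Freezes a route-permission map after the compiler has checked that every
 * value is a name from the seeded catalog.
 *
 * A misspelled or unseeded permission therefore fails the build instead of
 * becoming a route check that no role was ever granted.
 *
 * @param permissions - Map from reference name to catalog permission name.
 * @returns The same object, frozen.
 */
function defineFeaturePermissions<T extends Record<string, ModulePermissionName>>(
  permissions: T,
): Readonly<T> {
  return Object.freeze(permissions);
}

/**
 * Named references used by the feature routes when calling `checkPermissions`.
 * Keeps the route wiring free of bare string literals.
 *
 * Values are type-checked against the group constants, so a name enforced by
 * a route is always one that is seeded. The check covers values only: each key
 * must still be kept identical to its value by hand.
 *
 * This is a subset of the catalog. Names without an entry here (for example
 * `READ_DASHBOARD` or `READ_CLASSROOM`) are seeded but have no named reference.
 * Whether those pages are gated some other way cannot be seen from this file.
 */
export const FEATURE_PERMISSIONS = defineFeaturePermissions({
  READ_FRAME: 'READ_FRAME',
  READ_ATTENDANCE: 'READ_ATTENDANCE',
  READ_INTERNAL_COMM: 'READ_INTERNAL_COMM',
  READ_PARENT_COMM: 'READ_PARENT_COMM',
  READ_SAFETY: 'READ_SAFETY',
  READ_WALKTHROUGH: 'READ_WALKTHROUGH',
  FILL_ATTENDANCE: 'FILL_ATTENDANCE',
  TAKE_QUIZ: 'TAKE_QUIZ',
  ACK_READ_RECEIPT: 'ACK_READ_RECEIPT',
  ACK_POLICY: 'ACK_POLICY',
  ZONE_CHECKIN: 'ZONE_CHECKIN',
  READ_AUDIO_FILES: 'READ_AUDIO_FILES',
  MANAGE_AUDIO_FILES: 'MANAGE_AUDIO_FILES',
});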