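// Package access provides the canonical access control logic for the relay.
// Both the server (parent domain) and broadcast worker (child domain) import
// this package, eliminating canSeeEvent/bcastCanSee duplication.
package access

import (
	"bytes"

	"smesh.lol/pkg/nostr/event"
	"smesh.lol/pkg/nostr/kind"
)

// IsMLS reports whether k is one of the kinds the relay treats as MLS
// traffic: the MLS event kinds (443, 444, 445) and gift-wrap (1059), which
// is how MLS Welcomes are delivered.
//
// Security note: this is a check on the kind number only. Kind 1059 is a
// generic wrapper that is also used for non-MLS traffic (e.g. NIP-17 private
// messages), and nothing here inspects the wrapped content, so every
// gift-wrap event counts as MLS. Any check that is relaxed for IsMLS kinds
// (see CanSee and WriteExempt with marmotOpen) is therefore relaxed for all
// gift-wrap events, not just MLS Welcomes.
func IsMLS(k uint16) bool {
	switch k {
	case kind.MLSKeyPackage.K, kind.MLSWelcome.K, kind.MLSGroupEvent.K, kind.GiftWrap.K:
		return true
	}
	return false
}

// CanSee reports whether a connection with the given auth state may receive ev.
//
// authed: connection has completed NIP-42 auth.
// authedPubkey: the authed pubkey (32 bytes binary). Nil if not authed.
// nip70: relay enforces NIP-70 protected-tag filtering.
// marmotOpen: relay exempts MLS kinds (see IsMLS) from privilege checks.
//
// Rules, applied in order:
//  1. A nil event is never delivered (fail closed).
//  2. Privileged kinds (kind.IsPrivileged) require an authed connection,
//     unless marmotOpen is set and the kind is an MLS kind.
//  3. With nip70, an event carrying a "-" tag is delivered only to a
//     connection authed as the event's author.
//
// Rule 2 checks only that the connection is authenticated; it does not
// restrict delivery of privileged kinds to the author or a "p"-tagged
// recipient. If that per-recipient restriction is required, it has to be
// applied by the caller (presumably in filter handling) — TODO confirm.
func CanSee(authed bool, authedPubkey []byte, ev *event.E, nip70, marmotOpen bool) bool {
	if ev == nil {
		// Access-control default: nothing to inspect means no delivery.
		return false
	}

	if kind.IsPrivileged(ev.Kind) {
		exempt := marmotOpen && IsMLS(ev.Kind)
		if !exempt && !authed {
			return false
		}
	}

	if nip70 && hasProtectedTag(ev) {
		// The authed check comes first so that a nil authedPubkey can never
		// match an event with an empty Pubkey (bytes.Equal treats two empty
		// slices as equal). Assumes ev.Pubkey is in the same binary encoding
		// as authedPubkey — verify against the event type.
		if !authed || !bytes.Equal(authedPubkey, ev.Pubkey) {
			return false
		}
	}

	return true
}

// hasProtectedTag reports whether ev carries a NIP-70 "-" tag. A nil Tags
// field is treated as "no tags".
func hasProtectedTag(ev *event.E) bool {
	return ev.Tags != nil && ev.Tags.GetFirst([]byte("-")) != nil
}

// WriteExempt reports whether events of kind evKind may be written without
// NIP-42 auth. Exemptions: the NIP-46 connect kind when nip46BypassAuth is
// set, and MLS kinds (IsMLS — note this includes every gift-wrap event) when
// marmotOpen is set. Every other kind requires auth to write.
func WriteExempt(evKind uint16, nip46BypassAuth, marmotOpen bool) bool {
	connectExempt := nip46BypassAuth && evKind == kind.NostrConnect.K
	mlsExempt := marmotOpen && IsMLS(evKind)
	return connectExempt || mlsExempt
}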