// Access roles (mirrors backend App\Auth\GoogleAuthConfig::ROLES).

/** Canonical role identifiers; `as const` keeps the literals so `Role` is exactly this union. */
export const ROLES = ["superadmin", "tech-admin", "service-manager", "monitoring"] as const;
/** A single role name: one of the `ROLES` literals. */
export type Role = (typeof ROLES)[number];

/** Display name per role (for UI labels); `Record<Role, …>` forces an entry for every role. */
export const ROLE_LABELS: Record<Role, string> = {
  superadmin: "Superadmin",
  "tech-admin": "Tech-Admin",
  "service-manager": "Service Manager",
  monitoring: "Monitoring",
};

/**
 * One-line summary of what each role may do, for display only. The rules that are
 * actually applied are ROUTE_ACCESS and the `can*` helpers below; keep this text in
 * step with them when either changes.
 */
export const ROLE_DESCRIPTIONS: Record<Role, string> = {
  superadmin: "Full access to everything.",
  "tech-admin": "Everything except cost control (the Cost & Quality settings).",
  "service-manager": "Dashboard, Monitoring, Enrichment Rules, and the Services & Attributes tabs in Admin Settings.",
  monitoring: "Dashboard and Monitoring only.",
};

// Which roles may access each top-level route. Longer prefixes win (most specific).
// Superadmin is listed for completeness only: canAccess short-circuits on it before
// consulting this table. A path that matches no entry is allowed by canAccess (its
// "unknown page route" branch), so every restricted route must be listed here.
// The "/" entry is matched exactly (the dashboard), not as a prefix of every path.
const ROUTE_ACCESS: { prefix: string; roles: Role[] }[] = [
  { prefix: "/monitoring", roles: ["superadmin", "tech-admin", "service-manager", "monitoring"] },
  { prefix: "/enrichment", roles: ["superadmin", "tech-admin", "service-manager"] },
  { prefix: "/targeted", roles: ["superadmin", "tech-admin", "service-manager"] },
  // Service Manager reaches Admin Settings but only sees the Services & Attributes
  // tabs (the page filters the admin-only tabs out — see canSeeAdminConfig).
  { prefix: "/admin-settings", roles: ["superadmin", "tech-admin", "service-manager"] },
  { prefix: "/services", roles: ["superadmin", "tech-admin", "service-manager"] },
  { prefix: "/guide", roles: ["superadmin", "tech-admin", "service-manager", "monitoring"] },
  { prefix: "/", roles: ["superadmin", "tech-admin", "service-manager", "monitoring"] }, // Dashboard
];

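/**
 * Whether a user holding `roles` may open the top-level route at `path`.
 *
 * This is client-side gating (navigation and redirects); server-side
 * authorization is expected to enforce the same policy independently.
 *
 * Matching is segment-bounded: `/services` and `/services/42` match the
 * `/services` entry, but `/servicesfoo` does not (a plain `startsWith` would
 * have applied the `/services` rule to it). A `?query` or `#hash` suffix is
 * ignored, and `/` matches only the dashboard itself.
 *
 * @param path  Route path, optionally carrying `?query` or `#hash`.
 * @param roles Role names the user holds; names not in ROLES are ignored.
 * @returns `true` for superadmin, for any path not covered by ROUTE_ACCESS, and
 *   when at least one of `roles` is allowed on the most specific matching entry.
 */
export function canAccess(path: string, roles: string[]): boolean {
  if (roles.includes("superadmin")) return true;
  // Only the pathname decides the route; "/monitoring?tab=x" is still /monitoring.
  const pathname = path.split(/[?#]/, 1)[0] ?? path;
  // Longest matching prefix wins, so "/admin-settings" beats the "/" fallback.
  let match: (typeof ROUTE_ACCESS)[number] | undefined;
  for (const entry of ROUTE_ACCESS) {
    if (!routeMatches(pathname, entry.prefix)) continue;
    if (match === undefined || entry.prefix.length > match.prefix.length) match = entry;
  }
  if (!match) return true; // unknown page route — don't block
  return match.roles.some((r) => roles.includes(r));
}

/** Segment-bounded prefix test: "/" matches only the dashboard; any other prefix matches itself or a sub-path. */
function routeMatches(pathname: string, prefix: string): boolean {
  if (prefix === "/") return pathname === "/";
  return pathname === prefix || pathname.startsWith(`${prefix}/`);
}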

/**
 * Cost control (Cost & Quality settings) is superadmin-only; Tech-Admin is excluded.
 *
 * @param roles Role names the user holds.
 * @returns `true` only when "superadmin" is among them.
 */
export function canSeeCostControl(roles: string[]): boolean {
  const isSuperadmin = roles.some((role) => role === "superadmin");
  return isSuperadmin;
}

/**
 * The admin-only Admin Settings tabs (Credentials, Runtime, Actions, Audit Log).
 * Service Manager reaches the page for Services/Attributes but not these.
 *
 * @param roles Role names the user holds.
 * @returns `true` when the user is Superadmin or Tech-Admin.
 */
export function canSeeAdminConfig(roles: string[]): boolean {
  for (const role of roles) {
    if (role === "superadmin" || role === "tech-admin") return true;
  }
  return false;
}

/**
 * Starting/stopping the process runners (Worker/Poller) is infrastructure ops and
 * the Worker incurs Vertex cost, so it is limited to Superadmin + Tech-Admin
 * (Service Manager can still schedule services, but not control the runners).
 *
 * @param roles Role names the user holds.
 * @returns `true` when at least one of the permitted roles is present.
 */
export function canControlRunners(roles: string[]): boolean {
  const permitted = ["superadmin", "tech-admin"];
  return permitted.some((allowed) => roles.includes(allowed));
}

/**
 * User management (Users & Roles) is superadmin-only. It can grant any role and set
 * passwords, so allowing Tech-Admin here would be a privilege-escalation path.
 *
 * @param roles Role names the user holds.
 * @returns `true` only when "superadmin" is among them.
 */
export function canManageUsers(roles: string[]): boolean {
  return new Set(roles).has("superadmin");
}

/**
 * Landing page a user is allowed to see (used when redirecting away from a blocked route).
 *
 * Tries the dashboard first, then Monitoring. Every role in ROLES may reach "/",
 * so the Monitoring fallback is only returned when `roles` holds no known role —
 * and in that case "/monitoring" is blocked as well. A caller that redirects on
 * every blocked route should guard against looping there.
 *
 * @param roles Role names the user holds.
 * @returns "/" when the dashboard is accessible, otherwise "/monitoring".
 */
export function firstAllowedPath(roles: string[]): string {
  const candidates = ["/", "/monitoring"];
  for (const candidate of candidates) {
    if (canAccess(candidate, roles)) return candidate;
  }
  return "/monitoring";
}
