swift-airline-52636
08/04/2025, 1:59 PMswift-airline-52636
08/04/2025, 1:59 PM
import { Namespace, SubjectSet, Context } from "@ory/permission-namespace-types"
// Namespace for individual users, i.e. the subjects that permission checks are asked about.
// It declares an `isMember` permission so that Resource.view can call
// `viewer.permits.isMember(ctx)` on a relation typed `User | SubjectSet<Group, "members">`.
// NOTE(review): presumably the type checker requires every type in a traversed relation
// to expose the called permission — confirm against the permission-language docs.
class User implements Namespace {
related: {
// Placeholder relation that exists only so `isMember` below has something to evaluate.
// The model relies on this relation never holding any tuples.
// NOTE(review): if a tuple is ever written to User#empty, `isMember` can return true for
// that subject; restrict who may write relation tuples and audit this relation for entries.
empty: User[]
}
permits = {
// Evaluates to false only while `related.empty` holds no tuples; the expression itself
// is an ordinary membership test on that relation, not a constant.
isMember: (ctx: Context): boolean =>
this.related.empty.includes(ctx.subject)
}
}
// Namespace for groups of users, with membership inherited from parent groups.
class Group implements Namespace {
related: {
// Users that are direct members of this group
members: User[]
// Parent groups whose members are also treated as members of this group
parents: Group[]
}
permits = {
// A subject is a member of this group if:
// 1. it is listed directly in `members`, OR
// 2. it passes `isMember` on any group listed in `parents` (evaluated recursively).
//
// Direction matters: membership flows from parent to child, so adding a parent to a
// group widens the set of subjects that count as members of this group (and of every
// resource this group can view).
// NOTE(review): confirm this is the intended direction; many models inherit the other way.
// NOTE(review): the recursion has no bound in this file. Cyclic or very deep `parents`
// chains presumably rely on the engine's maximum check depth — confirm what happens
// (allow vs. deny) when that limit is hit.
isMember: (ctx: Context): boolean =>
this.related.members.includes(ctx.subject) ||
this.related.parents.traverse((parent) => parent.permits.isMember(ctx))
}
}
// Namespace for protected resources; `view` is the only permission defined here.
class Resource implements Namespace {
related: {
// Subjects with viewer access: either a User directly, or the `members` relation of a
// Group (a subject set)
viewers: (User | SubjectSet<Group, "members">)[]
}
permits = {
// A subject may view the resource if:
// 1. it is matched by `viewers.includes` — a directly listed User, or presumably a
//    subject reached through a listed Group#members subject set (confirm how the
//    engine expands subject sets), OR
// 2. `isMember` returns true on any entry in `viewers`. For Group entries this is the
//    branch that adds membership inherited through `parents`; for User entries it
//    calls User.isMember, which the model intends to always be false.
//
// NOTE(review): because of branch 2, granting a group viewer access also grants it to
// every member of that group's ancestors. Check that grant reviews and audits account
// for this transitive access.
view: (ctx: Context): boolean =>
this.related.viewers.includes(ctx.subject) ||
this.related.viewers.traverse((viewer) => viewer.permits.isMember(ctx))
}
}