/* rbac.jsx — minimal role-based access control.
   CURRENT_ROLE mirrors App state (set each render via setCurrentRole, like the
   i18n LANG global) so canEdit() is correct during render and updates when the
   acting role changes. Roles: manager > editor > viewer. */
// Role the UI is currently acting as. Module-level mutable state, overwritten
// through setCurrentRole().
// NOTE(review): the initial value is the most privileged role, so until
// setCurrentRole() has been called both canEdit() and canManagePeople()
// answer true. Confirm that this fail-open default is intended.
let CURRENT_ROLE = 'manager';

/**
 * Replace the acting role.
 *
 * The value is stored as given, with no check that it is a known role name.
 * An unrecognised value makes both permission helpers return false.
 * NOTE(review): this setter is also published on `window` at the bottom of
 * the file, so any script running in the page can call it. These helpers
 * gate what the UI shows; they are not an authorization boundary.
 *
 * @param {string} r - Role name; the checks recognise 'manager' and 'editor'.
 */
function setCurrentRole(r) {
  CURRENT_ROLE = r;
}

/**
 * @returns {string} The role most recently stored by setCurrentRole(), or the
 *   initial default if it was never called.
 */
function getCurrentRole() {
  return CURRENT_ROLE;
}

/**
 * @returns {boolean} true for the 'manager' and 'editor' roles, false for
 *   anything else (including unknown values).
 */
function canEdit() {
  switch (CURRENT_ROLE) {
    case 'manager':
    case 'editor':
      return true;
    default:
      return false;
  }
}

/**
 * @returns {boolean} true only for the 'manager' role.
 */
function canManagePeople() {
  const isManager = CURRENT_ROLE === 'manager';
  return isManager;
}

// Display metadata for each role, keyed by the role name that
// setCurrentRole() stores. `label`/`desc` are English text, `labelZh`/`descZh`
// the Chinese counterparts, and `color` is a CSS custom-property reference.
// NOTE(review): the descriptions are text only. The permission checks
// (canEdit, canManagePeople) hard-code role names and do not read this table,
// so the wording here has to be kept in sync with them by hand.
const ROLES = {
  // Highest role: people management plus editing.
  manager: {
    label: 'Manager',
    labelZh: '管理员',
    color: 'var(--accent)',
    desc: 'Full access — manages people and edits everything.',
    descZh: '最高权限 —— 管理成员并编辑所有内容。',
  },
  // Content maintainer: editing without people management.
  editor: {
    label: 'Editor',
    labelZh: '维护人员',
    color: 'var(--success)',
    desc: 'Can create and edit tokens, components, assets and themes.',
    descZh: '可创建并编辑 token、组件、资源与主题。',
  },
  // Read-only role.
  viewer: {
    label: 'Viewer',
    labelZh: '访客',
    color: 'var(--text-3)',
    desc: 'Read-only — can browse the system but not edit.',
    descZh: '只读 —— 可浏览后台但不能编辑。',
  },
};

// Publish the role helpers and the ROLES table as globals on `window`.
// NOTE(review): this puts the setter in global scope, so every script on the
// page (and the devtools console) can change the acting role. Anything that
// must hold against an untrusted client has to be enforced outside this file.
Object.assign(window, {
  setCurrentRole,
  getCurrentRole,
  canEdit,
  canManagePeople,
  ROLES,
});
