web/dashboard/src/lib/auth-permissions.ts

import { BRANCH_ONLY_NAV_GROUP, type NavGroupId, type NavItemKey } from "@/lib/sidebar-nav";
import { NAV_REQUIRED_PERMISSION } from "@/lib/permissions";

/** Cafe owner (HQ) — billing, taxes, branches. */
export function isCafeOwner(role: string | undefined): boolean {
  return role === "Owner";
}

/** Logged in as a branch-scoped employee (JWT branchId). */
export function isBranchAccount(branchId: string | null | undefined): boolean {
  return !!branchId;
}

export const OWNER_ONLY_NAV_KEYS = ["subscription", "taxes", "branches"] as const;

export function canSeeNavGroup(
  groupId: NavGroupId,
  role: string | undefined,
  branchId: string | null | undefined
): boolean {
  if (isBranchAccount(branchId) && groupId !== BRANCH_ONLY_NAV_GROUP) {
    return false;
  }
  return true;
}

export function canSeeNavItem(
  key: string,
  role: string | undefined,
  branchId: string | null | undefined,
  permissions?: Set<string> | null
): boolean {
  if ((OWNER_ONLY_NAV_KEYS as readonly string[]).includes(key) && !isCafeOwner(role)) {
    return false;
  }
  if (key === "branches" && isBranchAccount(branchId)) {
    return false;
  }
  // Permission-based page visibility. `permissions === null` means a legacy
  // session with no permission list — fall back to the role/branch rules above
  // so those users keep their current access until the next token refresh.
  if (permissions) {
    const required = NAV_REQUIRED_PERMISSION[key as NavItemKey];
    if (required && !permissions.has(required)) {
      return false;
    }
  }
  return true;
}
first commit 2026-05-31 11:06:24 +03:30			`import { BRANCH_ONLY_NAV_GROUP, type NavGroupId, type NavItemKey } from "@/lib/sidebar-nav";`
			`import { NAV_REQUIRED_PERMISSION } from "@/lib/permissions";`
feat(dashboard): Next.js 16 merchant panel with offline POS and PWA 2026-05-27 21:34:12 +03:30
			`/** Cafe owner (HQ) — billing, taxes, branches. */`
			`export function isCafeOwner(role: string \| undefined): boolean {`
			`return role === "Owner";`
			`}`

			`/** Logged in as a branch-scoped employee (JWT branchId). */`
			`export function isBranchAccount(branchId: string \| null \| undefined): boolean {`
			`return !!branchId;`
			`}`

			`export const OWNER_ONLY_NAV_KEYS = ["subscription", "taxes", "branches"] as const;`

			`export function canSeeNavGroup(`
			`groupId: NavGroupId,`
			`role: string \| undefined,`
			`branchId: string \| null \| undefined`
			`): boolean {`
			`if (isBranchAccount(branchId) && groupId !== BRANCH_ONLY_NAV_GROUP) {`
			`return false;`
			`}`
			`return true;`
			`}`

			`export function canSeeNavItem(`
			`key: string,`
			`role: string \| undefined,`
first commit 2026-05-31 11:06:24 +03:30			`branchId: string \| null \| undefined,`
			`permissions?: Set<string> \| null`
feat(dashboard): Next.js 16 merchant panel with offline POS and PWA 2026-05-27 21:34:12 +03:30			`): boolean {`
			`if ((OWNER_ONLY_NAV_KEYS as readonly string[]).includes(key) && !isCafeOwner(role)) {`
			`return false;`
			`}`
			`if (key === "branches" && isBranchAccount(branchId)) {`
			`return false;`
			`}`
first commit 2026-05-31 11:06:24 +03:30			// Permission-based page visibility. `permissions === null` means a legacy
			`// session with no permission list — fall back to the role/branch rules above`
			`// so those users keep their current access until the next token refresh.`
			`if (permissions) {`
			`const required = NAV_REQUIRED_PERMISSION[key as NavItemKey];`
			`if (required && !permissions.has(required)) {`
			`return false;`
			`}`
			`}`
feat(dashboard): Next.js 16 merchant panel with offline POS and PWA 2026-05-27 21:34:12 +03:30			`return true;`
			`}`