"""Role-based permissions for the three specialist agents.

In a real incident-response organization different roles have different
authority. We encode that so the environment can reward or penalize actions
taken by the wrong specialist, and so downstream policies learn realistic
coordination patterns.
"""

from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, Set

ALL_ROLES: tuple[str, ...] = (
    "triage_agent",
    "investigator_agent",
    "ops_manager_agent",
)

ALL_ACTIONS: tuple[str, ...] = (
    "inspect_logs",
    "inspect_metrics",
    "consult_kb",
    "negotiate_handoff",
    "apply_fix",
    "close_incident",
    "escalate",
    "rollback",
    "submit_postmortem",
)


@dataclass(frozen=True)
class RolePermissions:
    """Allowed actions per role and a list of role-gated actions."""

    allowed: Dict[str, Set[str]]

    def is_allowed(self, actor: str, action_type: str) -> bool:
        allowed_set = self.allowed.get(actor, set())
        return action_type in allowed_set

    def allowed_actions(self, actor: str) -> Set[str]:
        return set(self.allowed.get(actor, set()))


def default_role_permissions() -> RolePermissions:
    """Default policy used by the environment.

    - triage_agent: first-line observability + initial handoff
    - investigator_agent: deep diagnostics, knowledge base, fix proposals
    - ops_manager_agent: coordination actions (handoff, escalate, rollback),
      and is the only role authorized to close an incident or submit a
      postmortem.
    """
    allowed: Dict[str, Set[str]] = {
        "triage_agent": {
            "inspect_logs",
            "inspect_metrics",
            "consult_kb",
            "negotiate_handoff",
        },
        "investigator_agent": {
            "inspect_logs",
            "inspect_metrics",
            "consult_kb",
            "apply_fix",
            "rollback",
        },
        "ops_manager_agent": {
            "negotiate_handoff",
            "escalate",
            "rollback",
            "close_incident",
            "submit_postmortem",
        },
    }
    return RolePermissions(allowed=allowed)


def check_actor_allowed(
    actor: str, action_type: str, permissions: RolePermissions | None = None
) -> bool:
    """Return True if `actor` is permitted to run `action_type`.

    Returns False for unknown roles or actions so the caller can apply the
    policy's wrong-actor penalty uniformly.
    """
    if actor not in ALL_ROLES or action_type not in ALL_ACTIONS:
        return False
    permissions = permissions or default_role_permissions()
    return permissions.is_allowed(actor, action_type)


def allowed_actors_for(action_type: str, permissions: RolePermissions | None = None) -> Iterable[str]:
    permissions = permissions or default_role_permissions()
    return tuple(
        actor for actor in ALL_ROLES if permissions.is_allowed(actor, action_type)
    )