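import logging
from enum import Enum

_logger = logging.getLogger(__name__)


class PluginPermission(str, Enum):
    """Granular permissions for plugins.

    Plugins must explicitly request these capabilities. Because the class
    mixes in ``str``, each member compares equal to its string value, so
    members and plain strings can be used interchangeably in comparisons.
    """

    # Core
    READ_ONLY = "READ_ONLY"    # Basic safe read operations
    READ_DATA = "READ_DATA"    # Broader data read (e.g., active user counts)
    WRITE_DATA = "WRITE_DATA"  # Generic write access (Dangerous)

    # Domains
    READ_USER = "READ_USER"    # Read user details (PII warning)
    WRITE_USER = "WRITE_USER"  # Modify user data
    READ_CASE = "READ_CASE"
    WRITE_CASE = "WRITE_CASE"

    # System
    NETWORK_ACCESS = "NETWORK_ACCESS"  # Allow outbound HTTP calls
    FILE_ACCESS = "FILE_ACCESS"        # Allow filesystem read/write (Restricted dirs)


def validate_permissions(requested: list[str]) -> list[str]:
    """Return the requested permissions that name a known PluginPermission.

    This is a membership check only: an entry is kept when it exactly matches
    the value of a ``PluginPermission`` member (case-sensitive) and dropped
    otherwise. Order and duplicates of the kept entries are preserved.

    The function does not decide whether a plugin is *entitled* to a known
    permission; high-impact values such as ``WRITE_DATA``, ``NETWORK_ACCESS``
    and ``FILE_ACCESS`` pass through unchanged.
    NOTE(review): confirm that the caller applies a grant policy on top of
    this result before the permissions take effect.

    Args:
        requested: Permission names supplied by the plugin. Treated as
            untrusted input. ``None`` is handled as "nothing requested".

    Returns:
        The subset of ``requested`` made of recognised permission names.
    """
    # Fail closed: a plugin that declares no permission list gets none.
    if requested is None:
        return []

    valid = []
    rejected = []
    for name in requested:
        try:
            # Lookup by value raises ValueError for anything that is not a member.
            PluginPermission(name)
        except ValueError:
            rejected.append(name)
        else:
            valid.append(name)

    if rejected:
        # Surface dropped entries so a typo or an unexpected request is visible
        # to operators instead of vanishing. One record per call, a capped
        # sample and %r formatting keep attacker-chosen strings from flooding
        # the log or injecting line breaks into it.
        _logger.warning(
            "Ignoring %d unknown plugin permission(s); first entries: %r",
            len(rejected),
            rejected[:10],
        )
    return valid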