<?php

declare(strict_types=1);

/*
 * Sidebar configuration.
 *
 * This file defines the sidebar sections displayed in the frontend.
 *
 * Each SECTION may declare :
 *   - `label` (required)    : i18n key resolved by the frontend
 *   - `icon`  (required)    : MDI icon name
 *   - `items` (required)    : list of items (see below)
 *   - `permission` (opt.)   : RBAC permission code ; when set, the whole
 *                             section (and every one of its items) is hidden
 *                             from users who do not hold that permission.
 *                             Use this for "umbrella" sections like
 *                             Administration where you want to gate the
 *                             entire group behind one coarse permission.
 *
 * Each ITEM may declare :
 *   - `label`      (required)  : i18n key
 *   - `to`         (required)  : Nuxt route
 *   - `icon`       (required)  : MDI icon name
 *   - `module`     (required)  : owner module ID ; item is hidden if the
 *                                module is not listed in config/modules.php
 *   - `permission` (opt.)      : RBAC permission code ; finer-grained gate
 *                                applied in addition to the section-level one
 *
 * Precedence : section-level `permission` is evaluated first. If it fails,
 * the whole section is skipped and every item's `to` is added to the
 * `disabledRoutes` payload of /api/sidebar (so the front middleware can
 * redirect any direct navigation). Individual items without their own
 * permission are implicitly protected by the section-level one.
 *
 * This config is decoupled from the modules themselves: you can freely
 * move an item from one section to another without touching the module code.
 */

return [
    // Section "Commerciale" : pole metier principal, remontee en tete de sidebar (ERP-71).
    // L'ordre interne des onglets et les permissions restent inchanges (simple deplacement
    // du bloc, aucun gate touche).
    [
        'label' => 'sidebar.commercial.section',
        'icon'  => 'mdi:account-arrow-left-outline',
        'items' => [
            [
                'label'      => 'sidebar.commercial.clients',
                'to'         => '/clients',
                'icon'       => 'mdi:account-group-outline',
                'module'     => 'commercial',
                'permission' => 'commercial.clients.view',
            ],
            [
                'label'  => 'sidebar.commercial.suppliers',
                'to'     => '/suppliers',
                'icon'   => 'mdi:account-arrow-left-outline',
                'module' => 'commercial',
            ],
        ],
    ],
    // Section "Administration" : regroupe toutes les pages de configuration
    // applicative (RBAC, users, sites, audit log).
    //
    // CONVENTION : "etre admin" = detenir au moins une permission admin-scoped.
    // En pratique, le groupe `core.*` represente l'administration applicative
    // (users, roles, audit_log) ; les autres permissions admin-scoped proviennent
    // des modules qui exposent leur propre page d'admin dans cette section
    // (ex: `sites.view`). Un user qui n'a AUCUNE de ces permissions n'a pas
    // acces a l'administration.
    //
    // Gate implicite : tous les items de cette section declarent une `permission`.
    // Sans aucune permission correspondante, tous les items sont filtres, la
    // section devient vide et est automatiquement masquee par SidebarProvider
    // (cf. la boucle de filtrage : section vide => `continue`). Inutile donc
    // d'ajouter un gate explicite au niveau section tant que chaque item porte
    // sa propre permission.
    //
    // Pour imposer un gate explicite supplementaire (ex: "seuls les membres du
    // groupe support voient l'administration, meme s'ils ont des permissions
    // individuelles"), ajouter : 'permission' => 'core.admin.access'.
    [
        'label' => 'sidebar.administration.section',
        'icon'  => 'mdi:cog-outline',
        'items' => [
            [
                'label'      => 'sidebar.core.roles',
                'to'         => '/admin/roles',
                'icon'       => 'mdi:shield-account-outline',
                'module'     => 'core',
                'permission' => 'core.roles.view',
            ],
            [
                'label'      => 'sidebar.core.users',
                'to'         => '/admin/users',
                'icon'       => 'mdi:account-group-outline',
                'module'     => 'core',
                'permission' => 'core.users.view',
            ],
            [
                'label'      => 'sidebar.sites.admin',
                'to'         => '/admin/sites',
                'icon'       => 'mdi:domain',
                'module'     => 'sites',
                'permission' => 'sites.view',
            ],
            [
                'label'      => 'sidebar.catalog.categories',
                'to'         => '/admin/categories',
                'icon'       => 'mdi:tag-multiple-outline',
                'module'     => 'catalog',
                'permission' => 'catalog.categories.view',
            ],
            [
                'label'      => 'sidebar.core.audit_log',
                'to'         => '/admin/audit-log',
                'icon'       => 'mdi:clipboard-text-clock',
                'module'     => 'core',
                'permission' => 'core.audit_log.view',
            ],
        ],
    ],
    // Section "Mon compte" : espace personnel. Accessible a tout user authentifie
    // (aucune permission RBAC requise, tous les items restent dans `core` pour
    // rester toujours presents meme quand les modules metier sont desactives).
    [
        'label' => 'sidebar.account.section',
        'icon'  => 'mdi:account-circle-outline',
        'items' => [
            [
                'label'  => 'sidebar.account.dashboard',
                'to'     => '/',
                'icon'   => 'mdi:view-dashboard-outline',
                'module' => 'core',
            ],
            [
                'label'  => 'sidebar.account.logout',
                'to'     => '/logout',
                'icon'   => 'mdi:logout',
                'module' => 'core',
            ],
        ],
    ],
];