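import type { UserRole } from '@prisma/client';

/**
 * MFA enrolment policy — central source of truth for which roles require
 * TOTP and how long the grace period lasts.
 *
 * Backed by `User.mfaGraceStartedAt` and `User.mfaLastVerifiedAt` columns.
 *
 * Policy summary:
 * - On first login under enforcement, `mfaGraceStartedAt` is stamped.
 * - For `MFA_GRACE_PERIOD_DAYS` after that timestamp, the user keeps full
 *   access but receives `mfa: 'grace'` in their JWT (UI nudges enrollment).
 * - After grace expires, the JWT carries `mfa: 'enrollment_required'` and
 *   sensitive routes (admin guards) reject until the user enrols.
 *
 * The enforcement logic itself (stamping on login, the JWT claim, the admin
 * guards and the re-auth interceptor) lives outside this file; this module
 * only holds the policy values those components read.
 */

/**
 * Roles for which TOTP is mandatory after the grace window expires.
 *
 * Typed against the Prisma `UserRole` enum so that listing a role that does
 * not exist in the schema is a compile-time error rather than a silently
 * never-matching string. Exposed as a readonly array: consumers check
 * membership and must not mutate the policy at runtime. An empty list would
 * leave no role subject to mandatory enrolment (assuming the guards that
 * consult it treat "not listed" as "not required").
 */
export const MFA_REQUIRED_ROLES: ReadonlyArray<UserRole> = ['ADMIN'];

/** Length of the grace window, in days, before MFA enrolment becomes mandatory. */
export const MFA_GRACE_PERIOD_DAYS = 14;

/**
 * Re-auth window for "step-up" admin operations (e.g. user impersonation,
 * mass actions). After this many minutes since `mfaLastVerifiedAt`, the
 * admin re-auth interceptor must challenge again. The window is measured
 * from the persisted `mfaLastVerifiedAt` timestamp, not from token issuance.
 */
export const MFA_REAUTH_WINDOW_MINUTES = 15;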