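/**
 * Server-side permission predicates derived from the authenticated user in `locals`.
 *
 * The user shape is intentionally narrowed to the only field these checks read
 * (`groups[].permissions`) so the helper works against `App.Locals` without importing it.
 */
type PermissionLocals = {
  user?: { groups?: { permissions: string[] }[] } | null;
};

/**
 * True when any of the user's groups grants WRITE_ALL. False for anonymous users.
 *
 * The check fails closed. `PermissionLocals` is a compile-time shape only, so the
 * runtime value is verified before it is trusted: a missing or non-array `groups`,
 * a null group entry, or a `permissions` value that is not an array all yield
 * `false` instead of throwing or matching.
 *
 * @param locals - Request locals; only `user.groups[].permissions` is read.
 *   NOTE(review): assumes `locals.user` is set exclusively by the server's
 *   authentication layer and never copied from request input. Confirm at the call site.
 * @returns `true` only when some group lists the exact string `'WRITE_ALL'`.
 */
export function hasWriteAll(locals: PermissionLocals): boolean {
  const groups = locals.user?.groups;
  if (!Array.isArray(groups)) {
    // Anonymous user, no groups, or an unexpected shape: no grant.
    return false;
  }

  return groups.some((group) => {
    const permissions: unknown = group?.permissions;
    // Require a real array: on a string, `.includes` is a substring test, so a
    // value such as 'NO_WRITE_ALL' would be treated as granting WRITE_ALL.
    return Array.isArray(permissions) && permissions.includes('WRITE_ALL');
  });
}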