defmodule Mv.Authorization.Checks.NoActor do
  @moduledoc """
  Custom Ash Policy Check that allows actions when no actor is present.

  This is primarily used for:

  - Database seeding (priv/repo/seeds.exs)
  - Test fixtures that create data without authentication
  - Background jobs that operate on behalf of the system

  ## Security Note

  This check should only be used for specific actions where system-level
  access is appropriate. It should always be combined with other policy
  checks that validate actor-based permissions when an actor IS present.

  ## Usage in Policies

      policies do
        # Allow seeding and system operations
        policy action_type(:create) do
          authorize_if NoActor
        end

        # Check permissions when actor is present
        policy action_type([:read, :create, :update, :destroy]) do
          authorize_if HasPermission
        end
      end

  ## Behavior

  - Returns `{:ok, true}` when actor is nil (allows action)
  - Returns `{:ok, :unknown}` when actor is present (delegates to other policies)
  - `auto_filter` returns nil (no filtering needed)
  """

  use Ash.Policy.Check

  @impl true
  def describe(_opts) do
    "allows actions when no actor is present (for seeds and system operations)"
  end

  @impl true
  def strict_check(actor, _authorizer, _opts) do
    if is_nil(actor) do
      # No actor present - allow (for seeds, tests, system operations)
      {:ok, true}
    else
      # Actor present - let other policies decide
      {:ok, :unknown}
    end
  end

  @impl true
  def auto_filter(_actor, _authorizer, _opts) do
    # No filtering needed - this check only validates presence/absence of actor
    nil
  end
end
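An ExUnit test that pins down the contract the moduledoc describes, added here as an example and not part of the Mv project. Because the check ignores its `authorizer` and `opts` arguments, the test passes a constructed placeholder map where Ash would pass its own authorizer struct; the actor maps are likewise constructed. The third test makes the security note concrete: `{:ok, :unknown}` is not an authorization, so a policy built from `authorize_if NoActor` alone never lets an actor-bearing request through, and a companion actor-based check is required.

```elixir
defmodule Mv.Authorization.Checks.NoActorTest do
  # Added example test, not part of the Mv project. It pins down the contract
  # in the NoActor moduledoc: nil actor -> allowed, any actor -> :unknown.
  use ExUnit.Case, async: true

  alias Mv.Authorization.Checks.NoActor

  # The check ignores the authorizer and options, so a placeholder map is
  # enough here (constructed for this test; Ash passes its own struct).
  @authorizer %{placeholder: true}
  @opts []

  test "allows the action when no actor is present" do
    assert {:ok, true} = NoActor.strict_check(nil, @authorizer, @opts)
  end

  test "does not decide when an actor is present" do
    # Constructed actor; any non-nil value exercises the same branch.
    actor = %{id: "user-123"}
    assert {:ok, :unknown} = NoActor.strict_check(actor, @authorizer, @opts)
  end

  test "never authorizes an actor on its own, so a sibling check must" do
    # `:unknown` is not `true`. Modelling a policy as "authorized only if some
    # check returns {:ok, true}" shows that NoActor alone leaves every
    # actor-bearing request unauthorized; an actor-based check must be added.
    checks = [
      fn actor -> NoActor.strict_check(actor, @authorizer, @opts) end
    ]

    authorized? = fn actor ->
      Enum.any?(checks, fn check -> check.(actor) == {:ok, true} end)
    end

    assert authorized?.(nil)
    refute authorized?.(%{id: "user-123"})
  end

  test "applies no filter" do
    assert is_nil(NoActor.auto_filter(%{id: "user-123"}, @authorizer, @opts))
  end
end
```

Run it with `mix test` from the project root; it needs no database or Ash resource because it calls the check's callbacks directly.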