package rbac

import "code.nochebuena.dev/einherjar/contracts/security"

// CachedOpt is a functional option applied to the cachedConfig that
// [NewCachedPermissionProvider] builds its behaviour from.
type CachedOpt func(*cachedConfig)

// WithCacheKey replaces the default cache key function with fn.
//
// fn is called with the full [security.SecurityBag], the uid, and the
// resource name, and must return the string used as the cache key. Reach for
// it when the default key format ("rbac:{uid}:{resource}" or
// "rbac:{tenantID}:{uid}:{resource}") is insufficient — for example when
// hardware IDs, grant codes, or other bag attributes must be part of the key
// to prevent cross-context cache pollution.
//
//	rbac.NewCachedPermissionProvider(inner, cache, ttl,
//	    rbac.WithCacheKey(func(bag security.SecurityBag, uid, resource string) string {
//	        hwID, _ := bag.Get(KeyHardwareID)
//	        return fmt.Sprintf("rbac:%s:%s:%v:%s", bag.Identity().TenantID, uid, hwID, resource)
//	    }),
//	)
//
// Security notes for implementers of fn:
//
//   - The key is the only thing separating one cached permission result from
//     another. Every attribute that can change the outcome of the permission
//     check has to appear in it; an omitted attribute lets a result cached
//     for one context be returned for a different one.
//   - Joining components with a fixed separator is ambiguous when a component
//     can itself contain that separator: different (tenant, uid, resource)
//     tuples can then yield the same key. Quote or length-prefix components
//     whose content is not under your control.
//   - The example above discards the second result of bag.Get, so every bag
//     lacking the attribute formats to the same value for that component.
//     Decide explicitly which key such a bag should receive.
//
// fn is stored as given, with no nil check. NOTE(review): cachedConfig and
// the code that calls keyFn are not visible here — confirm how a nil keyFn
// is handled before passing a function value that may be nil.
func WithCacheKey(fn func(security.SecurityBag, string, string) string) CachedOpt {
	apply := func(cfg *cachedConfig) {
		cfg.keyFn = fn
	}
	return apply
}