pos/server/src/lib/vendorScope.ts

import { AuthenticatedRequest } from "../types/index.js";

/**
 * Resolves the effective vendorId for a request.
 * Admin users may pass ?vendorId= to operate on any vendor's data.
 * All other roles are locked to their own vendorId.
 */
export function resolveVendorId(
  authReq: AuthenticatedRequest,
  query: Record<string, unknown> = {}
): string {
  if (authReq.auth.roleName === "admin" && typeof query.vendorId === "string" && query.vendorId) {
    return query.vendorId;
  }
  return authReq.auth.vendorId;
}