Gate tools login with Caveau access

includes/bootstrap.php

@@ -110,17 +110,29 @@ dbnToolsStartSession();
 
 function dbnToolsIsAuthenticated(): bool
 {
-    return !empty($_SESSION['dbn_tools_authenticated']);
+    return !empty($_SESSION['dbn_tools_authenticated'])
+        && !empty($_SESSION['dbn_tools_user_id'])
+        && !empty($_SESSION['dbn_tools_client_id'])
+        && (string)($_SESSION['dbn_tools_client_slug'] ?? '') === dbnToolsClientSlug();
 }
 
-function dbnToolsAuthEmail(): ?string
+function dbnToolsAuthenticatedUser(): ?array
 {
-    return dbnToolsEnv('DBN_TOOLS_AUTH_EMAIL');
+    if (!dbnToolsIsAuthenticated()) {
+        return null;
+    }
+
+    return [
+        'user_id' => isset($_SESSION['dbn_tools_user_id']) ? (int)$_SESSION['dbn_tools_user_id'] : null,
+        'client_id' => isset($_SESSION['dbn_tools_client_id']) ? (int)$_SESSION['dbn_tools_client_id'] : null,
+        'email' => (string)($_SESSION['dbn_tools_user_email'] ?? ''),
+        'role' => (string)($_SESSION['dbn_tools_user_role'] ?? ''),
+    ];
 }
 
-function dbnToolsAuthPasswordHash(): ?string
+function dbnToolsRequiredPackageSlug(): string
 {
-    return dbnToolsEnv('DBN_TOOLS_AUTH_PASSWORD_HASH');
+    return dbnToolsEnv('DBN_CAVEAU_PACKAGE_SLUG') ?: 'family-legal';
 }
 
 function dbnToolsAnonymousSessionId(): string
@@ -168,7 +180,7 @@ function dbnToolsRequireMethod(string $method): void
 function dbnToolsRequireAuth(): void
 {
     if (!dbnToolsIsAuthenticated()) {
-        dbnToolsError('Passcode session required.', 401, 'session_required');
+        dbnToolsError('Caveau session required.', 401, 'session_required');
     }
 }
 
@@ -354,7 +366,7 @@ function dbnToolsRagDb(): PDO
 
 function dbnToolsClientSlug(): string
 {
-    return dbnToolsEnv('DBN_CAVEAU_CLIENT_SLUG') ?: 'dave-jr-legal';
+    return dbnToolsEnv('DBN_CAVEAU_CLIENT_SLUG') ?: 'dobetter';
 }
 
 function dbnToolsFetchClient(?PDO $db = null): ?array
@@ -370,11 +382,53 @@ function dbnToolsRequireClient(): array
 {
     $client = dbnToolsFetchClient();
     if (!$client || empty($client['is_active'])) {
-        dbnToolsAbort('Dave Jr Legal client tenant is not active or was not found.', 503, 'client_unavailable');
+        dbnToolsAbort('Do Better Norge client tenant is not active or was not found.', 503, 'client_unavailable');
     }
     return $client;
 }
 
+function dbnToolsFetchActiveClientUser(string $email, int $clientId, ?PDO $db = null): ?array
+{
+    $db = $db ?: dbnToolsDb();
+    $stmt = $db->prepare(
+        'SELECT id, client_id, username, email, display_name, password_hash, role, is_active
+         FROM client_users
+         WHERE client_id = ? AND email = ? AND is_active = 1
+         LIMIT 1'
+    );
+    $stmt->execute([$clientId, $email]);
+    $row = $stmt->fetch(PDO::FETCH_ASSOC);
+    return $row ?: null;
+}
+
+function dbnToolsCanUsePackage(int $clientId, string $packageSlug, ?PDO $db = null): array
+{
+    $db = $db ?: dbnToolsDb();
+    $package = dbnToolsFetchPackage($packageSlug, $db);
+    if (!$package || empty($package['is_active'])) {
+        return [
+            'ok' => false,
+            'status' => 503,
+            'code' => 'package_unavailable',
+            'message' => "The {$packageSlug} corpus package is not active.",
+        ];
+    }
+
+    if (!dbnToolsHasActiveSubscription($clientId, (int)$package['id'], $db)) {
+        return [
+            'ok' => false,
+            'status' => 403,
+            'code' => 'subscription_missing',
+            'message' => 'This Caveau workspace does not have access to the required corpus package.',
+        ];
+    }
+
+    return [
+        'ok' => true,
+        'package' => $package,
+    ];
+}
+
 function dbnToolsFetchPackage(string $slug = 'family-legal', ?PDO $db = null): ?array
 {
     $db = $db ?: dbnToolsDb();